Configuring Certificate Manager

You must enable and configure certain features.

The following default settings are configured:

When you import Certificate Manager, the following default settings are configured:

Setting Default value
Action group
  • Restricted targeting disabled (default): All Computers computer group
  • Restricted targeting enabled: No Computers computer group

If the action group was already created in a previous version of Certificate Manager, the action group is not updated.

Scheduled action for default audit settings
  • Maximum Audit Age: 1 Day
  • Port Scan: enabled
  • Log Verbosity: Info
  • Distribute over time: 15 Minutes

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For information about installing Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Installing Endpoint Configuration.

Optionally, you can use Endpoint Configuration to require approval of configuration changes. When configuration approvals are enabled, Endpoint Configuration does not deploy a configuration change to endpoints until a user with approval permission approves the change. For information about the roles and permissions that are required to approve configuration changes for Certificate Manager, see User role requirements. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

If you enabled configuration approvals, the following configuration changes must be approved in Endpoint Configuration before they deploy to endpoints:

  • Deploying Certificate Manager tools to endpoints
  • User-initiated actions, such as updating Certificate Manager audit settings, certificate exclusions, certificate authorities, and approved ciphers, and uninstalling Certificate Manager

Configure Certificate Manager

Configure the Certificate Manager action group

Importing the Certificate Manager module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Certificate Manager, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Certificate Manager, configuring the Certificate Manager action group is optional.

Select the computer groups to include in the Certificate Manager action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Certificate Manager are included in the Certificate Manager action group.

  1. From the Main menu, go to Administration > Actions > Action Groups.
  2. Click Tanium Certificate Manager.
  3. Select the computer groups that you want to include in the action group and click Save.
    If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Set up Certificate Manager users

You can use the following set of predefined user roles to set up Certificate Manager users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Certificate Manager Operator

Assign the Certificate Manager Operator role to users who manage the deployment of Certificate Manager functionality to endpoints.
This role can perform the following tasks:

  • Update and distribute the Certificate Manager configuration.
  • View Certificate Manager reports and dashboard in Tanium Reporting.
  • Deploy Certificate Manager packages.

Certificate Manager User

Assign the Certificate Manager User role to users who manage the deployment of Certificate Manager functionality to endpoints.
This role can perform the following tasks:

  • View the Certificate Manager configuration.
  • View Certificate Manager reports and dashboard in Tanium Reporting.
  • Deploy Certificate Manager packages.

Certificate Manager Read Only User

Assign the Certificate Manager Read Only User role to users who need visibility into Certificate Manager data.
This role can view the Certificate Manager configuration and Certificate Manager reports and dashboard in Tanium Reporting.

Certificate Manager Configuration Approver

Assign the Certificate Manager Configuration Approver role to users who need to approve Certificate Manager configuration changes in Tanium Endpoint Configuration.
This role can view and approve the proposed Certificate Manager configuration changes in Tanium Endpoint Configuration.

In addition to the Certificate Manager roles, users must also have sufficient management rights, such as All Computers. Otherwise, saved configurations are deployed only to the specific management rights group for the user.

Do not assign the Certificate Manager Service Account role to users. This role is for internal purposes only.

Configure audit settings

You can configure certificate audit settings for all endpoints.

  1. From the Main menu, go to Modules > Certificate Manager > Overview and then click Settings .
  2. Enter a Maximum Audit Age value. The default is 1 day.
  3. (Optional) If you do not need increased details around listening ports and ciphers, clear the Enable Listen Port Scan option.
  4. Select a Log Verbosity. The available options are Info, Warning, Error, and Fatal.
  5. (Optional) If you do not need to prevent spikes in network traffic or other resource consumption, clear the Distribute over time option and then click Save. The default is set to distribute over 15 minutes.

Configure exclusion list

You can specify a list of certificates that you want to exclude from auditing in Certificate Manager.

Certificates that are found on listening ports cannot be excluded by the exclusion list. Only certificates that are found by file or certificate store are excluded by the exclusion list. For more information about certificate discovery methods, see Certificate sources.

  1. From the Main menu, go to Modules > Certificate Manager > Overview, click Settings , and then click the Exclusion List tab.
  2. Enter a certificate by name or fingerprint, select it from the dropdown list, click Add Exclusion, enter an optional note, and then click Submit.

    You can continue entering additional certificates before you click Add Exclusions.

  3. To sort the list, click on any of the column names. The available options are Exclusion, Common Name, Subject, Issuer, Expiration, and SHA-256 Fingerprint.
  4. To view all active and inactive certificate exclusions, select All from the Exclusion options. The available options are All, Active, and Inactive.
    1. To deactivate an active exclusion, select it and then click Deactivate Exclusion.

      You can also select multiple active exclusions and then click Deactivate Exclusions.

    2. To activate an inactive exclusion, select it and then click Activate Exclusion.

      You can also select multiple inactive exclusions and then click Activate Exclusions.

    3. To add or edit a note for a certificate, select it and then click Edit Note.
    4. If you no longer need to exclude a specific certificate, select it and then click Delete .

      You can also select multiple certificates and then click Delete .

Configure certificate authorities

If your organization requires that you use a particular set of certificate authorities (CAs), such as one approved external provider and one or more internal public key infrastructures (PKIs), you can use Certificate Manager to designate these certificates as authorized certificates.

The full certificate chain, which includes the root and all intermediate certificates, must be imported in the Certificate Authorities tab of the Certificate Manager settings.

Obtain the certificate chain for your external CA using OpenSSL

  1. Use OpenSSL to get the certificate chain that is used by a known good site.

    openssl s_client -connect tanium.com:443 -showcerts

  2. Review the response to locate the root and intermediate certificates.

    ClosedClick here to view an example response.

    The example response was shortened to not display the entire certificate contents.

    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = California, L = Emeryville, O = Tanium Inc., CN = *.tanium.com
    verify return:1
    write W BLOCK
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=Emeryville/O=Tanium Inc./CN=*.tanium.com
    i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    -----BEGIN CERTIFICATE-----
    MIIGtzCCBZ+gAwIBAgIQCEq/Uf85v78s/1CqKhKjqjANBgkqhkiG9w0BAQsFADBP
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
    ...
    rij6WpCEkEin0yZBaxYmqpv18XKzoiaY9AhrO0p0QorbQrGKH87zkR+n6Cn8lCKC
    ry4i8sJRuzV7hTWyjylr19b/iHu79bGIpsDrG3Huikm0of076bSzSWEpUQ0tH7XY
    XnShELTAhXGlxPgJX4clpMrG5SKlr0S0FVHU7nZ6GMN47Kd3GuvIfX7NnQ==
    -----END CERTIFICATE-----
    1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    -----BEGIN CERTIFICATE-----
    MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    ...
    EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
    ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
    A7sKPPcw7+uvTPyLNhBzPvOk
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Emeryville/O=Tanium Inc./CN=*.tanium.com
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 3436 bytes and written 367 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    	Protocol  : TLSv1.3
    	Cipher    : AEAD-AES256-GCM-SHA384
    	Session-ID: 
    	Session-ID-ctx: 
    	Master-Key: 
    	Start Time: 1675375403
    	Timeout   : 7200 (sec)
    	Verify return code: 0 (ok)
    ---
    closed

  3. Copy the first certificate, including the BEGIN/END markers and save the contents to a file that is named trusted_intermediate_certificate_authorities.pem.
  4. Copy the second certificate, including the BEGIN/END markers and save the contents to a file that is named trusted_root_certificate_authorities.pem.

Repeat these steps if you have multiple approved CAs and append each certificate to the two PEM files.

Obtain your internal CA certificates

In many organizations, any internal PKI is implemented using Microsoft's AD-integrated CA, but other solutions are also available.

  1. Sign in to your CA.

    For Microsoft, the CA is likely on a domain controller at a URL that is similar to https://acme-dc01.acme.lab/CertSrv.

  2. Click Download CA certificate.A certnew.crt file downloads to your computer.
  3. Append the contents of the certnew.crt file to your trusted_root_certificate_authorities.pem file.

    If you did not create the two PEM files as described in Obtain the certificate chain for your external CA using OpenSSL, you can rename the certnew.crt file to trusted_root_certificate_authorities.pem and create a blank trusted_intermediate_certificate_authorities.pem file.

Configure and manage authorized CAs

  1. From the Main menu, go to Modules > Certificate Manager > Overview, click Settings , and then click the Certificate Authorities tab.
  2. To manually add a CA, click Add, enter a PEM-encoded certificate and an optional description, and then click Submit.
  3. To import a CA, click Import, click Browse for Files to select a PEM or DER encoded certificate file, and then click Submit.
  4. To view all active and inactive CAs, select All from the Authority options. The available options are All, Active, and Inactive.
    1. To deactivate an active CA, select it and then click Deactivate Authority.

      You can also select multiple active CAs and then click Deactivate Authorities.

    2. To activate an inactive CA, select it and then click Activate Authority.

      You can also select multiple inactive CAs and then click Activate Authorities.

    3. To edit the certificate type or description for a CA, select it and then click Edit Authority.
    4. To delete a CA, select it and then click Delete .

      You can also select multiple CAs and then click Delete .

Configure approved ciphers

Certificate Manager pre-populates the approved cipher suites based on Internet Assigned Numbers Authority (IANA) recommendations. Approval status appears in Certificate Manager dashboards and reports.

The following ciphers are approved by default in Certificate Manager:

  • TLS_DHE_PSK_WITH_AES_128_CCM

  • TLS_DHE_PSK_WITH_AES_256_CCM

  • TLS_DHE_PSK_WITH_AES_128_GCM_SHA256

  • TLS_DHE_PSK_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_CCM

  • TLS_DHE_RSA_WITH_AES_256_CCM

  • TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256

  • TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384

If your organization has a policy for acceptable cipher suites, you can add or remove approvals based on your organization policy.

  1. From the Main menu, go to Modules > Certificate Manager > Overview, click Settings , and then click the Approved Ciphers tab.
  2. To view the list by approval status, select Approved or Not Approved from the Approval Status options. The available options are All, Approved, and Not Approved.
    1. To add an approval for a cipher suite, select one with a Not Approved status and then click Add Approval.

      You can also select multiple cipher suites with a Not Approved status and then click Add Approvals.

    2. To remove an approval for a cipher suite, select one with an Approved status and then click Remove Approval.

      You can also select multiple cipher suites with an Approved status and then click Remove Approvals.