Deploying certificate audits
Refresh a certificate audit on one or more endpoints by deploying a certificate audit package.
You can also configure port exclusions if you want Certificate Manager to ignore server certificates on a specific listening port.
Deploy a certificate audit package
- From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
- Select Certificate Audit [Non-Windows] or Certificate Audit [Windows] and then click Deploy Action.
- In the Targeting Criteria section, choose an option to target one or more endpoints and then click Show Preview to Continue.
To run the certificate audit on all endpoints, select All non-Windows or All Windows for Action Group.
- Verify the list of targeted endpoints and then click Deploy Action.
Verify that a certificate audit completed successfully
- From the Main menu, go to Administration > Actions > Action History and search for Certificate Audit.
- Select one or more actions that correspond with the Certificate Audit [Non-Windows] or Certificate Audit [Windows] packages and click Show Status.
- In the States of machines section, verify that the status is Completed.
For more information about action states, see Tanium Console User Guide: View action status.
If you are not seeing expected results in the Certificate Manager reports, see Unexpected certificate audit results.
Configure certificate port exceptions
You can add or delete port exclusions by deploying the following packages:
- Certificate Audit Add Port Exclusions [Non-Windows]
- Certificate Audit Add Port Exclusions [Windows]
- Certificate Audit Delete Port Exclusions [Non-Windows]
- Certificate Audit Delete Port Exclusions [Windows]
Add port exclusions
- From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
- Select Certificate Audit Add Port Exclusions [Non-Windows] or Certificate Audit Add Port Exclusions [Windows] and then click Deploy Action.
- In the Deployment Package section, enter the Ports to Exclude.
- In the Targeting Criteria section, choose an option to target one or more endpoints and then click Show Preview to Continue.
To add the port exclusion for all endpoints, select All non-Windows or All Windows for Action Group.
- Verify the list of targeted endpoints and then click Deploy Action.
Delete port exclusions
- From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
- Select Certificate Audit Delete Port Exclusions [Non-Windows] or Certificate Audit Delete Port Exclusions [Windows] and then click Deploy Action.
- In the Deployment Package section, enter the Ports to no longer exclude.
- In the Targeting Criteria section, choose an option to target one or more endpoints and then click Show Preview to Continue.
To delete the port exclusion for all endpoints, select All non-Windows or All Windows for Action Group.
- Verify the list of targeted endpoints and then click Deploy Action.
Although the Certificate Audit Port Exclusions sensor displays the updated exclusions, the port exclusions do not take effect until after the next certificate audit runs. You can either Deploy a certificate audit package manually, or wait until the next Certificate Audit [Non-Windows] and Certificate Audit [Windows] scheduled actions run.
Configure authorized certificate authorities
If your organization requires that you use a particular set of certificate authorities (CAs), such as one approved external provider and one or more internal public key infrastructures (PKIs), you can use Certificate Manager to designate certificates issued by these CAs as authorized certificates. Certificates that do not chain to one of the imported CAs are reported as unauthorized.
The full CA chain for each authorized CA, that is, the root certificate and every intermediate certificate, must be imported into the audit packages. The server (leaf) certificates themselves are not part of this chain and must not be added to either PEM file.
Obtain the certificate chain for your external CA using OpenSSL
- Use OpenSSL to get the certificate chain that a known good site presents. The -servername option sends the host name in the TLS handshake (SNI) so that a server hosting several names returns the right certificate, and redirecting stdin from /dev/null makes the command exit after printing the chain.
openssl s_client -connect tanium.com:443 -servername tanium.com -showcerts </dev/null
- Review the response to locate the root and intermediate certificates. The Certificate chain section lists each certificate with a depth number, a subject (s:) and an issuer (i:), followed by the PEM block. Depth 0, the first certificate printed, is the server's own certificate and does not belong in either PEM file. Each following certificate whose subject differs from its issuer is an intermediate CA; a certificate whose subject equals its issuer is the self-signed root. Many servers do not send the root at all; in that case, obtain the root certificate from the CA's published repository.
- Copy each intermediate certificate, including the BEGIN/END markers, and save the contents to a file that is named trusted_intermediate_certificate_authorities.pem.
- Copy the root certificate, including the BEGIN/END markers, and save the contents to a file that is named trusted_root_certificate_authorities.pem.
Repeat these steps if you have multiple approved CAs and append each CA's certificates to the two PEM files.
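The manual copy-and-paste above is error prone once a chain has several intermediates or you repeat it for several CAs. The following POSIX shell script is an added example, not part of the Tanium documentation or the Certificate Manager product: it reads -showcerts output from stdin, skips the depth 0 server certificate, and appends every CA certificate to trusted_root_certificate_authorities.pem (subject equals issuer) or trusted_intermediate_certificate_authorities.pem (all other CA certificates). The SAMPLE_SHOWCERTS text is constructed with placeholder PEM bodies and invented example.com names; the function names split_chain and count_certs are this example's own.

```shell
#!/bin/sh
# Added example (not Tanium's code): sort `openssl s_client -showcerts` output
# into the two PEM files the Certificate Audit packages expect.

# Constructed sample of -showcerts output. The base64 bodies are placeholders,
# not real certificates; the layout (depth, s:, i:, PEM block) is what OpenSSL
# prints. Depth 0 is the server cert, depth 1 an intermediate, depth 2 the root.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTPLACEHOLDER
-----END CERTIFICATE-----
 2 s:C = US, O = Example Trust, CN = Example Root CA
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOTCERTPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
issuer=C = US, O = Example Trust, CN = Example Issuing CA 1
---'

# Usage: split_chain OUTDIR < showcerts-output
# Appends (never overwrites) so that running it once per approved CA
# accumulates all chains, and prints a one-line summary of what it found.
split_chain() {
  outdir=$1
  mkdir -p "$outdir"
  awk -v outdir="$outdir" '
    /^Certificate chain$/ { inchain = 1; next }   # only parse the chain section
    inchain && /^---$/    { inchain = 0 }          # "---" closes that section
    !inchain              { next }
    # " 1 s:..." opens a chain entry: remember its depth and subject
    /^ *[0-9]+ s:/ { depth = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss = $0; next }
    /^-----BEGIN CERTIFICATE-----$/ { pem = $0 "\n"; inpem = 1; next }
    inpem {
      pem = pem $0 "\n"
      if ($0 == "-----END CERTIFICATE-----") {
        inpem = 0
        if (depth == 0)
          leaf++                      # the server cert itself is never a trust anchor
        else if (subj == iss) {       # self-signed: this is the root
          roots++
          printf "%s", pem >> (outdir "/trusted_root_certificate_authorities.pem")
        } else {                      # issued by another CA: an intermediate
          inters++
          printf "%s", pem >> (outdir "/trusted_intermediate_certificate_authorities.pem")
        }
      }
    }
    END { printf "leaf=%d intermediate=%d root=%d\n", leaf, inters, roots }
  '
}

# Count PEM certificates in a file, to confirm the files hold what you expect
# before uploading them to the packages.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Demo on the constructed sample. Against a live site you would run:
#   openssl s_client -connect tanium.com:443 -servername tanium.com -showcerts </dev/null \
#     | split_chain ./ca-bundle
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SHOWCERTS" | split_chain "${TMPDIR:-/tmp}/ca-bundle-demo"
fi
```

If the summary reports root=0, the server did not send its root certificate; download the root from the CA's published repository and append it to trusted_root_certificate_authorities.pem yourself. The script only understands PEM input; a CA certificate exported in binary DER form (for example the default certnew.crt download from a Microsoft CA) must first be converted with openssl x509 -inform DER -in certnew.crt -out certnew.pem before it is appended to either file.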
Obtain your internal CA certificates
In many organizations, any internal PKI is implemented using Microsoft's AD-integrated CA, but other solutions are also available.
- Sign in to the web enrollment page of your CA.
For Microsoft Active Directory Certificate Services, this is the Certification Authority Web Enrollment site, at a URL that is similar to https://acme-dc01.acme.lab/CertSrv. In this example the role is installed on a domain controller, but it can be on any server that has the role.
- Click Download a CA certificate, certificate chain, or CRL, select Base 64 as the encoding method, and then click Download CA certificate.
A certnew.crt file downloads to your computer. Choose Base 64 rather than the default DER encoding: a DER file is binary and cannot be appended to a PEM file. If the CA is a subordinate (issuing) CA in a multi-tier internal PKI, download the certificate of each CA in the internal chain as well, and treat the issuing CA certificates as intermediates and only the self-signed CA as the root.
- Append the contents of the Base 64 certnew.crt file to your trusted_root_certificate_authorities.pem file (or to trusted_intermediate_certificate_authorities.pem for an issuing CA certificate).
If you did not create the two PEM files as described in Obtain the certificate chain for your external CA using OpenSSL, you can rename the Base 64 certnew.crt file to trusted_root_certificate_authorities.pem and create an empty trusted_intermediate_certificate_authorities.pem file.
Add the files to the packages in Tanium
- From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
- For each of the following packages, select the package and then click Edit.
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- In the Files section, click Add File > Local Files to add the trusted_root_certificate_authorities.pem and trusted_intermediate_certificate_authorities.pem files and then click Save.
If you upgrade Certificate Manager, you must Add the files to the packages in Tanium and Update and reissue scheduled actions again.
Update and reissue scheduled actions
After you add the two PEM files to the packages, you must update the source packages. You can then either reissue the scheduled actions manually or wait for the next scheduled actions to run.
- From the Main menu, go to Administration > Actions > Scheduled Actions and search for Certificate.
- For each of the following scheduled actions, click Update source package to get the latest source package.
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- For each of the following scheduled actions, select the package and then click Reissue.
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- In the Targeting Criteria section, click Show Preview To Continue and then click Reissue Action.
- View unauthorized certificates to verify that there are fewer unauthorized certificates.
Add certificate exceptions
If you want to manually add known certificates for Certificate Manager to consider as authorized certificates, you can create a customer-exceptions.csv file to add to the certificate audit packages.
- Create a comma-separated customer-exceptions.csv file with the following columns:
- Thumbprint
- Subject
- Reason for exception
- Date added
- From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
- For each of the following packages, select the package and then click Edit.
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- In the Files section, click Add File > Local Files, click Browse for Files to select the customer-exceptions.csv file that you created, and then click Save.
- From the Main menu, go to Administration > Actions > Scheduled Actions and search for Certificate.
- For each of the following scheduled actions, click Update source package to get the latest source package.
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- Deploy a certificate audit package and View unauthorized certificates to verify that there are fewer unauthorized certificates.
Last updated: 3/14/2023 1:24 PM