Deploying certificate audits

Refresh a certificate audit on one or more endpoints by deploying a certificate audit package.

You can also configure port exclusions if you want Certificate Manager to ignore server certificates on a specific listening port.

Deploy a certificate audit package

  1. From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
  2. Select Certificate Audit [Non-Windows] or Certificate Audit [Windows] and then click Deploy Action.
  3. In the Targeting Criteria section, choose an option to target one or more endpoints and then click Show Preview to Continue.

    To run the certificate audit on all endpoints, select All non-Windows or All Windows for Action Group.

  4. Verify the list of targeted endpoints and then click Deploy Action.

Verify that a certificate audit completed successfully

  1. From the Main menu, go to Administration > Actions > Action History and search for Certificate Audit.
  2. Select one or more actions that correspond with the Certificate Audit [Non-Windows] or Certificate Audit [Windows] packages and click Show Status.
  3. In the States of machines section, verify that the status is Completed.
    For more information about action states, see Tanium Console User Guide: View action status.

If you are not seeing expected results in the Certificate Manager reports, see Unexpected certificate audit results.

Configure certificate port exceptions

You can add or delete port exclusions by deploying the following packages:

  • Certificate Audit Add Port Exclusions [Non-Windows]
  • Certificate Audit Add Port Exclusions [Windows]
  • Certificate Audit Delete Port Exclusions [Non-Windows]
  • Certificate Audit Delete Port Exclusions [Windows]

Add port exclusions

  1. From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
  2. Select Certificate Audit Add Port Exclusions [Non-Windows] or Certificate Audit Add Port Exclusions [Windows] and then click Deploy Action.
  3. In the Deployment Package section, enter the Ports to Exclude.
  4. In the Targeting Criteria section, choose an option to target one or more endpoints and then click Show Preview to Continue.

    To add the port exclusion for all endpoints, select All non-Windows or All Windows for Action Group.

  5. Verify the list of targeted endpoints and then click Deploy Action.

Delete port exclusions

  1. From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
  2. Select Certificate Audit Delete Port Exclusions [Non-Windows] or Certificate Audit Delete Port Exclusions [Windows] and then click Deploy Action.
  3. In the Deployment Package section, enter the Ports to no longer exclude.
  4. In the Targeting Criteria section, choose an option to target one or more endpoints and then click Show Preview to Continue.

    To delete the port exclusion for all endpoints, select All non-Windows or All Windows for Action Group.

  5. Verify the list of targeted endpoints and then click Deploy Action.

Although the Certificate Audit Port Exclusions sensor displays the updated exclusions, the port exclusions do not take effect until after the next certificate audit runs. You can either Deploy a certificate audit package manually, or wait until the next Certificate Audit [Non-Windows] and Certificate Audit [Windows] scheduled actions run.

Configure authorized certificate authorities

If your organization requires that you use a particular set of certificate authorities (CAs), such as one approved external provider and one or more internal public key infrastructures (PKIs), you can use Certificate Manager to designate these certificates as authorized certificates.

The full certificate chain, which includes the root and all intermediate certificates, must be imported into the audit packages.

Obtain the certificate chain for your external CA using OpenSSL

  1. Use OpenSSL to get the certificate chain that is used by a known good site.

    openssl s_client -connect tanium.com:443 -showcerts

  2. Review the response to locate the root and intermediate certificates.

    The example response is shortened; the full contents of each certificate are not shown.

    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = California, L = Emeryville, O = Tanium Inc., CN = *.tanium.com
    verify return:1
    write W BLOCK
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=Emeryville/O=Tanium Inc./CN=*.tanium.com
    i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    -----BEGIN CERTIFICATE-----
    MIIGtzCCBZ+gAwIBAgIQCEq/Uf85v78s/1CqKhKjqjANBgkqhkiG9w0BAQsFADBP
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQQDEyBE
    ...
    rij6WpCEkEin0yZBaxYmqpv18XKzoiaY9AhrO0p0QorbQrGKH87zkR+n6Cn8lCKC
    ry4i8sJRuzV7hTWyjylr19b/iHu79bGIpsDrG3Huikm0of076bSzSWEpUQ0tH7XY
    XnShELTAhXGlxPgJX4clpMrG5SKlr0S0FVHU7nZ6GMN47Kd3GuvIfX7NnQ==
    -----END CERTIFICATE-----
    1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    -----BEGIN CERTIFICATE-----
    MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    ...
    EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
    ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
    A7sKPPcw7+uvTPyLNhBzPvOk
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Emeryville/O=Tanium Inc./CN=*.tanium.com
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 3436 bytes and written 367 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    	Protocol  : TLSv1.3
    	Cipher    : AEAD-AES256-GCM-SHA384
    	Session-ID: 
    	Session-ID-ctx: 
    	Master-Key: 
    	Start Time: 1675375403
    	Timeout   : 7200 (sec)
    	Verify return code: 0 (ok)
    ---
    closed

  3. Copy the first certificate, including the BEGIN/END markers, and save the contents to a file named trusted_intermediate_certificate_authorities.pem.
  4. Copy the second certificate, including the BEGIN/END markers, and save the contents to a file named trusted_root_certificate_authorities.pem.

Repeat these steps if you have multiple approved CAs and append each certificate to the two PEM files.

Obtain your internal CA certificates

In many organizations, the internal PKI is Microsoft's Active Directory-integrated CA, but other solutions are also available.

  1. Sign in to your CA.

    For Microsoft, the CA is likely on a domain controller at a URL that is similar to https://acme-dc01.acme.lab/CertSrv.

  2. Click Download CA certificate.
    A certnew.crt file downloads to your computer.
  3. Append the contents of the certnew.crt file to your trusted_root_certificate_authorities.pem file.

    If you did not create the two PEM files as described in Obtain the certificate chain for your external CA using OpenSSL, you can rename the certnew.crt file to trusted_root_certificate_authorities.pem and create a blank trusted_intermediate_certificate_authorities.pem file.

Add the files to the packages in Tanium

  1. From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
  2. For each of the following packages, select the package and then click Edit.
    • Certificate Audit [Non-Windows]
    • Certificate Audit [Windows]
  3. In the Files section, click Add File > Local Files to add the trusted_root_certificate_authorities.pem and trusted_intermediate_certificate_authorities.pem files and then click Save.

If you upgrade Certificate Manager, you must Add the files to the packages in Tanium and Update and reissue scheduled actions again.

Update and reissue scheduled actions

After you add the two PEM files to the packages, you must update the source packages. You can then either reissue the scheduled actions manually or wait for the next scheduled actions to run.

  1. From the Main menu, go to Administration > Actions > Scheduled Actions and search for Certificate.
  2. For each of the following scheduled actions, click Update source package to get the latest source package.
    • Certificate Audit [Non-Windows]
    • Certificate Audit [Windows]
  3. For each of the following scheduled actions, select the package and then click Reissue.
    • Certificate Audit [Non-Windows]
    • Certificate Audit [Windows]
  4. In the Targeting Criteria section, click Show Preview To Continue and then click Reissue Action.
  5. View unauthorized certificates to verify that there are fewer unauthorized certificates.

Add certificate exceptions

If you want to manually add known certificates for Certificate Manager to consider as authorized certificates, you can create a customer-exceptions.csv file to add to the certificate audit packages.

  1. Create a comma-separated customer-exceptions.csv file with the following columns:
    • Thumbprint
    • Subject
    • Reason for exception
    • Date added
  2. From the Main menu, go to Administration > Content > Packages and search for Certificate Audit.
  3. For each of the following packages, select the package and then click Edit.
    • Certificate Audit [Non-Windows]
    • Certificate Audit [Windows]
  4. In the Files section, click Add File > Local Files, click Browse for Files to select the customer-exceptions.csv file that you created, and then click Save.
  5. From the Main menu, go to Administration > Actions > Scheduled Actions and search for Certificate.
  6. For each of the following scheduled actions, click Update source package to get the latest source package.
    • Certificate Audit [Non-Windows]
    • Certificate Audit [Windows]
  7. Deploy a certificate audit package and View unauthorized certificates to verify that there are fewer unauthorized certificates.
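The two file-building steps above (splitting the `openssl s_client -showcerts` output into the root and intermediate PEM files, and assembling customer-exceptions.csv) are easy to get wrong by hand, in particular by copying the server's own certificate into a CA file. The following Python script is an added example and is not part of the Tanium documentation or of Certificate Manager itself. It reads a saved `s_client` transcript, pairs every `N s:`/`i:` header with the PEM block that follows it, treats entry 0 as the server certificate, recognizes a self-signed entry as a root and everything else above entry 0 as an intermediate, checks that each issuer matches the next entry's subject, and produces CSV rows with SHA-1 thumbprints. Assumptions, all labelled in the code: the transcript embedded in `SAMPLE_OUTPUT` is constructed with fictitious names and placeholder bytes instead of real DER, the thumbprint is SHA-1 over the DER bytes rendered as upper-case hex without separators (confirm the format against what the Certificate Manager report displays), and customer-exceptions.csv gets a header row.

```python
import base64
import csv
import hashlib
import re

# File names the Certificate Audit packages expect (from the procedure above).
ROOT_FILE = "trusted_root_certificate_authorities.pem"
INTERMEDIATE_FILE = "trusted_intermediate_certificate_authorities.pem"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----", re.S)
# Matches the "0 s:/C=US/..." form shown on this page as well as the
# "0 s:C = US, ..." form printed by newer OpenSSL releases.
HEAD_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(showcerts_output):
    """Pair each 'N s:/i:' header with the PEM block that follows it."""
    heads = HEAD_RE.findall(showcerts_output)
    pems = PEM_RE.findall(showcerts_output)
    if len(heads) != len(pems):
        raise ValueError(f"{len(heads)} chain headers but {len(pems)} PEM blocks")
    return [{"index": int(n), "subject": s.strip(), "issuer": i.strip(), "pem": p}
            for (n, s, i), p in zip(heads, pems)]


def classify(chain):
    """Entry 0 is the server's own certificate, not a CA. Above it, an entry whose
    subject equals its issuer is a self-signed root; the rest are intermediates.
    Each issuer must match the next entry's subject, or the chain is broken."""
    chain = sorted(chain, key=lambda e: e["index"])
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            raise ValueError(f"chain break after: {lower['subject']}")
    cas = chain[1:]
    roots = [e for e in cas if e["subject"] == e["issuer"]]
    intermediates = [e for e in cas if e["subject"] != e["issuer"]]
    return chain[0], intermediates, roots


def split_pem(chain):
    """Return (intermediate_pem_text, root_pem_text, root_present). Servers often
    omit the root, in which case it must be obtained from the CA itself."""
    _leaf, intermediates, roots = classify(chain)
    inter = "".join(e["pem"] + "\n" for e in intermediates)
    root = "".join(e["pem"] + "\n" for e in roots)
    return inter, root, bool(roots)


def thumbprint(pem):
    """SHA-1 over the DER bytes, the value Windows and most browsers call the
    thumbprint. Upper-case hex without separators is an ASSUMPTION; match the report."""
    body = "".join(pem.strip().splitlines()[1:-1])
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


def exception_rows(entries, reason, added):
    """Rows for customer-exceptions.csv, in the column order listed above."""
    return [[thumbprint(e["pem"]), e["subject"], reason, added] for e in entries]


def _fake_pem(tag):
    """CONSTRUCTED: PEM markers around placeholder bytes, not a real certificate."""
    body = base64.b64encode(f"constructed DER placeholder for {tag}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# CONSTRUCTED s_client transcript in the layout shown above; the names are fictitious.
SAMPLE_OUTPUT = "\n".join([
    "CONNECTED(00000003)", "---", "Certificate chain",
    "0 s:/C=US/O=Example Corp/CN=www.example.test",
    "   i:/C=US/O=Example Corp/CN=Example Issuing CA 1",
    _fake_pem("leaf"),
    "1 s:/C=US/O=Example Corp/CN=Example Issuing CA 1",
    "   i:/C=US/O=Example Corp/CN=Example Root CA",
    _fake_pem("intermediate"),
    "2 s:/C=US/O=Example Corp/CN=Example Root CA",
    "   i:/C=US/O=Example Corp/CN=Example Root CA",
    _fake_pem("root"),
    "---", "Server certificate",
])

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    leaf, intermediates, roots = classify(chain)
    print("server certificate (not a CA):", leaf["subject"])
    inter_text, root_text, root_present = split_pem(chain)
    # Append, so that chains from several approved CAs accumulate in the same files.
    with open(INTERMEDIATE_FILE, "a") as f:
        f.write(inter_text)
    with open(ROOT_FILE, "a") as f:
        f.write(root_text)
    if not root_present:
        print("no self-signed root in this chain; obtain it from the CA directly")
    with open("customer-exceptions.csv", "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["Thumbprint", "Subject", "Reason for exception", "Date added"])  # header row is an ASSUMPTION
        writer.writerows(exception_rows([leaf], "Known appliance certificate", "2024-01-15"))
```

To use it against real output, save the transcript with `openssl s_client -connect host:443 -showcerts </dev/null > chain.txt` and pass the file contents to `parse_chain`. Applied to the output reproduced above, the check reports entry 1 as an intermediate (its `i:` line names DigiCert Global Root CA rather than itself), so that chain carries no self-signed root and the root certificate has to be obtained from the CA directly before it is added to the package.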