Configure BeyondInsight Custom Certificates
In your BeyondInsight configuration, you can create certificates rather than use the certificates created and issued by BeyondInsight. You must configure custom certificates in the registry.
Client Certificate Overview
Client certificates are used to authenticate clients and ensure secure transmission of data between agents and BeyondInsight. Each client certificate contains a public and private key pair. During the SSL handshake, the server requests the client certificate. The client authenticates the certificate before initiating the connection, and the server validates it when it is received.
You can use BeyondInsight generated self-signed client certificates or your own certificates. This allows BeyondInsight to operate in a variety of environments and removes the need to register each system instance with an internet certificate authority.
Client certificates must contain the following details:
- The intended purpose for the certificate. For example, Server Authentication, Client Authentication, or both.
- A Key Usage value of Digital Signature, Key Encipherment, Data Encipherment, Key Agreement.
Certificate Registry Keys
The custom certificates in the certificate chain must be added to the correct locations. Review the following tables to confirm the correct locations for the server and client certificates.
BeyondInsight (Server Side)
Registry path: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\EMS\Client]

| Key | Value | Type | Description |
|---|---|---|---|
| storename | MY | REG_SZ | The store name. The default value is MY if the key is not present. |
| servercertname | eEyeEmsServer | REG_SZ | The server certificate name. Use the name of your trusted certificate. The default value is eEyeEmsServer if the key is not present. Used by Application Bus. |
| certname | eEyeEmsClient | REG_SZ | Needs to be created. The client certificate name. Use the name of your trusted certificate. The default value is eEyeEmsClient if the key is not present. Used by Event Server. |
| ValidateCertChain | 0 | DWORD | Needs to be created. Set to 0 to turn certificate chain validation off. This is the required value. |
Validate Certificates
Review the following section to confirm the certificates you created meet the BeyondInsight requirements:
- Confirm the value for the Key Usage. The key usage must indicate that the certificate can be used as a digital signature.
- Confirm the value for the Enhanced Key Usage. Enhanced key usage must indicate that the certificate can be used for server authentication, client authentication, or both.
- Verify the Subject entry. The Subject value is the name of the certificate that must be added to the registry. This example shows the name of the BeyondTrust client certificate.
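The following PowerShell script is an added example, not BeyondTrust tooling: it reads the registry keys from the table above (falling back to the documented defaults), locates the server and client certificates in the configured store by Subject CN, and checks the Key Usage and Enhanced Key Usage values listed in this section. The Enhanced Key Usage OIDs and the `Test-BICertificate` function name are the example's own; run it from an elevated prompt on the BeyondInsight server.

```powershell
# Added example (not BeyondTrust's own code): confirm the certificates named in the
# BeyondInsight registry keys exist and carry the required Key Usage / Enhanced Key Usage.
$regPath = 'HKLM:\SOFTWARE\Wow6432Node\eEye\EMS\Client'
$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

# Use the documented defaults when a value is not present in the registry.
$storeName  = if ($reg.storename)      { $reg.storename }      else { 'MY' }
$serverName = if ($reg.servercertname) { $reg.servercertname } else { 'eEyeEmsServer' }
$clientName = if ($reg.certname)       { $reg.certname }       else { 'eEyeEmsClient' }

# Standard Enhanced Key Usage OIDs for Server Authentication and Client Authentication.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-BICertificate {
    param([string]$Name, [string]$Store)
    # The Subject CN must match the name stored in the registry key.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Name))(,|$)" } |
        Select-Object -First 1
    if (-not $cert) { return "MISSING: no certificate with CN=$Name in LocalMachine\$Store" }

    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $problems = @()
    # Key Usage must include Digital Signature.
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $ku -or -not ($ku.KeyUsages -band $digSig)) { $problems += 'Key Usage lacks Digital Signature' }
    # Enhanced Key Usage must include Server Authentication, Client Authentication, or both.
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if (-not ($oids -contains $serverAuthOid -or $oids -contains $clientAuthOid)) {
        $problems += 'Enhanced Key Usage has neither Server nor Client Authentication'
    }
    # The key pair must be present, not just the public certificate.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }

    if ($problems.Count -eq 0) { return "OK: $Name ($($cert.Thumbprint))" }
    return "FAIL: $Name -> " + ($problems -join '; ')
}

Test-BICertificate -Name $serverName -Store $storeName
Test-BICertificate -Name $clientName -Store $storeName
"ValidateCertChain = $($reg.ValidateCertChain)"
```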