Configure BeyondInsight Custom Certificates

In your BeyondInsight configuration, you can create certificates rather than use the certificates created and issued by BeyondInsight. You must configure custom certificates in the registry.

Client Certificate Overview

Client certificates are used to authenticate clients and ensure secure transmission of data between agents and BeyondInsight. Each client certificate contains a public and private key pair. During the SSL handshake, the server requests the client certificate. The client authenticates the certificate before initiating the connection, and the server validates the certificate when it is received.

You can use BeyondInsight generated self-signed client certificates or your own certificates. This allows BeyondInsight to operate in a variety of environments and removes the need to register each system instance with an internet certificate authority.

Client certificates must contain the following details:

  • The intended purpose for the certificate. For example, Server Authentication, Client Authentication, or both.
  • A Key Usage value of Digital Signature, Key Encipherment, Data Encipherment, Key Agreement.

Certificate Registry Keys

The custom certificates in the certificate chain must be added to the correct locations. Review the following tables to confirm the correct locations for the server and client certificates.

BeyondInsight (Server Side)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\EMS\Client]
| Key | Value | Type | Description |
|---|---|---|---|
| storename | MY | REG_SZ | The store name. The default value is MY if the key is not present. |
| servercertname | eEyeEmsServer | REG_SZ | The server certificate name. Use the name of your trusted certificate. The default value is eEyeEmsServer if the key is not present. Used by Application Bus. |
| certname | eEyeEmsClient | REG_SZ | Needs to be created. The client certificate name. Use the name of your trusted certificate. The default value is eEyeEmsClient if the key is not present. Used by Event Server. |
| ValidateCertChain | 0 | DWORD | Needs to be created. Set to 0 to turn certificate chain validation off. This is the required value. |

Validate Certificates

Review the following section to confirm the certificates you created meet the BeyondInsight requirements:

An image of Key Usage on the Certificate screen in the Event Server configuration.

  • Confirm the value for the Key Usage. The key usage must indicate that the certificate can be used for digital signatures.

An image of Enhanced Key Usage on the Certificate screen in the Event Server configuration.

  • Confirm the value for the Enhanced Key Usage. Enhanced key usage must indicate that the certificate can be used for server authentication, client authentication, or both.

An image of the subject entry on the Certificate screen in the Event Server configuration.

  • Verify the Subject entry. Note that the value provided is the name of the certificate that needs to be added to the registry. This example shows the name of the BeyondTrust client certificate.
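
The three checks above can also be scripted instead of read off the Certificate screen. The following PowerShell is an added example, not BeyondTrust code: it reads the names from the registry key shown earlier (falling back to the documented defaults) and reports any certificate that lacks a private key, the Digital Signature key usage, or a Server/Client Authentication enhanced key usage. It assumes the certificates are in the LocalMachine store and that the registry name matches the subject common name (CN).

```powershell
# Added example, not BeyondTrust code. Assumptions: the certificates are in the
# LocalMachine store and the registry name matches the subject common name (CN).
$regPath = 'HKLM:\SOFTWARE\Wow6432Node\eEye\EMS\Client'
$cfg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

function Get-Setting([string]$Name, $Default) {
    # Fall back to the documented default when the value is not present.
    if ($cfg -and $null -ne $cfg.$Name) { $cfg.$Name } else { $Default }
}

$storeName = Get-Setting 'storename' 'MY'
$certNames = [ordered]@{
    servercertname = Get-Setting 'servercertname' 'eEyeEmsServer'
    certname       = Get-Setting 'certname' 'eEyeEmsClient'
}
$digSig   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$authOids = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'  # Server / Client Authentication

$report = foreach ($entry in $certNames.GetEnumerator()) {
    # Match the configured name against the CN component of the Subject.
    $pattern = 'CN=' + [regex]::Escape($entry.Value) + '(,|$)'
    $found = @(Get-ChildItem -Path "Cert:\LocalMachine\$storeName" |
        Where-Object { $_.Subject -match $pattern })
    if ($found.Count -eq 0) {
        [pscustomobject]@{ RegistryValue = $entry.Key; Name = $entry.Value
                           Thumbprint = ''; Problems = 'not found in store' }
        continue
    }
    foreach ($cert in $found) {
        $ku  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if (-not $ku -or -not ($ku.KeyUsages -band $digSig)) {
            $problems += 'Key Usage lacks Digital Signature'
        }
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $authOids -contains $_.Value })) {
            $problems += 'Enhanced Key Usage lacks Server/Client Authentication'
        }
        [pscustomobject]@{ RegistryValue = $entry.Key; Name = $entry.Value
                           Thumbprint = $cert.Thumbprint
                           Problems = if ($problems) { $problems -join '; ' } else { 'none' } }
    }
}
$report | Format-Table -AutoSize -Wrap
'ValidateCertChain = {0}' -f (Get-Setting 'ValidateCertChain' '<not present>')
```

Run it in an elevated session on the BeyondInsight server; a row with Problems set to none meets the requirements listed on this page.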