Former Member
Message 1 of 6

ePolicy Orchestrator Certificate-based Authentication

I have a couple of questions with regard to certificate-based authentication through ePO. First, based on this link:

https://kc.mcafee.com/corporate/index?page=content&id=KB86806

We are instructed to generate a CA. Is this the only type of certificate that is supported, or are other types of certificates supported?

Second, in step 2.c, the instructions are to "enter a password if needed". If a password is entered, will that password need to be used for running commands through cURL for that user?

Thank you.

Accepted Solution

McAfee Employee
Message 2 of 6

Re: ePolicy Orchestrator Certificate-based Authentication

Hello @Former Member 

Thanks for your post.

Supported file types are PKCS7, PEM-encoded, DER-encoded, or PKCS12 files with .cer, .crt, .pem, .der, .p12, .p7b extensions, or a .zip file containing multiple certificate files.

This is mentioned in ePO > Server Settings > Certificate-based Authentication.

curl -k -X GET -u asher: --cert ./ClientCert.pem:HelloWorld --key ./privateKeyclient.pem "https://ePOIPAddress:8443/remote/ext.list"

Where:
  • asher - the user name. The password (preceding the colon ":", after asher) is null.
  • ClientCert.pem - the client certificate.
  • HelloWorld - the keystore password, following 'ClientCert.pem:'.
  • privateKeyclient.pem - the private key.
  • ePOIPAddress - the IP address of your ePO server.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

5 Replies
Former Member
Message 3 of 6

Re: ePolicy Orchestrator Certificate-based Authentication

Thank you for your reply. I have a quick follow-up question - when I use

curl -k -X GET -u asher: --cert ./ClientCert.pem:HelloWorld --key ./privateKeyclient.pem "https://ePOIPAddress:8443/remote/ext.list"

to try to run commands through the certificate-based user (i.e. core.help), I get no output at all. curl -v returns the following:

* Rebuilt URL to: https://IP:PORT/
* Trying IP...
* TCP_NODELAY set
* Connected to IP (IP) port PORT (#0)
* schannel: SSL/TLS connection with IP port PORT (step 1/3)
* schannel: checking server certificate revocation
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 156 bytes...
* schannel: sent initial handshake data: sent 156 bytes
* schannel: SSL/TLS connection with IP port PORT (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with IP port PORT (step 2/3)
* schannel: encrypted data got 1621
* schannel: encrypted data buffer: offset 1621 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with IP port PORT
* schannel: clear security context handle
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Do you have any ideas on what the issue may be?

Thank you.

McAfee Employee
Message 4 of 6

Re: ePolicy Orchestrator Certificate-based Authentication

Not sure which root cert it is referring to, but I would assume probably the ePO one. If you browse to the ePO URL, you should be able to view the certificate. Go to the Certification Path tab and, if the root cert has a red X, click on it and then import it into the trusted root store.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Former Member
Message 5 of 6

Re: ePolicy Orchestrator Certificate-based Authentication

Is that through the ePO web GUI, or through the browser itself? I'm using a CA certificate and a user certificate signed with that CA as described in

https://kc.mcafee.com/corporate/index?page=content&id=KB86806

and I'm using Firefox.

Thank you.

McAfee Employee
Message 6 of 6

Re: ePolicy Orchestrator Certificate-based Authentication

I am not sure which certificate is not trusted. If you open the ePO browser cert and go to Certification Path, that root needs to be trusted. I would do the same thing also for the user cert.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
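The following is an added example, not code from the thread or from McAfee. It maps the flags of the accepted answer's curl command (`-u asher:`, `--cert ./ClientCert.pem:HelloWorld`, `--key ./privateKeyclient.pem`, the `/remote/ext.list` URL) onto Python's standard library, and it addresses the follow-up in Messages 3 to 6: instead of passing `-k`, it keeps server verification on and names the ePO root as a trust anchor, so the SEC_E_UNTRUSTED_ROOT condition surfaces as a clear "server certificate not trusted" result rather than an empty response. The user name, key password and file names are the placeholders used in the thread; `epo-root.pem` is an assumed name for the ePO root certificate exported from the browser's Certification Path tab, and `epo.example.internal` is an assumed host.

```python
"""Certificate-based call to the ePO remote API with server verification kept on.

Added example, not from the forum thread or from McAfee.  Names such as
'asher', 'HelloWorld', ClientCert.pem, privateKeyclient.pem are the thread's
placeholders; epo-root.pem and epo.example.internal are assumptions.
"""
import base64
import ssl
import urllib.error
import urllib.request


def basic_auth_header(user: str, password: str = "") -> str:
    """Equivalent of curl's `-u asher:`.

    The empty password after the colon is still sent (as an empty string);
    it is the user name that ePO maps to the client certificate.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def make_client_context(cert_file=None, key_file=None, key_password=None, ca_file=None):
    """Build a TLS context matching the curl flags without `-k`:

      --cert ./ClientCert.pem:HelloWorld  -> cert_file + key_password
      --key  ./privateKeyclient.pem       -> key_file
      --cacert epo-root.pem (in place of -k) -> ca_file

    Server verification stays CERT_REQUIRED with hostname checking; the ePO
    root therefore has to be in ca_file or in the platform trust store, which
    is the "import it into the trusted root store" advice from the thread.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if cert_file:
        # A wrong key password raises ssl.SSLError here, before any connection.
        ctx.load_cert_chain(cert_file, keyfile=key_file, password=key_password)
    return ctx


def call_epo(url, user, cert_file, key_file, key_password, ca_file):
    """Return (status, body) for an ePO remote command, or (None, reason) on a
    TLS failure.  HTTP errors (e.g. 401 when the certificate is not mapped to
    the user) are returned with their body rather than raised."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user)})
    ctx = make_client_context(cert_file, key_file, key_password, ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except ssl.SSLCertVerificationError as exc:
        # Same condition curl reports as SEC_E_UNTRUSTED_ROOT / exit 77: the
        # server's chain does not reach a CA we trust.  Supply the ePO root
        # via ca_file instead of disabling verification.
        return None, f"server certificate not trusted: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Handshake failed for another reason, e.g. ePO rejected the client
        # certificate because it was not issued by the CA uploaded under
        # Server Settings > Certificate-based Authentication.
        return None, f"TLS handshake failed: {exc}"


if __name__ == "__main__":
    status, body = call_epo(
        "https://epo.example.internal:8443/remote/ext.list",  # assumed host
        user="asher",
        cert_file="./ClientCert.pem",
        key_file="./privateKeyclient.pem",
        key_password="HelloWorld",
        ca_file="./epo-root.pem",  # assumed file name for the exported ePO root
    )
    print(status, body)
```

Run it from the directory holding the certificate, key and exported root; swapping `ext.list` for `core.help` in the URL exercises the command the follow-up question mentions. Because `ssl.SSLCertVerificationError` is a subclass of `ssl.SSLError`, the more specific handler is listed first so that an untrusted server root and a rejected client certificate are reported as different problems.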
