Technical Tip: Cert-Check Custom Scan
Description
Scope
FortiNAC, FortiNAC-F.
Solution
Cert-Check is one of the Custom Scans available for Endpoint Compliance Policies for Windows hosts. This scan searches for a specific SSL Certificate installed on the host.
The certificate being scanned for must have a Common Name that matches the host's FQDN, and be installed in the following locations:
- On the host in the Certificate Store under Local Computer > Personal > Certificates.
- In Network Sentry's Persistent Agent Cert-Check target under System -> Settings -> Security -> Certificate Management.
The following configuration may be used as a reference.
- Create a TLS-Client certificate that has a Common Name that matches the host FQDN.

- Check if the Local Root CA has already been imported in the client as a Trusted Certificate.

- Import the same Local Root CA under FortiNAC System -> Settings -> Security -> Certificate Management -> Persistent Agent Cert-Check.

- Create a Custom Scan for Certification-Check.
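
Before enabling the scan, the host-side prerequisites from the steps above can be confirmed with the PowerShell check below. It is an added example, not part of the original article or of Fortinet tooling. It assumes the host's FQDN is the name DNS returns for the local computer name, and it inspects only the Windows host, not the FortiNAC side.

```powershell
# Added example: host-side pre-check for the Cert-Check prerequisites.
# Run in an elevated PowerShell session on the Windows host.

# Assumption: the FQDN the scan compares against is the one the host resolves for itself.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# "Local Computer > Personal > Certificates" is the LocalMachine\My store.
# GetNameInfo(SimpleName) returns the subject Common Name when one is present.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.GetNameInfo($nameType, $false) -ieq $fqdn
}

if (-not $candidates) {
    Write-Warning "No certificate with Common Name '$fqdn' in Cert:\LocalMachine\My"
    return
}

foreach ($cert in $candidates) {
    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # The last chain element is the root (or the certificate itself if no issuer was found).
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        # 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU expected on a TLS client certificate.
        ClientAuthEku = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        ChainValid    = $chainOk
        RootSubject   = $root.Subject
        # True when the chain's root is present in Local Computer > Trusted Root Certification Authorities.
        RootTrusted   = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    }
}
```

The root reported in `RootSubject` should be the same Local Root CA that is imported into the Persistent Agent Cert-Check target on FortiNAC.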

For further details, refer to the Online Help topic Create Custom Scans For Windows.
