Hi @dgagnon,

 

When you enable this feature, it makes the agent no longer use the Local Root CA certificate store and use only the pinned roots.pem certificate file. This PEM file is downloaded with content updates, and you can see it under the content folder directory - C:\ProgramData\Cyvera\LocalSystem\Download\content

As seen below

zarnous_2-1710265688421.png

 


When the agent starts, restarts, or is installed, the roots.pem file gets copied and loaded into the configuration, and you can see it under the config directory - C:\Program Files\Palo Alto Networks\Traps\config\roots.pem
As seen below

 

zarnous_1-1710265352300.png


This will give you the assurance that the agent will use the roots.pem.

One more thing I would recommend here is to also enable the newly introduced field “LAST CERTIFICATE ENFORCEMENT FALLBACK” under Endpoint --> All Endpoints, to have this as a checkpoint and see if the agent falls back to using its local store to validate certificates.

zarnous_3-1710265982467.png


Hope that helped!

If that answered the question, please feel free to mark this as a solution so others can benefit from it!

Best,
Z
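
A local check for the copy step described in the post above, as an added example that is not part of the original post and is not Palo Alto Networks tooling: it compares the roots.pem in the config directory with the newest one under the content folder and lists the pinned roots. Assumptions: the account can read both directories, the downloaded file may sit in a subfolder of the content folder (hence the recursive search), and `Get-PemCertificates` is a hypothetical helper name.

```powershell
# Added example. The two paths are the ones quoted in the post; the rest is an assumption.
$contentDir = 'C:\ProgramData\Cyvera\LocalSystem\Download\content'
$configPem  = 'C:\Program Files\Palo Alto Networks\Traps\config\roots.pem'

# Hypothetical helper: split a PEM bundle into X509Certificate2 objects.
function Get-PemCertificates {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($text, $pattern, $opts)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

if (-not (Test-Path -LiteralPath $configPem)) {
    Write-Warning "roots.pem not found in the config directory: $configPem"
} else {
    $loaded = Get-FileHash -LiteralPath $configPem -Algorithm SHA256
    # Assumption: the downloaded copy may sit in a subfolder, so search recursively.
    $newest = Get-ChildItem -LiteralPath $contentDir -Filter 'roots.pem' -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    if (-not $newest) {
        Write-Warning "No roots.pem found under $contentDir"
    } elseif ((Get-FileHash -LiteralPath $newest.FullName -Algorithm SHA256).Hash -eq $loaded.Hash) {
        Write-Output "Config copy matches the downloaded file: $($newest.FullName)"
    } else {
        # The post says the copy happens when the agent starts, restarts or is installed.
        Write-Warning "Config copy differs from $($newest.FullName); the agent may not have restarted since the last content update."
    }

    # List the pinned roots and flag any that have expired.
    Get-PemCertificates -Path $configPem |
        Select-Object Subject, NotAfter, Thumbprint, @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
        Sort-Object NotAfter | Format-Table -AutoSize
}
```

A mismatch here only shows that the two files differ on disk; the "LAST CERTIFICATE ENFORCEMENT FALLBACK" column mentioned in the post remains the indicator of whether the agent fell back to the local store.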