During TLS hand-shake server sends it's certificate to client and it's up to the client how to verify the authenticity of the certificate. Snare Agent has two modes of server certificate checking i.e. 'Accept any' and 'Strict Certificate Checking' as shown in following diagram.

Open

Next, it is explained how to enable and test strict certificate checking in Snare Agents. This is applicable to Windows/Lunix/macOS Snare Agents.

 Create Server Certificate

These steps can be performed on any Windows/Linux/macOS machine. OpenSSL is needed for these steps. On Linux/macOS machines OpenSSL is already installed and for Windows the OpenSSL.exe can be downloaded from https://slproweb.com/products/Win32OpenSSL.html

• Copy the following text into an empty text file and save it as .conf file

• (optional - only needed for strict certificate checking) Now make changes as per the Server machine. The *most* important properties are CN and DNS.x.

• For example, if the Server name is WIN81 (that is one of VM in Snare test lab) the the .conf file will look as following

• Now run the following command to generate the .CSR file from the .conf file.

• The above step will also create the private key fle company_san.private

• Run following command to validate the .csr file and make sure there is no error reported

• Specifically check that the CN and 'Subject Alternative Name' are correct and corresponds to the server machine. Without 'Subject Alternative Name' the certificate checking will fail on macOS 10.15+ https://support.apple.com/en-us/HT210176

Open

• Run following command to extract the public key from .csr file.

• Create Selft-Signed Certificate (Windows/Linux/macOS)

  • Use following openssl command to cretae self signed certificate using recently created .csr and public key .pem files

• Create CA Certificate (Windows/Linux/macOS)

  • Provide the .csr and publickey.pem files to your CA and get CA signed certificate

  • The CA should provide Base 64 Decoded 

    • certificate.cer

    • CA certificate chain .p7b file

  • (Windows Only) also get the latest certificate revocation list file(s) from CA

    • latest base CRL .crl

    • latest delta CRL .crl

• Then run following command to combine private key and server certificate .cer into a single .pfx File

• Next we need to install the certificate.pfx on server and root certificate .p7b file to client side using following steps.

Server Side Certificate

• Windows

  • Import the certificate.pfx into Windows Certificate Manager (( open cmd >> mmc >> add remove snap>> add certificate(Use system account) >> then select personal folder >> Right click Certificate >> All tasks >>import ). Remember to check "Mark this key as Exportable"

• After import, the certificate is shown under Personal\Certificates as shown in following screenshot:
  
  

• Double click the newly installed certificate i.e. WIN81.snare.ia in this case and go to 'Details' tab and then select the Thumbprint and it will show the thumbprint string. Now down this string as shown in following screenshot.
  
  

• Open SAM GUI => General settings and select the newly installed certificate for "Agent HTTPS Certificate". The certificate is identified by it's "Thumbprint".

Linux

If server certificate is being used by Snare Server then, follow these steps to install the server certificate alongwith privte/public keys https://support.prophecyinternational.com/s/article/Using-a-CA-signed-cert-on-Snare-Server and https://prophecyinternational.atlassian.net/wiki/spaces/Snare/pages/893485237

Client Side Certificate

On client side, the root Certificate Authority (CA) needs to be installed so that the server side certificate can be vlidated. The Snare agent can run on Windows/Linux/macOS so we have separate instructions for each OS.

Windows

• Import the root certificate chain .p7b into Windows Certificate Manager (( open cmd >> mmc >> add remove snap>> add certificate(Use system account) >> then select 'Trusted Root Certificate Authorities' >> Right click >> All tasks >>import ) and impor the .p7b file. After import the certificate maager will show the Snare CA as following:

• Also import both CRL files into Trusted Root Certificate Authorities\Certificate Revocation List. After import the Certificate Revocation List will look like this
  
  

Linux

• (only if certificated is created by CA i.e. it’s not self-signed certificate) Get the root certificate file .crt for the CA. This .crt file is NOT server certificate that was created using CSR

• Now copy the downloaded root certificate to /usr/share/ca-certificates/

• Run following code to install the root certificate

• Select the certificate.crt by pressing space and then continue and root certificate will be installed on client side

macOS

• (only if certificated is created by CA i.e. it’s not self-signed certificate) Get the root certificate file .crt for the CA. This .crt file is NOT server certificate that was created using CSR

• Double click certificate.crt file

• Select "System" from Keychain drop-down box and press Add

• Open "Keychain" app

• Go to 'System' keychain and Select the option 'Certificates' from category

• snare-WINxxxxx certificate will be shown

• Double click the certificate and go to 'Trust'

• Select 'Always Trust' from the drop-down box 'When using this certificate' and close the box from left (it must ask for admin password)

• This is also explained at   and 

Common Step for Windows/Linux/macOS

• Once root certificate authority certificate is installed

• Open Agent GUI => Security Certificates => Snare Agent Manager Certificate Verification => strict checking

• Open Agent GUI => Access Configuration => put hostname that was given in .conf file i.e. WIN81.snare.ia or WIN81 or WIN81.ia

• Make sure that from client machine, the SAM hostname can be pingged