2.3. Client Certificate

While the browser cookie is a better user experience for the end-user and can be easier to integrate, it is not as reliable as the client certificate. Using them together can be very effective by first checking for the cookie and then falling back to the certificate if no cookie is present. This provides a better user experience when the cookie is present, but doesn’t fail if the cookie is not available for some reasons.

How it works

When the persistent MetaAccess agent is installed, or the on-demand MetaAccess agent is run, a client certificate is silently installed in the personal certificate store of the current user* or keychain on the endpoint. This certificate is self-signed by OPSWAT.

* on Windows, you must use certmgr.msc to be able to verify it.

MetaAccess uses the certificate Subject DN to provide the device identifier. The format of the Subject is:CN = www.opswat.comO = OPSWATL = San FranciscoS = CAC = US0.9.2342.19200300.100.1.1 = {Device ID}

images/download/attachments/34554432/sample-certificate.png

The OID in dot notation above (0.9.2342.19200300.100.1.1) is also referenced as device ID.

When the persistent MetaAccess agent is uninstalled, or the on-demand MetaAccess agent is exited, MetaAccess agent will remove the client certificate. Therefore the presence of the client certificate can be used to infer the presence of MetaAccess agent and vice-e-versa.

Installing client certificates on endpoints is controlled in the MetaAccess account settings.

images/download/attachments/34554432/integrations-2.PNG

The configuration needed to request and read the client certificate is different for every web server. There are typically options to make the certificate required or optional, as well as to enforce validation versus a CA (the OPSWAT CA in this case). If using Nginx for example, you would configure the server with the ssl_verify_client setting and a parameter of on, optional, or optional_no_ca. The contents of the certificate would then be available to the server as variables $ssl_client_cert or $ssl_client_s_dn.

Supported Browsers

As of November 10th, 2016, the client certificate is supported on both Windows and macOS.

Browser

Windows

macOS

Chrome 34+

images/download/attachments/34554432/Yes.PNG

images/download/attachments/34554432/Yes.PNG

Firefox* 28+

images/download/attachments/34554432/Yes.PNG

images/download/attachments/34554432/Yes.PNG

Internet Explorer 8+

images/download/attachments/34554432/Yes.PNG

images/download/attachments/34554432/image2016-11-10_14_54_37.png

Safari

images/download/attachments/34554432/image2016-11-10_14_54_37.png

images/download/attachments/34554432/Yes.PNG

Legend

Description

images/download/attachments/34554432/Yes.PNG

Supported

images/download/attachments/34554432/image2016-11-10_14_54_37.png

Not available

*: MetaAccess agent couldn't insert client certificate to Firefox database if Firefox is running.