How it works

When the persistent MetaAccess agent is installed, or the on-demand MetaAccess agent is run, a client certificate is silently installed in the personal certificate store of the current user* or keychain on the endpoint. This certificate is self-signed by OPSWAT.

* on Windows, you must use certmgr.msc to be able to verify it.

MetaAccess uses the certificate Subject DN to provide the device identifier. The format of the Subject is:CN = www.opswat.comO = OPSWATL = San FranciscoS = CAC = US0.9.2342.19200300.100.1.1 = {Device ID}

The OID in dot notation above (0.9.2342.19200300.100.1.1) is also referenced as device ID.

When the persistent MetaAccess agent is uninstalled, or the on-demand MetaAccess agent is exited, MetaAccess agent will remove the client certificate. Therefore the presence of the client certificate can be used to infer the presence of MetaAccess agent and vice-e-versa.

Installing client certificates on endpoints is controlled in the MetaAccess account settings.

The configuration needed to request and read the client certificate is different for every web server. There are typically options to make the certificate required or optional, as well as to enforce validation versus a CA (the OPSWAT CA in this case). If using Nginx for example, you would configure the server with the ssl_verify_client setting and a parameter of on, optional, or optional_no_ca. The contents of the certificate would then be available to the server as variables $ssl_client_cert or $ssl_client_s_dn.

Supported Browsers

As of November 10th, 2016, the client certificate is supported on both Windows and macOS.

*: MetaAccess agent couldn't insert client certificate to Firefox database if Firefox is running.