Configuring a mTLS destination
To configure a destination by using mutual TLS authentication (mTLS), select the mTLS protocol from the drop-down list in the add destination wizard.
- Follow the steps to Adding a destination.
- From the Protocol list, select mTLS.
- Enter the following required information:
Option Description TLS truststore source This option determines which certificates are used to authenticate the server when WinCollect initiates a TLS connection. See Configuring a TLS destination by using the Windows certificate stores for steps to configure this setting. Hostname validation Select whether the client verifies that the server’s hostname matches either the Common Name or Subject Alternative Names in the incoming server certificate before a connection is made.Important: It is recommended to leave this option enabled to ensure that the provided certificate belongs to the server. Disabling it enables the client to accept incoming certificates that do not belong to the server.
- Select a Client Certificate Source. This option determines which type of certificate is used to configure the mTLS connection. Your selection determines which fields are required.
- Select Certificate and key to use a client certificate file, an
encrypted private key file, and a passphrase. The following fields are required for this
mTLS client certificate Use an "@" followed by the file path to a PEM format file. The file must contain one or more certificates to use for client authentication when WinCollect initiates a TLS connection to the server. You can use a single certificate or a chain of certificates. mTLS client private key
Use an "@" followed by the file path to a PEM format file. The file must contain the private key that is used to generate the client certificate.
You must use an RSA or ECC key that is encrypted with a passphrase.
mTLS passphrase Enter the passphrase used to encrypt the mTLS client private key.
- Select PKCS#12 file to use a PKCS#12 (PFX) format file that
contains a certificate and private key. You must also provide the passphrase to decrypt the PKCS#12
mTLS client certificate and key pair Use an "@" followed by the file path to a PKCS#12 (PFX) format file. The file must contain the certificate to use for client authentication when WinCollect initiates a TLS connection to the server, and the associated private key. You can use a single certificate or a chain of certificates.Note: Only one pair of private key and associated certificate can be contained in the file. If multiple pairs are present, only the first pair that is found is used. If more certificates are contained in the file, they are included as a certificate chain. mTLS passphrase Enter the passphrase used to encrypt the PKCS#12 file. Because the PKCS#12 file must be encrypted with a passphrase, this field is required.
- Select Windows certificate store to use a certificate and
associated private key that is installed in a Windows
certificate store on the local machine. The certificate must have a corresponding private key that
is installed with it (for example, by installing it as a .p12 file), and the
private key must be set as Exportable when you install it.
mTLS client certificate store This is the certificate store to search for the client certificate in. This certificate store must be available to the local machine. Any stores available only to a certain user are not checked.Note: The certificate store name that is shown in the Windows certificate management console might be an alias for the real certificate store name. You can generally find the real certificate store names by using PowerShell (
mTLS client certificate thumbprint This is the thumbprint, or
SHA1hash of the certificate to be used. You can find this value in the Details of your certificate in the Windows certificate management console.
- Select Certificate and key to use a client certificate file, an encrypted private key file, and a passphrase. The following fields are required for this option.
- Click Save. The WinCollect agent attempts to connect to the destination by using TLS with mutual authentication.Note: To ensure that client certificates provided for connecting with mTLS are valid, a message is logged when a client certificate is expiring soon. This check is performed when a Destination first connects and is logged as an
INFOmessage. Also, a
WARNmessage is logged daily for each client certificate that is expiring soon. You can configure the amount of time that is left until a certificate expires that triggers these warnings by updating the Certificate expiry warning threshold parameter in the Advanced UI. The default threshold is 30 days.