Activating the verification of the SSL / TLS certificate

Attention

For simplicity, it is better to run these steps before launching the WAPT console for the first time.

The WAPT agent checks the HTTPS certificate of the WAPT Server according to the verify_cert value in the [global] section of C:\Program Files (x86)\wapt\wapt-get.ini.

Options for verify_cert

  • verify_cert = 0: the WAPT agent does not check the WAPT Server HTTPS certificate at all (the connection can be intercepted; not recommended);
  • verify_cert = 1: the WAPT agent checks the WAPT Server HTTPS certificate against the public Certificate Authority bundle shipped with the Python certifi module, C:\Program Files (x86)\wapt\lib\site-packages\certifi\cacert.pem;
  • verify_cert = C:\Program Files (x86)\wapt\ssl\srvwapt.mydomain.lan.crt: the WAPT agent checks the WAPT Server HTTPS certificate against that bundle only (certificate pinning).

Hint

Even when using a commercially issued certificate, it is advised to use the pinning method for more security.

Two methods are available for verifying the SSL/TLS certificate:

  • by default (verify_cert = 1), with the certificate bundle contained in the standard Python certifi module;
  • by specifying a restricted bundle, which is downloaded and activated with the command wapt-get enable-check-certificate (certificate pinning).

Pinning the certificate

Certificate pinning consists of verifying the SSL/TLS certificate against a well defined and restricted bundle, instead of relying on the large set of Certificate Authorities contained in a general-purpose bundle such as certifi or in the certificate store provided by default with Windows or with your Linux distribution.

Hint

This method is useful even when using a certificate issued by a Trusted Authority.

By specifying a bundle with the enable-check-certificate command, you restrict the list of Certificate Authorities that you trust.

Pinning a certificate issued by a Certificate Authority trusted by the Organization is the best method.

For this, launch the following commands in a Windows cmd.exe shell (with elevated privileges if UAC is active).

If you already have a Windows cmd.exe shell open, close it and open a new one so that the updated environment variables are taken into account:

wapt-get enable-check-certificate
net stop waptservice
net start waptservice

Modify C:\Program Files (x86)\wapt\ssl\srvwapt.mydomain.lan.crt to append the certificate of the Certificate Authority after the server certificate:

-----BEGIN CERTIFICATE-----
MIIFcjCCBFqgAwIBAgIQZvmdd8Fe0dhWbVj+l8GrrDANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G

.......             WAPT server certificate              .......

WYmTeGzHxODu0TPOUwoRJu0v/Q75/HzXt9mqmJLVS5UR3qcas0fXvtYOLkuJ4xe1
5T51oFRQ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk

.......     certificate of the Certificate Authority     .......

PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
-----END CERTIFICATE-----

Validate the certificate setup with the following command:

wapt-get update

Check that the update command completes without error; if in doubt, see Problems when enabling enable-check-certificate.

Note

the command enable-check-certificate downloads the server certificate srvwapt.mydomain.lan.crt into the folder C:\Program Files (x86)\WAPT\ssl;

it then modifies wapt-get.ini to set verify_cert = C:\Program Files (x86)\wapt\ssl\srvwapt.mydomain.lan.crt;

from then on the WAPT agent verifies the server certificate against the pinned bundle only.
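The following script is an added example, not part of the WAPT code base or of this page: it resolves the verify_cert setting of a wapt-get.ini the way the option table above describes it (0, 1, or a pinned bundle path), checks that a pinned bundle holds both the server certificate and its Certificate Authority as the procedure above requires, and builds the corresponding client TLS context. The function names, the sample ini text and the placeholder PEM bodies are constructed for illustration; the resulting context is what a client would use, and pinning fails closed if the bundle file is missing.

```python
"""Resolve a WAPT agent's verify_cert setting and sanity-check a pinned bundle.

Added example (not WAPT's own code). Assumed, for illustration only:
function names, the sample ini text and the placeholder PEM bodies below.
Modes, as in the option table:
  0      -> no verification (CERT_NONE)
  1      -> verify against the Python certifi bundle
  <path> -> verify against that bundle only (certificate pinning)
"""
import configparser
import os
import re
import ssl

# Constructed sample: [global] after enable-check-certificate has rewritten
# verify_cert to point at the downloaded server certificate.
SAMPLE_INI_PINNED = r"""
[global]
wapt_server = https://srvwapt.mydomain.lan
verify_cert = C:\Program Files (x86)\wapt\ssl\srvwapt.mydomain.lan.crt
"""

# Constructed sample bundle: server certificate followed by its CA certificate.
# The bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
placeholder-server-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-ca-certificate-body
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def resolve_verify_cert(ini_text):
    """Return False (mode 0), the certifi bundle path (mode 1) or the pinned path."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    raw = cfg.get("global", "verify_cert", fallback="1").strip()
    if raw in ("0", "false", "False"):
        return False
    if raw in ("1", "true", "True"):
        try:
            import certifi  # bundle shipped with the agent's Python
            return certifi.where()
        except ImportError:
            # fallback: the interpreter's own default CA file, if any
            return ssl.get_default_verify_paths().cafile
    return raw  # an explicit bundle path: pinning


def count_pem_certs(pem_text):
    """Number of PEM certificate blocks in the bundle text."""
    return len(_PEM_BLOCK.findall(pem_text))


def check_pinned_bundle(pem_text):
    """List problems with a pinned bundle; an empty list means it looks complete.

    The procedure expects the server certificate followed by its issuing CA
    certificate, so fewer than two blocks is a red flag (a single self-signed
    certificate is the one legitimate exception).
    """
    issues = []
    n = count_pem_certs(pem_text)
    if n == 0:
        issues.append("no PEM certificate found")
    elif n == 1:
        issues.append("only one certificate: CA certificate not appended?")
    if "PRIVATE KEY" in pem_text:
        issues.append("bundle contains a private key; it must hold only certificates")
    return issues


def make_ssl_context(setting):
    """Build the client SSL context the resolved setting implies.

    Pinning fails closed: a missing bundle raises instead of silently falling
    back to the system trust store.
    """
    if setting is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not setting or not os.path.isfile(setting):
        raise FileNotFoundError("verify_cert bundle not found: %s" % setting)
    # Trust the given bundle only, with hostname verification on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=setting)
    return ctx


if __name__ == "__main__":
    setting = resolve_verify_cert(SAMPLE_INI_PINNED)
    print("verify_cert resolves to:", setting)
    print("bundle issues:", check_pinned_bundle(SAMPLE_BUNDLE) or "none")
    try:
        make_ssl_context(setting)
    except FileNotFoundError as exc:
        print("fail closed:", exc)
```

Run it against a real agent by reading wapt-get.ini and the pinned .crt from disk instead of the constructed samples; a non-empty list from check_pinned_bundle after the procedure above usually means the CA certificate was not appended.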

Attention

If you use the certificate pinning method, remember to back up the /opt/wapt/waptserver/ssl folder on your WAPT Server.

Its contents will have to be restored on the server if you migrate or upgrade your WAPT Server, so that the WAPT agents can continue to establish trusted HTTPS connections; a server presenting a certificate that is not in the pinned bundle is rejected by every pinned agent.

Certificate verification

Verifying the certificate in the WAPT console

When the WAPT console first starts, it reads C:\Program Files (x86)\WAPT\wapt-get.ini and builds its own configuration file, C:\Users\admin\AppData\Local\waptconsole\waptconsole.ini.

That file carries the same verify_cert attribute, which defines how the WAPT console verifies the HTTPS connection with the WAPT Server.

You may now proceed to the next step and start the WAPT console.