Hi. I'm using WARP 2023.9.107.1 for Windows 10 and I'm facing a very interesting issue:
The Device Posture check fails to find an installed root certificate and therefore the check fails itself. Any ideas?
Also, it seems it's looking for the root certificate thumbprint instead of the leaf certificate I've configured in the Device Posture check in Zero Trust.
Logs
2023-10-30T02:17:15.210Z DEBUG main_loop: warp::warp_service::ipc_handlers: Ipc request: 89b203cf-0698-410a-975f-7d3a99f60960; GetAppSettings
2023-10-30T02:17:15.326Z DEBUG get identity: cert_manager::cert_store::windows: Successfully changed security context
2023-10-30T02:17:15.327Z DEBUG device_posture: No matching CN found cn="James Royal"
2023-10-30T02:17:15.327Z DEBUG warp::warp_service::api_handlers: Sending posture check results
2023-10-30T02:17:15.327Z DEBUG warp::warp_api::registration: patch_posture_rules: {"5c56c9a7-c079-4de7-b1c1-c69928b5254c":{"timestamp":"2023-10-30T02:17:15.327745Z","check":{"type":"client_certificate","certificate_id":"742d1f23-881f-4131-b616-388ac3bec566","exists":false}}}
Hello Imar,
I was having the same problem as you. I managed to solve it as follows:
1 - I created the CA certificate and its key:
openssl req -x509 -newkey rsa:4096 -sha256 -keyout privateKey.key -out certificate.crt -days 3650 -subj "/CN=<your_environment>" -nodes
2 - I created a .pfx with certificate and generated key.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
3 - I performed the certificate import procedure as mentioned in the Cloudflare documentation.
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/mtls_certificates" \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "example_ca_cert",
    "certificates": "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN PRIVATE KEY-----\nXXXXX\n-----END PRIVATE KEY-----",
    "ca": true
  }'
5 - When installing the certificate on my machine (Windows 11), I marked it as “Current User” and allowed it to be installed in the repository automatically. So the certificate remained as a user certificate in the Personal folder → Certificates.
With this, the posture began to be validated correctly.
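For triaging the log format shown in the first post, here is an added example (not from either poster and not Cloudflare's code): a Python parser that pulls every `client_certificate` posture result reported with `exists: false` out of a WARP log and pairs it with the CNs the client said it could not match. The function name and the pairing of "No matching CN" lines with the next `patch_posture_rules` line are assumptions; the sample lines are the ones from the post with quotes normalised.

```python
import json
import re

# Log lines copied from the first post (typographic quotes normalised to ASCII).
SAMPLE_LOG = """\
2023-10-30T02:17:15.326Z DEBUG get identity: cert_manager::cert_store::windows: Successfully changed security context
2023-10-30T02:17:15.327Z DEBUG device_posture: No matching CN found cn="James Royal"
2023-10-30T02:17:15.327Z DEBUG warp::warp_service::api_handlers: Sending posture check results
2023-10-30T02:17:15.327Z DEBUG warp::warp_api::registration: patch_posture_rules: {"5c56c9a7-c079-4de7-b1c1-c69928b5254c":{"timestamp":"2023-10-30T02:17:15.327745Z","check":{"type":"client_certificate","certificate_id":"742d1f23-881f-4131-b616-388ac3bec566","exists":false}}}
"""

QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
CN_MISS = re.compile(r'device_posture: No matching CN found cn="([^"]*)"')
RULES = re.compile(r"patch_posture_rules: (\{.*\})\s*$")


def failed_cert_checks(log_text):
    """Return one dict per client_certificate check reported with exists=false.

    Assumption: "No matching CN" lines belong to the next patch_posture_rules
    report that follows them in the log.
    """
    missing_cns, failures = [], []
    for raw in log_text.splitlines():
        line = raw.translate(QUOTES)  # logs pasted through a forum carry curly quotes
        m = CN_MISS.search(line)
        if m:
            missing_cns.append(m.group(1))
            continue
        m = RULES.search(line)
        if not m:
            continue
        try:
            rules = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # truncated log line: skip rather than guess
        for rule_id, body in rules.items():
            check = body.get("check", {})
            if check.get("type") == "client_certificate" and not check.get("exists"):
                failures.append({
                    "rule_id": rule_id,
                    "certificate_id": check.get("certificate_id"),
                    "timestamp": body.get("timestamp"),
                    "unmatched_cns": list(missing_cns),
                })
        missing_cns.clear()
    return failures


if __name__ == "__main__":
    for failure in failed_cert_checks(SAMPLE_LOG):
        print(failure)
```

The `certificate_id` in each result is the value to compare against the certificate selected in the posture rule, and `unmatched_cns` is the subject name to look for in the Windows certificate store.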