After upgrading agents to 9.3, we have noticed a certificate being placed in the personal store on each computer that is updated. Each certificate is issued by "01fb63f3-6706-449d-adcc-1be752db2378" and is valid for 100 years.
I was unable to find any information about this and do not see any threads covering this. Has anyone else noticed this or have any idea why?
I can see these certs also. In fact, I have two. I'm guessing it's something involving the new LiveConnect?
With the introduction of the new endpoint fabric in v9.3 we also introduced a new public key infrastructure (PKI) that offers both encryption and digital signatures of the payload between the VSA and the endpoint fabric. When the endpoint first registers itself, the VSA will issue a device certificate to that machine so that only that agent can communicate with the VSA as that device's identity.
On the VSA itself there will indeed be two certs. The first is the parent VSA root certificate, which you can identify because the cert has both the subject and the issuer set to the same GUID. That GUID is the internal system VSA GUID. You will also see a second certificate which has the issuer of the VSA GUID, but with the subject of the agent GUID. That cert is for the endpoint on the VSA.
All agents will have a single device certificate, matching the same behavior as the endpoint cert on the VSA (obviously with its own agent GUID, of course).
Why are we now using digital certificates? It allows us to offer mutual authentication so both the VSA and the endpoint fabric can trust each other. It also allows us to encrypt and digitally sign the payload of information so that only the intended recipient can access the data. Why so much extra security? We have seen field deployments where VSA administrators are NOT using a transport security layer like SSL. Even though it's our best practice, we can't demand that our customers lock down their VSA. So as we threat modeled the type of sensitive information that is now flowing through the endpoint fabric meshed network, we decided to defend the data using industry standard crypto with certificates.
You could argue that a 100 year certificate is impractical and just downright silly. I couldn't argue with that. However, since certificate revocation of our own PKI is built into the VSA using much of our automation platform, it doesn't really matter.
The certs are used for many things: both AuthN and AuthZ operations, from LiveConnect to edge proxy detection and validation. As we continue to move forward with new capabilities, more will flow through the endpoint fabric and automatically gain the security benefits of the encryption and digital signatures.
Hope this helps explain what they are there for. Leave them alone. If you revoke or delete the certs, your endpoints won't be trusted and you won't benefit from the secure pipe between your agents and servers.
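As an added example (not Kaseya's code, and not from any poster above), the PowerShell below inventories the local machine Personal store and classifies each GUID-issued cert the way the post describes: subject GUID equal to issuer GUID means the VSA root, a different subject GUID means an agent device cert. It assumes the GUID appears inside the Subject/Issuer distinguished names (the exact DN layout is an assumption) and, if you pass your own VSA GUID, it flags any GUID-issued cert whose issuer does not match, which is a useful check to feed into monitoring rather than a reason to delete anything.

```powershell
# Added example, not Kaseya's code. Classifies VSA/agent certificates in the
# Personal store by comparing the GUIDs in Issuer and Subject, as the post explains.
# Assumption: each DN contains the GUID as plain text (e.g. "CN=<guid>").
$guidRegex = '([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'

function Get-VsaCertificateInventory {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Optional: the VSA's own system GUID, if you know it (placeholder by default).
        [string]$ExpectedVsaGuid = $null
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        if ($cert.Issuer -match $guidRegex) {
            $issuerGuid  = $Matches[1]
            $subjectGuid = if ($cert.Subject -match $guidRegex) { $Matches[1] } else { $null }

            # Root: subject == issuer. Device cert: issuer is the VSA GUID, subject is the agent GUID.
            $role = if ($subjectGuid -and $subjectGuid -ieq $issuerGuid) { 'VSA root (self-issued)' }
                    elseif ($subjectGuid) { 'Agent device cert' }
                    else { 'GUID-issued, subject not a GUID' }

            # A GUID-issued cert from an unexpected issuer is worth an alert, not a deletion.
            $issuerOk = if ($ExpectedVsaGuid) { $issuerGuid -ieq $ExpectedVsaGuid } else { 'not checked' }

            [pscustomobject]@{
                Role         = $role
                IssuerGuid   = $issuerGuid
                SubjectGuid  = $subjectGuid
                IssuerMatch  = $issuerOk
                Thumbprint   = $cert.Thumbprint
                NotBefore    = $cert.NotBefore
                NotAfter     = $cert.NotAfter
                LifetimeYrs  = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
                HasPrivKey   = $cert.HasPrivateKey
            }
        }
    }
}

# Run with the placeholder replaced by your VSA's GUID to flag unexpected issuers.
Get-VsaCertificateInventory -ExpectedVsaGuid '00000000-0000-0000-0000-000000000000' |
    Format-Table -AutoSize
```

Run it as an administrator on an agent to see the single device cert, and on the VSA itself to see both the self-issued root and the VSA's own endpoint cert.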
Thank you for this information Dana!