mTLS support in fleetd

Lucas Rodriguez

The Fleetd Authentication article shows how Fleet's agent, fleetd, authenticates to Fleet and TUF servers.

Additionally, Fleet Premium admins can configure fleetd to use mTLS on top of the existing authentication scheme to further increase the security of agent-to-server communication.

Important: The Fleet server itself does not currently support mTLS. Admins who want to use mTLS on their endpoints must set up a load balancer or TLS terminator that supports mTLS, such as AWS's ELB or nginx, in front of the Fleet server.
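The following nginx configuration is an added example of such a TLS terminator; it is not part of this article or of Fleet's own deployment tooling. It assumes the Fleet server listens on 127.0.0.1:8080 without TLS, that the hostnames fleet.example.com and fleet-desktop.example.com are yours, and that the certificate paths under /etc/nginx/tls/ exist. The first server block enforces a client certificate for everything fleetd connects to; the second serves the Fleet Desktop alternative host without client-certificate verification, which is what the "My device" URL needs.

```nginx
# Added example (not Fleet's own configuration). All paths and hostnames are assumptions.

upstream fleet_backend {
    # Fleet server; assumed to listen on plain HTTP on the loopback interface only.
    server 127.0.0.1:8080;
}

# Endpoint used by orbit, osqueryd and Fleet Desktop: a valid client certificate is mandatory.
server {
    listen 443 ssl;
    server_name fleet.example.com;

    ssl_certificate     /etc/nginx/tls/fleet.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/fleet.example.com.key;

    # CA (or chain) that issued the client certificates deployed to devices.
    ssl_client_certificate /etc/nginx/tls/fleet-client-ca.crt;
    # "on" rejects any handshake that does not present a certificate signed by that CA.
    # "optional" or "off" here would silently turn mTLS back into one-way TLS.
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://fleet_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Alternative host for the Fleet Desktop "My device" URL
# (--fleet-desktop-alternative-browser-host / ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST).
# No client certificate is requested, so an end user's browser can open the page.
server {
    listen 443 ssl;
    server_name fleet-desktop.example.com;

    ssl_certificate     /etc/nginx/tls/fleet-desktop.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/fleet-desktop.example.com.key;

    location / {
        proxy_pass http://fleet_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the second server block proxies to the same backend without mTLS, it reintroduces a non-mTLS path to the Fleet API; restrict it (by network, by the paths Fleet Desktop actually uses, or both) to the minimum your deployment needs, and monitor it separately from the mTLS endpoint.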

Configuration

Admins can either generate the fleetd installer with the client certificate files included, or deploy the client certificate files to devices where fleetd is already installed.

The client certificates must be in PEM format.

Generating fleetd installers with client certificates

When generating the packages, admins can use the following flags to configure the client certificates:

fleetctl package \
  [...]
  # Client certificate to connect to Fleet servers.
  --fleet-tls-client-certificate=/path/to/fleet-client.crt \
  --fleet-tls-client-key=/path/to/fleet-client.key \
  # Client certificates can be provided when connecting to custom TUF servers that require mTLS.
  --update-tls-client-certificate=/path/to/update-client.crt \
  --update-tls-client-key=/path/to/update-client.key \
  --update-url=https://example.tuf.com \
  [...]

When --update-tls-client-certificate and --update-tls-client-key are provided, fleetctl will use them when downloading the fleetd components from the custom TUF server (--update-url).

If you are using fleetd with Fleet Desktop enabled, you may need to specify an alternative host for the "My device" URL (in the Fleet tray icon). That alternative host must not require client certificates on the TLS connection.

fleetctl package \
  [...]
  --fleet-desktop \
  --fleet-desktop-alternative-browser-host=fleet-desktop.example.com \
  [...]

If --fleet-desktop-alternative-browser-host is not used, you will need to configure client TLS certificates on devices' browsers.

Deploying client certificates to devices

Important: Fleet does not currently natively support deploying client certificates to devices. Configuration management tooling such as Chef, Ansible, or Puppet can be used for this purpose.

Once fleetd is installed, admins can force fleetd to use mTLS to communicate with Fleet and custom TUF servers by deploying the client certificates to the devices at the following locations:

  • macOS and Linux:
    • Connection to Fleet servers:
      • /opt/orbit/fleet_client.crt
      • /opt/orbit/fleet_client.key
    • Connection to custom TUF servers:
      • /opt/orbit/update_client.crt
      • /opt/orbit/update_client.key
  • Windows:
    • Connection to Fleet servers:
      • C:\Program Files\Orbit\fleet_client.crt
      • C:\Program Files\Orbit\fleet_client.key
    • Connection to custom TUF servers:
      • C:\Program Files\Orbit\update_client.crt
      • C:\Program Files\Orbit\update_client.key

If you are using fleetd with Fleet Desktop enabled, you may need to specify an alternative host for the "My device" URL (in the Fleet tray icon). That alternative host must not require client certificates on the TLS connection. The ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST environment variable in orbit's configuration can be used to configure the Fleet Desktop alternative host. If ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST is not set, you will need to configure client certificates on devices' browsers.
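The script below is an added example of the deployment step for macOS and Linux; it is not Fleet's tooling and is not from this article. It checks that each file is a PEM block of the expected type (fleetd requires PEM, so a DER-encoded file is rejected before it is written), installs the pair at the /opt/orbit paths listed above, and leaves the private key readable only by its owner. The ORBIT_DIR variable is an assumption added so the script can be exercised against a scratch directory; the file names fleet_client.* and update_client.* are the ones fleetd reads.

```sh
#!/bin/sh
# Added example (not Fleet's own tooling). Installs fleetd client certificate
# files on macOS/Linux after a PEM pre-flight check.
# ORBIT_DIR is a hypothetical override; fleetd itself only reads /opt/orbit.
set -eu

ORBIT_DIR="${ORBIT_DIR:-/opt/orbit}"

# is_pem FILE LABEL: succeed only if FILE is a PEM block of type LABEL
# (for example CERTIFICATE). Binary DER files fail the header check.
is_pem() {
  file="$1"; label="$2"
  [ -s "$file" ] || return 1
  head -n 1 "$file" | grep -q "^-----BEGIN ${label}-----\$" || return 1
  grep -q "^-----END ${label}-----\$" "$file" || return 1
  return 0
}

# is_pem_key FILE: accept PKCS#8, RSA, or EC private keys in PEM.
is_pem_key() {
  is_pem "$1" "PRIVATE KEY" || is_pem "$1" "RSA PRIVATE KEY" || is_pem "$1" "EC PRIVATE KEY"
}

# deploy_client_pair KIND CERT KEY
#   KIND is "fleet" (connection to Fleet servers) or "update" (custom TUF server).
#   Writes KIND_client.crt (0644) and KIND_client.key (0600) under ORBIT_DIR and
#   prints the two installed paths. Refuses to install non-PEM input.
deploy_client_pair() {
  kind="$1"; cert="$2"; key="$3"
  case "$kind" in
    fleet|update) ;;
    *) echo "unknown kind: $kind (expected fleet or update)" >&2; return 2 ;;
  esac
  is_pem "$cert" CERTIFICATE || { echo "$cert is not a PEM certificate" >&2; return 1; }
  is_pem_key "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
  mkdir -p "$ORBIT_DIR"
  install -m 0644 "$cert" "$ORBIT_DIR/${kind}_client.crt"
  install -m 0600 "$key"  "$ORBIT_DIR/${kind}_client.key"
  echo "$ORBIT_DIR/${kind}_client.crt $ORBIT_DIR/${kind}_client.key"
}
```

Usage on a device: `deploy_client_pair fleet /path/to/fleet-client.crt /path/to/fleet-client.key` and, when a custom TUF server requires mTLS, `deploy_client_pair update /path/to/update-client.crt /path/to/update-client.key`; restart orbit afterwards so it picks the files up. The header check only proves the encoding; it does not prove the certificate and key belong together, so keep an `openssl` key-match check in your pipeline if you have it available.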

fleetd components using mTLS

Once configured, fleetd will use the provided client certificates in all components, so that all communication from the endpoints to Fleet and TUF servers uses mTLS.

  • orbit will use the provided client certificates to connect to Fleet servers.
  • orbit will use (if provided) client certificates to connect to custom TUF servers.
  • orbit will configure osqueryd and Fleet desktop to use the provided client certificate to connect to the Fleet server.

If you have suggestions for how to improve mTLS functionality in Fleet, please share them with us in the osquery Slack #fleet channel or open an issue on GitHub.

© 2025 Fleet Inc.