Hello WinCollect Users!

We have some exciting news today.

WinCollect 10.1.1 introduced support for mTLS. The next release, WinCollect 10.1.2, adds support for using the Windows Certificate Store as the default TLS trust store.

The bottom line for our users is that they no longer need to manually provide the location or contents of a server certificate to the agent for mutual authentication to work with TLS, as long as the needed root server certificate is installed on the Windows endpoint machine.

Since certificates in general are a complex topic, here are a couple of real-world use cases that most of our users will likely encounter in the field:

  1. The TLS server you’re sending to has a certificate issued by an internal CA in your organization. As long as the endpoint running WinCollect has this certificate installed (directly, pushed via Group Policy, etc.), secure communication will be established by simply choosing this new option.
  2. Your TLS server has a certificate purchased from or issued by a known CA (DigiCert, Verisign, Let's Encrypt, etc.). These root certificates are the basis of day-to-day SSL communication on the Internet and are included by default in Windows and updated on a regular basis, so choosing this new option will establish certificate trust with those as well, without any additional steps required.

In short, as long as the required certificates are installed, users can simply select this newly added option and fill in the additional required fields when setting up a destination using mTLS in the WinCollect UI. More info on the new field changes here.

We hope that all our users are as excited about this new feature as the team is. This is a game changer when it comes to the usability and ease of setting up multiple standalone agents with mTLS, as certificates can be bulk installed across multiple boxes in a deployment. If the agent was already on an older version of WinCollect 10, then a simple upgrade script to change the trust store source is all that is needed. See below:

To generate your new mTLS private key passphrase, please see our other blog here; the steps are outlined in the first portion of the post.

The WinCollect team is especially proud of this new feature and how it simplifies a complicated and often misunderstood topic like establishing trust with certificates. It even has the added benefit of taking out all of the guesswork (and opening of support cases) involved in figuring out whether a required certificate has already been installed, since they are all stored in the Windows certificate manager and can easily be confirmed.
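
One way to run that confirmation on an endpoint, as an added example (not WinCollect's own code or script): the PowerShell function below builds the chain for an exported copy of the TLS server's certificate against the Windows Certificate Store and reports the root it ends at. The function name and file path are placeholders, and the use of the machine-wide store (`LocalMachine`) is an assumption, since the post does not say which store the agent reads.

```powershell
# Added example: does this server certificate chain to a root that the
# Windows Certificate Store on this endpoint already trusts?
# Assumption: the machine-wide store (LocalMachine) is the relevant one.
function Test-ServerCertTrust {
    param(
        # Exported copy of the TLS server certificate (.cer / .crt / .pem)
        [Parameter(Mandatory)] [string] $CertificatePath
    )

    $x509  = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertificatePath).Path
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true   # $true = machine context

    # Keep the check offline: do not fetch CRL/OCSP data while building the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($cert)

    # The last chain element is the root the chain ends at (or the leaf itself
    # when no issuer could be found in the store).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $topInRootStore = Test-Path -Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)

    [pscustomobject]@{
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        ChainTrusted        = $trusted
        ChainLength         = $chain.ChainElements.Count
        TopOfChainSubject   = $top.Subject
        TopOfChainThumb     = $top.Thumbprint
        TopInLocalMachineCA = $topInRootStore
        # Empty when the chain is clean; otherwise e.g. UntrustedRoot, PartialChain, NotTimeValid
        ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (placeholder path):
# Test-ServerCertTrust -CertificatePath 'C:\temp\tls-server.cer'
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` means the required root or intermediate certificate still needs to be installed on that endpoint.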

We also truly believe that this is the best option security-wise, so moving forward it will be the default option for new destinations opting to use the mTLS protocol.

Let us know your thoughts in the comments!
