Configuring a mTLS destination

To configure a destination by using mutual TLS authentication (mTLS), select the mTLS protocol from the drop-down list in the add destination wizard.

Procedure

Follow the steps to Adding a destination.
From the Protocol list, select mTLS.

Enter the following required information:

Option	Description
TLS truststore source	This option determines which certificates are used to authenticate the server when WinCollect initiates a TLS connection. See Configuring a TLS destination by using the Windows certificate stores for steps to configure this setting.
Hostname validation	Select whether the client verifies that the server’s hostname matches either the Common Name or Subject Alternative Names in the incoming server certificate before a connection is made. Important: It is recommended to leave this option enabled to ensure that the provided certificate belongs to the server. Disabling it enables the client to accept incoming certificates that do not belong to the server.

Option

Description

TLS truststore source

This option determines which certificates are used to authenticate the server when WinCollect initiates a TLS connection. See Configuring a TLS destination by using the Windows certificate stores for steps to configure this setting.

Hostname validation

Select whether the client verifies that the server’s hostname matches either the Common Name or Subject Alternative Names in the incoming server certificate before a connection is made.

Important: It is recommended to leave this option enabled to ensure that the provided certificate belongs to the server. Disabling it enables the client to accept incoming certificates that do not belong to the server.

Select a Client Certificate Source.

This option determines which type of certificate is used to configure the mTLS connection. Your selection determines which fields are required.

Select Certificate and key to use a client certificate file, an encrypted private key file, and a passphrase. The following fields are required for this option.

mTLS client certificate	Use an "@" followed by the file path to a PEM format file. The file must contain one or more certificates to use for client authentication when WinCollect initiates a TLS connection to the server. You can use a single certificate or a chain of certificates.
mTLS client private key	Use an "@" followed by the file path to a PEM format file. The file must contain the private key that is used to generate the client certificate. You must use an RSA or ECC key that is encrypted with a passphrase.
mTLS passphrase	Enter the passphrase used to encrypt the mTLS client private key.

mTLS client certificate

Use an "@" followed by the file path to a PEM format file. The file must contain one or more certificates to use for client authentication when WinCollect initiates a TLS connection to the server. You can use a single certificate or a chain of certificates.

mTLS client private key

Use an "@" followed by the file path to a PEM format file. The file must contain the private key that is used to generate the client certificate.

You must use an RSA or ECC key that is encrypted with a passphrase.

mTLS passphrase

Enter the passphrase used to encrypt the mTLS client private key.

Select PKCS#12 file to use a PKCS#12 (PFX) format file that contains a certificate and private key. You must also provide the passphrase to decrypt the PKCS#12 file.

mTLS client certificate and key pair	Use an "@" followed by the file path to a PKCS#12 (PFX) format file. The file must contain the certificate to use for client authentication when WinCollect initiates a TLS connection to the server, and the associated private key. You can use a single certificate or a chain of certificates. Note: Only one pair of private key and associated certificate can be contained in the file. If multiple pairs are present, only the first pair that is found is used. If more certificates are contained in the file, they are included as a certificate chain.
mTLS passphrase	Enter the passphrase used to encrypt the PKCS#12 file. Because the PKCS#12 file must be encrypted with a passphrase, this field is required.

mTLS client certificate and key pair

Use an "@" followed by the file path to a PKCS#12 (PFX) format file. The file must contain the certificate to use for client authentication when WinCollect initiates a TLS connection to the server, and the associated private key. You can use a single certificate or a chain of certificates.

Note: Only one pair of private key and associated certificate can be contained in the file. If multiple pairs are present, only the first pair that is found is used. If more certificates are contained in the file, they are included as a certificate chain.

mTLS passphrase

Enter the passphrase used to encrypt the PKCS#12 file. Because the PKCS#12 file must be encrypted with a passphrase, this field is required.

Select Windows certificate store to use a certificate and associated private key that is installed in a Windows certificate store on the local machine. The certificate must have a corresponding private key that is installed with it (for example, by installing it as a .p12 file), and the private key must be set as Exportable when you install it.

mTLS client certificate store	This is the certificate store to search for the client certificate in. This certificate store must be available to the local machine. Any stores available only to a certain user are not checked. Note: The certificate store name that is shown in the Windows certificate management console might be an alias for the real certificate store name. You can generally find the real certificate store names by using PowerShell (`ls Cert:\LocalMachine\`).
mTLS client certificate identifier	The method the client certificate will be identified in the Windows certificate store. The options are either friendly name or thumbprint. The friendly name option is the default.
mTLS client certificate friendly name	The value set as the friendly name on the certificate in the Windows certificate store.
mTLS client certificate thumbprint	This is the thumbprint, or `SHA1` hash of the certificate to be used. You can find this value in the Details of your certificate in the Windows certificate management console.

Click Save.
The WinCollect agent attempts to connect to the destination by using TLS with mutual authentication.
Note: To ensure that client certificates provided for connecting with mTLS are valid, a message is logged when a client certificate is expiring soon. This check is performed when a Destination first connects and is logged as an INFO message. Also, a WARN message is logged daily for each client certificate that is expiring soon. You can configure the amount of time that is left until a certificate expires that triggers these warnings by updating the Certificate expiry warning threshold parameter in the Advanced UI. The default threshold is 30 days.