MED-V v1: How to Configure MED-V Client-Side SSL
For MED-V v1, client-side TLS/SSL security is an optional configuration that can be set to ensure only legitimate clients connect to the server. This takes security one step further than the traditional server-based TLS/SSL, in which only the server presents a certificate.
To configure client-side SSL on the server:
1.) Verify SSL is enabled on the server (refer to Configuring Server Settings (on page 15)).
2.) Verify that the CA that issued the client certificate is in the Trusted Root Certificate Authorities of the Local Computer certificate store of the server.
3.) In the ServerSettings.xml file (located in the server installation\Servers directory), configure the following:
Set <RequireClientCertificate> to true.
4.) If you would like to verify the certificate thumbprint on the client:
In the <ClientCertificateThumbprint> tag, add the thumbprint so that the server will only accept client certificates with the specified thumbprint and a valid certificate chain. If the line is missing or blank, the server will accept all client certificates whose chain is valid.
Note: Verifying the certificate thumbprint on the client is only relevant if the administrator distributes one certificate to all clients.
5.) Restart the MED-V Servers service.
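The following PowerShell script is an added example, not part of the MED-V documentation or product, that carries out server-side steps 2 to 5 above on the MED-V server. It assumes that ServerSettings.xml contains the <RequireClientCertificate> and <ClientCertificateThumbprint> elements named on this page without an XML namespace (their position under the root element is not documented here, so they are located by name and created under the root if absent), that the CA is identified by its SHA-1 thumbprint, and that the service can be addressed by the display name "MED-V Servers". The path parameter is a placeholder for the real server installation\Servers directory. Run it from an elevated prompt.

```powershell
# Added example (not MED-V's own code). Assumptions are stated in the comments.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerSettingsPath,        # placeholder: "<server installation>\Servers\ServerSettings.xml"
    [Parameter(Mandatory = $true)]
    [string]$CaThumbprint,              # SHA-1 thumbprint of the CA that issued the client certificates
    [string]$ClientCertThumbprint = ''  # blank = accept any client certificate with a valid chain (step 4)
)

# Thumbprints pasted from the certificate dialog usually carry spaces and can
# carry a hidden left-to-right mark; keep only the hex digits, upper-cased.
function ConvertTo-CleanThumbprint([string]$Value) {
    return (($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

$CaThumbprint         = ConvertTo-CleanThumbprint $CaThumbprint
$ClientCertThumbprint = ConvertTo-CleanThumbprint $ClientCertThumbprint

# Step 2: the issuing CA must be in the Local Computer Trusted Root store,
# otherwise every client chain fails validation and no client can connect.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
      Where-Object { $_.Thumbprint -eq $CaThumbprint } | Select-Object -First 1
if (-not $ca) {
    throw "CA $CaThumbprint is not in Cert:\LocalMachine\Root; import it before enabling client certificates."
}
if ($ca.NotAfter -lt (Get-Date)) {
    Write-Warning "CA certificate '$($ca.Subject)' expired on $($ca.NotAfter); client chains will not validate."
}

# Locate a setting element by name, creating it under the root when missing
# (assumes no XML namespace, so the plain XPath '//Name' matches).
function Set-SettingValue([xml]$Doc, [string]$Name, [string]$Value) {
    $node = $Doc.SelectSingleNode("//$Name")
    if ($null -eq $node) {
        $node = $Doc.CreateElement($Name)
        [void]$Doc.DocumentElement.AppendChild($node)
    }
    $node.InnerText = $Value
}

# Steps 3 and 4: back up ServerSettings.xml, then require client certificates
# and (optionally) pin the accepted client thumbprint.
Copy-Item -Path $ServerSettingsPath -Destination "$ServerSettingsPath.bak" -Force
[xml]$settings = Get-Content -Path $ServerSettingsPath
Set-SettingValue $settings 'RequireClientCertificate'    'true'
Set-SettingValue $settings 'ClientCertificateThumbprint' $ClientCertThumbprint
# XmlDocument.Save resolves relative paths against the process directory,
# not the PowerShell location, so pass an absolute path.
$settings.Save((Resolve-Path -Path $ServerSettingsPath).Path)

if ($ClientCertThumbprint -eq '') {
    Write-Warning 'No thumbprint pinned: any client certificate with a valid chain will be accepted.'
}

# Step 5: restart the service so the new settings take effect.
Restart-Service -DisplayName 'MED-V Servers'
```

The warning at the end reflects the behaviour described in step 4: with the thumbprint blank, the server trusts every certificate the CA has issued, so pinning is only worth enabling when one certificate is distributed to all clients, as the note above states.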
To configure client-side SSL on the client:
1.) Create a client certificate from the trusted CA and install it in the client’s Local Computer certificate store (refer to Configuring a Certificate for details).
2.) Verify that the CA that issued the client certificate is in the Trusted Root Certificate Authorities of the Local Computer certificate store of the client.
3.) In the ProfileInfo.xml file (located in the MED-V Client Installation\Management\Profile directory), copy and paste the thumbprint into the <ClientCertificateThumbprint> tag.
Note: Once the server side XML has been configured with the certificate attribute, this attribute is automatically added to the client side XML when creating a MED-V package.
Note: It is recommended to provide access permissions to the client certificate for Everyone.
On XP – use the WinHttpCertCfg.exe tool, which can be downloaded from Microsoft at http://msdn2.microsoft.com/en-us/library/aa384088.aspx.
On Vista or Windows 7 – use the MMC utility.
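The following PowerShell script is an added example, not part of the MED-V documentation or product, that performs the client-side steps 1 to 3 and the permission note above on a MED-V client. It assumes the client certificate has already been installed with its private key in Cert:\LocalMachine\My and is identified by its thumbprint, that ProfileInfo.xml carries the <ClientCertificateThumbprint> element without an XML namespace, that WinHttpCertCfg.exe is on the PATH on XP, and that icacls.exe is present on Vista and Windows 7 (where it does what the MMC permissions dialog does). The path parameter is a placeholder for the real MED-V client installation\Management\Profile directory. Run it from an elevated prompt, since reading the private key container requires it.

```powershell
# Added example (not MED-V's own code). Assumptions are stated in the comments.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProfileInfoPath,        # placeholder: "<MED-V client installation>\Management\Profile\ProfileInfo.xml"
    [Parameter(Mandatory = $true)]
    [string]$ClientCertThumbprint,   # thumbprint of the client certificate issued by the trusted CA
    [string]$Principal = 'Everyone'  # the note above recommends Everyone; a narrower account can be passed
)

# Keep only the hex digits (pasted thumbprints carry spaces and hidden marks).
$thumb = ($ClientCertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Step 1: find the installed client certificate and confirm it has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert)               { throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; re-import it with the key." }

# Step 2: the issuing CA must be in the client's Local Computer Trusted Root store.
$issuer = Get-ChildItem -Path Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
if (-not $issuer) { throw "Issuer '$($cert.Issuer)' is not in Cert:\LocalMachine\Root." }

# Step 3: copy the thumbprint into ProfileInfo.xml (backing the file up first).
Copy-Item -Path $ProfileInfoPath -Destination "$ProfileInfoPath.bak" -Force
[xml]$profile = Get-Content -Path $ProfileInfoPath
$node = $profile.SelectSingleNode('//ClientCertificateThumbprint')   # assumes no XML namespace
if ($null -eq $node) {
    $node = $profile.CreateElement('ClientCertificateThumbprint')
    [void]$profile.DocumentElement.AppendChild($node)
}
$node.InnerText = $thumb
$profile.Save((Resolve-Path -Path $ProfileInfoPath).Path)   # absolute path for XmlDocument.Save

# Permission note: give the principal read access to the certificate's private key.
if ([Environment]::OSVersion.Version.Major -lt 6) {
    # Windows XP: WinHttpCertCfg grants key access by (a substring of) the subject name.
    $subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    & winhttpcertcfg.exe -g -c LOCAL_MACHINE\MY -s $subjectCn -a $Principal
} else {
    # Vista / Windows 7: the CSP key file lives under MachineKeys; grant read on that file.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { throw 'Could not read the key container name (run elevated; CNG keys are not handled here).' }
    $keyFile = Join-Path -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" -ChildPath $container
    & icacls.exe $keyFile /grant "${Principal}:R"
}
```

The two OS branches mirror the note above: WinHttpCertCfg.exe on XP, and on Vista or Windows 7 the same read permission that the MMC "Manage Private Keys" dialog sets, applied to the key file directly. Read access is all the MED-V client needs to present the certificate; granting full control is not required.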