Evaluate Root Certificates on User Machines

Written by Cassa Niedringhaus on June 28, 2020

Share This Article

System telemetry can help you to assess user machine health, identify potential vulnerabilities, evaluate root certificates, and act accordingly. In this post, we’ll examine why you should audit root certificates and how to undertake a comprehensive fleet audit from the cloud.

Why Audit Root Certificates

A root certificate is issued by a root certificate authority (CA), and subsequent certificates inherit trust from it. Although Microsoft® and Apple® both operate initiatives to identify trusted root certificates, risky or malicious certificates can still be installed on your users’ machines.

RSA FirstWatch identified, for example, that the driver packages of certain audio streaming controllers silently installed root certificates on the target machines — and those root certificates could be used to generate an unlimited number of additional signed certificates. Hackers can then use the ability to install root certificates and install their own malicious certificates, and systems and applications trust certificates installed in the root. 

They can then use those malicious certificates to intercept communications, bypass code signing, or take other actions. Hackers can also purchase valid certificates to sign malware. Certificate authorities seek to revoke malicious certificates, but you will likely still need tools to monitor your fleet for certificates that haven’t yet been revoked and other anomalies. 

How to View Installed Root Certificates: macOS & Windows

Ideally, you can achieve heterogeneous system management and monitoring from one platform — both for the sake of your budget and to gain centralized control. That’s why JumpCloud® has built a premium telemetry feature, System Insights™, to report on all managed systems in an organization’s directory, whether they’re macOS®, Windows®, or Linux® machines.

With Directory-as-a-Service®, you can manage, configure, and monitor your systems from a web-based Admin Portal, including generating reports about each macOS and Windows machine’s installed certificates. In JumpCloud’s Admin Portal GUI, you can select a system and view or export to a CSV a list of all the certificates installed in Keychains or CA bundles, as well as their expiration dates. 

You can pull more detailed information about certificates from the API endpoint — /systeminsights/certificates. You can use various attributes, such as the CA and whether a certificate is self-signed, to begin to sort through certificates. The certificate’s serial number can be another helpful data point. 

Want to see System Insights in action? Here’s a two-minute demo:

Other Available System Data Points

With System Insights enabled, you can pull countless other hardware, software, and network data points from the GUI and the API for machines in your fleet. This information can help you increase security, troubleshoot, and compile necessary compliance audit logs. Other system data points include: 

  • OS version & installed patches
  • Installed applications & browser extensions
  • Memory, storage, & CPU
  • Network connections

Learn More About Cross-Platform System Telemetry 

Interested in learning more about System Insights? Read our case study with PayWith, a mobile application development firm, to learn more about using System Insights to track user machines. You can also give System Insights a try today — your first 10 users and systems are free forever. 

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.

Continue Learning with our Newsletter