62524: Acronis Backup 12.5: Certificate check during installation


Description

Starting from Update 4 (Build 12730) all communication during a device registration is done via HTTPS. It works out of the box and cannot be disabled.

By default, the traffic is encrypted using a self-signed certificate on the Management Server. The certificate is not validated, so the agent cannot confirm that the Management Server it is registering with is genuine rather than a spoofed management server that could be used to control your agent. However, this setup is fine for the majority of environments that exist in a local network.

Certificate verification can be enforced during unattended installation in Windows and in Linux by specifying the parameters below for the installation. These mutually exclusive parameters define how the management server certificate is checked during registration. Check the certificate if you want to verify the authenticity of the management server to prevent MITM attacks.

If the value is 1, the verification uses the system CA or the CA bundle delivered with the product, or the pinned public key if it is specified. If the value is 0 or the parameters are not specified, certificate verification is not performed, but the registration traffic remains encrypted.

REGISTRATION_CA_SYSTEM={0,1}|REGISTRATION_CA_BUNDLE={0,1}|REGISTRATION_PINNED_PUBLIC_KEY={public key value}

  • If you have replaced the default certificate with a signed one, use the REGISTRATION_CA_SYSTEM={0,1} parameter.
  • If you do not have a CA-signed key but need to verify the authenticity of the Management Server, use the REGISTRATION_PINNED_PUBLIC_KEY={public key value} parameter. Verification will use the specified public key.
  • If you have a valid certificate but verification with REGISTRATION_CA_SYSTEM does not work, most likely the CA used on the Management Server is too new to be verified by older agents such as Windows XP. In this case, use the REGISTRATION_CA_BUNDLE={0,1} parameter.
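
An added example, not Acronis code: a pre-deployment check that reads unattended-install command lines and reports whether registration will authenticate the Management Server or only encrypt the traffic. Only the three parameter names come from this article; the `installer` command name, the sample lines, and the decision to treat any two of the parameters together as an error are assumptions.

```python
import shlex

# The three parameter names come from the article; the rest is illustrative.
FLAGS = ("REGISTRATION_CA_SYSTEM", "REGISTRATION_CA_BUNDLE")
PIN = "REGISTRATION_PINNED_PUBLIC_KEY"


def audit_registration(command_line):
    """Classify one unattended-install command line.

    Returns (verdict, detail); verdict is 'verified', 'unverified' or 'invalid'.
    """
    params = {}
    # shlex handles quoted values; POSIX rules, so backslashes must be quoted.
    for token in shlex.split(command_line):
        key, sep, value = token.partition("=")
        if sep and (key in FLAGS or key == PIN):
            if key in params:
                return ("invalid", f"{key} is given more than once")
            params[key] = value
    for key in FLAGS:
        if key in params and params[key] not in ("0", "1"):
            return ("invalid", f"{key} must be 0 or 1")
    if PIN in params and not params[PIN]:
        return ("invalid", f"{PIN} has no key value")
    # Assumption: any two of the parameters together is a mistake, even if one is 0.
    if len(params) > 1:
        return ("invalid", "mutually exclusive: " + ", ".join(sorted(params)))
    if not params:
        return ("unverified", "no check parameter: encrypted but not authenticated")
    key, value = next(iter(params.items()))
    if key in FLAGS and value == "0":
        return ("unverified", f"{key}=0: encrypted but not authenticated")
    return ("verified", key)


# Constructed sample lines; "installer" stands in for the real setup command.
SAMPLES = [
    "installer --quiet",
    "installer --quiet REGISTRATION_CA_SYSTEM=1",
    "installer REGISTRATION_CA_BUNDLE=0",
    "installer REGISTRATION_PINNED_PUBLIC_KEY=EXAMPLE_KEY_VALUE",
    "installer REGISTRATION_CA_SYSTEM=1 REGISTRATION_PINNED_PUBLIC_KEY=EXAMPLE_KEY_VALUE",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_registration(line), "<-", line)
```

Running it over the deployment scripts for a fleet shows which hosts would register without authenticating the Management Server.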

 
