This guide shows how to restrict your SafeConsole-managed devices to read-only access on every computer except the ones you trust, using certificates. This feature requires device client software version 4.8.25 or later. A video walkthrough is available; text instructions follow below.



Install OpenSSL on a workstation. We recommend this package for Windows. After installation, copy openssl.exe from the GnuWin32\bin folder and openssl.cnf from the GnuWin32\share folder into a working folder such as your desktop, then open a command prompt.




1. Obtain a CA certificate


If you do not have one, generate one by first creating a private key:

openssl genrsa -out ca.key 2048

  

Then create a new certificate from the key just generated with the following command. Provide your relevant information when asked; the Common Name is what will be shown in SafeConsole.

openssl req -new -x509 -sha256 -config openssl.cnf -days 3650 -key ca.key -out ca.crt

  

2. Generate client certificates using your CA certificate.


Enter these commands one line at a time to generate a new client certificate signed by your CA certificate. Provide all relevant information, such as company name, when asked. It is advisable to use a descriptive subject, such as secret-office-zone.organization.org. The last two lines sign the client certificate and convert it to PKCS#12 format. You will be prompted for a password; this password is needed to install the certificate on the client computer and does not need to be entered each time the certificate is used.

openssl genrsa -out client.key 2048
openssl req -new -sha256 -config openssl.cnf -key client.key -out client.csr
openssl x509 -req -sha256 -days 1826 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -chain -CAfile ca.crt
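As an added example (not part of the original guide), the script below wraps the commands from steps 1 and 2 into functions, gives every client certificate its own serial number instead of the fixed `01`, and checks that each client certificate chains to the CA and that its PKCS#12 bundle opens with the import password. It assumes `openssl` is on PATH in a Linux or macOS shell and that the working directory is writable; the subject names, file names and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the ZoneBuilder CA and client bundles, then verify them.
# Assumes openssl on PATH; all names and passwords here are constructed placeholders.
set -eu

CA_SUBJ="/CN=ZoneBuilder Root CA/O=Example Org"   # constructed; CN is shown in SafeConsole

# make_ca: private key plus self-signed CA certificate (step 1 of the guide)
make_ca() {
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key ca.key -subj "$CA_SUBJ" -out ca.crt
}

# issue_client <name> <serial> <p12-password>: key, CSR, CA-signed cert, PKCS#12 (step 2)
issue_client() {
  name=$1; serial=$2; pass=$3
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$name.key" -subj "/CN=$name/O=Example Org" -out "$name.csr"
  # The guide hardcodes -set_serial 01; a unique serial per client keeps two
  # certificates issued by the same CA from sharing an identifier.
  openssl x509 -req -sha256 -days 1826 -in "$name.csr" -CA ca.crt -CAkey ca.key \
    -set_serial "$serial" -out "$name.crt" 2>/dev/null
  # Bundle key + certificate + CA chain; the password protects the import.
  openssl pkcs12 -export -out "$name.p12" -inkey "$name.key" -in "$name.crt" \
    -chain -CAfile ca.crt -passout "pass:$pass"
}

# check_client <name> <p12-password>: returns 0 only if the certificate chains
# to ca.crt and the bundle's MAC verifies with the given password.
check_client() {
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$1.p12" -passin "pass:$2" -noout 2>/dev/null || return 1
}

# serial_of <name>: prints the certificate serial as uppercase hex (e.g. 02)
serial_of() {
  openssl x509 -in "$1.crt" -noout -serial | sed 's/^serial=//'
}
```

Run `make_ca` once, then `issue_client` per trusted machine (or per site) with an incrementing serial; `check_client` is a quick sanity check before copying a .p12 to a client.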

 

3. Install the client ZoneRestrictor certificates on client machines


Start with the machine where you will initialize the devices; that machine requires a connection to SafeConsole. Devices that have already been initialized can be unlocked on offline machines that have the same certificate present, but they must be initialized on a machine connected to SafeConsole:

  • Copy the client.p12 file to that machine and run it. 
  • Accept the prompts in the import wizard.
  • Remove the client.p12 file from this machine to prevent further unauthorized distribution of the certificate.
  • Repeat the steps on all machines and user accounts where you want to allow the device to be used. 


4. Enable write protection

  • Log in to SafeConsole with an Admin account.
  • Go to Policies tab.
  • Choose the Domain/OU for the users you want to manage.
  • Select Restrictions.
  • Check Enable Write Protection on devices.
  • In the drop-down, select "Activated when outside your Trusted Zone".



5. Configure ZoneBuilder Policy in SafeConsole.

  • Go to Policies tab.
  • Choose the Domain/OU for the users you want to manage.
  • Click ZoneBuilder, then Enable ZoneBuilder.
  • Select View Certificates.
  • Add your new certificate.
  • Then select your CA certificate from the drop-down menu and enter the CA password if required.




Devices are now read-only outside the Trusted Zone, which in this case means on any client that does not have the client certificate installed.