
Trusted Endpoints - Manual Certificate Deployment

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate to your managed devices. This guide walks you through manually importing the Duo device certificate package on Windows and macOS systems.

Once a client authenticates to Duo with this certificate, it becomes associated with that particular endpoint. Therefore, you'll need to repeat the process of downloading and installing a unique Duo certificate from the Duo Admin Panel for each individual system.

Duo's trusted endpoints certificate check works in Google Chrome, Apple Safari, and Internet Explorer browsers.

Prerequisites

  • Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative roles.

Create the Manual Enrollment Integration

  1. Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.
  2. If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.
  3. On the "Select Management Tools Integration" page, locate Manual Enrollment in the listed integrations and click the Select this integration link to the right.

The new Manual Enrollment integration is created in the "Off" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

Chrome OS Clients

Download the Duo Certificate

  1. Click the Chrome OS (Chromebook) platform to open the certificate download form.

  2. Enter and confirm an eight-character password in the Password fields of the Manual Enrollment page's "Download Certificate" section, and then click the Save & Download Certificate button.

    Certificate Download from Duo Admin Panel

  3. The Duo device authentication certificate downloads as a PKCS#12 (.p12) file. Remember, this certificate can only be used to identify one system. Return to this same manual management page in the Admin Panel to download certificates for additional systems.

Import the Certificate

The certificate import steps should be run under the context of the workstation user, not as an administrator.

  1. Copy the downloaded .p12 file to the trusted Chrome OS client.

  2. Open the Chrome Settings page by navigating to chrome://settings in the address bar. Once on the Settings page, scroll to the bottom and click Show advanced settings.

  3. Click the Manage certificates button under "HTTPS/SSL".

  4. While on the "Your Certificates" tab, click the Import and Bind to Device... button and browse to the downloaded .p12 certificate file. Click Open.

  5. Enter the password set for the file in the Duo Admin Panel when prompted and click OK. The "Your Certificates" tab now lists the "Duo Device Authentication" certificate. Click Done.

    Chrome Certificate Manager

  6. Chrome for Business and Google Apps admins should apply a Chrome policy that selects the Duo device certificate automatically during authentication. Without this, the browser asks the user to select a certificate manually before displaying the Duo authentication prompt.

    To do this, go to the Chrome management page in the Google Admin console and click User settings for your organization.

    Locate the policy setting AutoSelectCertificateForUrls and set it to the following:

    {"pattern": "https://[*.]duosecurity.com", "filter": {}}

    See Set Chrome policies for users help for more information.

Linux Clients

Download the Duo Certificate

  1. Click the Linux platform to open the certificate download form.

  2. Enter and confirm a password of at least eight characters in the Password fields of the Manual Enrollment page's "Download Certificate" section, and then click the Save & Download Certificate button.

    Certificate Download from Duo Admin Panel

  3. The Duo device authentication certificate downloads as a PKCS#12 (.p12) file. Remember, this certificate can only be used to identify one system. Return to this same manual management page in the Admin Panel to download certificates for additional systems.

Import the Certificate

The certificate import steps should be run under the context of the workstation user, not as an administrator.

  1. Copy the downloaded .p12 file to the trusted Linux workstation.

  2. Launch the Google Chrome browser and open the Settings page by navigating to chrome://settings in the address bar. Once on the Settings page, scroll to the bottom and click Show advanced settings.

  3. Click the Manage certificates button under "HTTPS/SSL".

  4. While on the "Your Certificates" tab, click the Import and Bind to Device... button and browse to the downloaded .p12 certificate file. Click Open.

  5. Enter the password set for the file in the Duo Admin Panel when prompted and click OK. The "Your Certificates" tab now lists the "Duo Device Authentication" certificate. Click Done.

    Chrome Certificate Manager

  6. Chrome for Business and Google Apps admins should apply a Chrome policy that selects the Duo device certificate automatically during authentication. Without this, the browser asks the user to select a certificate manually before displaying the Duo authentication prompt.

    To do this, go to the Chrome management page in the Google Admin console and click User settings for your organization.

    Locate the policy setting AutoSelectCertificateForUrls and set it to the following:

    {"pattern": "https://[*.]duosecurity.com", "filter": {}}

    See Set Chrome policies for users help for more information.

    This policy setting may also be configured on the Linux workstation by editing (or creating) /etc/opt/chrome/policies/managed/policy.json to add the same pattern string.
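As an added example that is not from Duo's documentation, the shell functions below write the Linux Chrome managed policy file referred to in step 6 and check that the nested JSON is encoded correctly. They assume Chrome merges every .json file in /etc/opt/chrome/policies/managed (so a separate duo-policy.json is written instead of editing policy.json) and that the policy directory is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of Duo's documentation: write and check the Chrome
# managed policy that auto-selects the Duo device certificate on Linux.
# Assumptions: Chrome on Linux reads every *.json file under
# /etc/opt/chrome/policies/managed, so a separate duo-policy.json avoids
# overwriting an existing policy.json; the target directory is passed as $1
# so the functions can be exercised against a temporary directory.

write_duo_chrome_policy() {
  dir="${1:-/etc/opt/chrome/policies/managed}"
  mkdir -p "$dir" || return 1
  # AutoSelectCertificateForUrls is a list of strings, and each string is
  # itself JSON text, so the inner quotes must be escaped inside the outer
  # JSON string.
  cat > "$dir/duo-policy.json" <<'EOF'
{
  "AutoSelectCertificateForUrls": [
    "{\"pattern\":\"https://[*.]duosecurity.com\",\"filter\":{}}"
  ]
}
EOF
  chmod 644 "$dir/duo-policy.json"
}

# Check that the file Chrome will read is valid JSON and that the list element
# decodes to an object carrying the expected pattern. An unescaped inner quote
# (the usual copy-paste mistake) makes the outer JSON invalid and fails here.
verify_duo_chrome_policy() {
  dir="${1:-/etc/opt/chrome/policies/managed}"
  python3 - "$dir/duo-policy.json" <<'EOF'
import json, sys
with open(sys.argv[1]) as fh:
    policy = json.load(fh)
inner = json.loads(policy["AutoSelectCertificateForUrls"][0])
if inner != {"pattern": "https://[*.]duosecurity.com", "filter": {}}:
    sys.exit(1)
EOF
}
```

Run both functions with no argument (as root) to write and verify the real policy directory; Chrome picks up the file on its next start.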

Windows Clients

Download the Duo Certificate

  1. Click the Windows platform to open the certificate download form.

  2. Enter and confirm an eight-character password in the Password fields of the Manual Enrollment page's "Download Certificate" section, and then click the Save & Download Certificate button.

    Certificate Download from Duo Admin Panel

  3. The Duo device authentication certificate downloads as a PKCS#12 (.p12) file. Remember, this certificate can only be used to identify one system. Return to this same manual management page in the Admin Panel to download certificates for additional systems.

Import the Certificate

The certificate import steps should be run under the context of the workstation user, not as an administrator.

  1. Copy the downloaded .p12 file to the trusted Windows workstation.

  2. Double-click the .p12 file to launch the Windows Certificate Import Wizard. Leave the Current User store location selected on the first screen of the wizard, and click Next.

    Windows Certificate Import Wizard - Step 1

  3. The full path to the certificate file is already present. Click Next.

    Windows Certificate Import Wizard - Step 2

  4. Enter the password set for the file in the Duo Admin Panel and select the Include all extended properties option. Click Next.

    Windows Certificate Import Wizard - Step 3

  5. Leave the Automatically select the certificate store based on the type of certificate option selected and click Next.

    Windows Certificate Import Wizard - Step 4

  6. Click Finish to complete the import process. If you receive a security warning asking if you want to import the "Duo Endpoint Validation Root CA 1" certificate, click Yes.

    Windows Certificate Import Warning

  7. After a successful import, verify the Duo certificate. Launch a Windows command prompt and type in this command:

    certmgr.msc

  8. Expand Certificates - Current User\Personal\Certificates. Look for the Duo Device Authentication certificate in the list.

    Windows Certificate Verification

  9. Delete the .p12 certificate file when finished since it can't be used to identify another device.

  10. Configure Internet Explorer so that it selects the Duo device certificate automatically during authentication. Without this, the browser asks the user to select a certificate manually before displaying the Duo authentication prompt.

    To do this, open a command prompt window and type in these commands:

    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1A04 /t REG_DWORD /d 00000000 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v 1A04 /t REG_DWORD /d 00000000 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1A04 /t REG_DWORD /d 00000000 /f

  11. Configure Google Chrome to automatically select the Duo device certificate during authentication without displaying a prompt to the user as well. If Chrome is installed on the client, please refer to the Local Policy for Chrome Devices guide.

iOS Clients

Download the Duo Certificate

  1. Click the iOS platform to open the certificate download form.

  2. Enter and confirm an eight-character password in the Password fields of the Manual Enrollment page's "Download Certificate" section, and then click the Save & Download Certificate button.

    Certificate Download from Duo Admin Panel

  3. The Duo device authentication certificate downloads as a PKCS#12 (.p12) file. Remember, this certificate can only be used to identify one user endpoint. Return to this same manual management page in the Admin Panel to download certificates for additional systems.

Import the Certificate

The certificate import steps should be run under the context of the workstation user, not as an administrator.

  1. Email or AirDrop the downloaded .p12 certificate file to the trusted iOS device and tap the file to open the "Install Profile" screen.

  2. Tap Install on the top right side of the "Install Profile" screen.

  3. If the iOS device has passcode protection you'll need to enter the code to continue.

  4. If you receive a warning stating that "The profile is not signed" then tap Install again to continue.

  5. Enter the password set for the certificate file in the Duo Admin Panel when prompted and tap Next.

  6. After verifying the password iOS installs the new certificate profile. Tap Done.

Verify the Certificate

To confirm that the Duo certificate profile was created, go to Settings and tap General, then Profiles & Device Management. The Duo Device Authentication profile contains the imported certificate.

Duo iOS Certificate Verification

macOS Clients

Deploy the Duo Certificate

  1. Click the Mac OS X platform, and then click to download Mac OS X Manual Enrollment Script.py. The actual name of the downloaded Python script will be similar to duo_cert_enrollment-2.0.py.

  2. Copy the downloaded script to the trusted Mac OS client.

  3. Launch the Terminal app and change directory (cd directory-path) to the location where you copied the downloaded enrollment script.

    For example, if you copied the Duo script to the "Documents" folder in your home directory, type this command to switch to that directory:

    cd ~/Documents

  4. Use sudo to run the script using Python. Enter your sudo password when prompted.

    sudo /usr/bin/python duo_cert_enrollment-2.0.py

    This script enrolls the Mac OS client as a Duo trusted endpoint by obtaining a device certificate from Duo, and also configures Safari and Chrome (if present) to automatically select the Duo certificate during authentication.

  5. IMPORTANT! Make sure to delete the Duo script from that Mac OS client when done. If your end user has access to the script they could run it on other devices to obtain Duo certificates for those endpoints without your knowledge.

Verify the Certificate

To confirm that the Duo enrollment script worked, launch the Mac OS Keychain Access application and make sure the Duo Device Authentication certificate exists in the "duo-auth" keychain.

Duo macOS Certificate Verification

Finish Trusted Endpoints Deployment

Once you've installed the Duo certificate on your endpoints you can configure the Trusted Endpoints policy to start checking for the certificate as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Manual Enrollment trusted endpoint management integration in the Admin Panel and turn it On with the Off/On setting at the top of the page.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices have the Duo certificate present.

As more of your devices receive the Duo certificate you can adjust your trusted endpoints policy to expand the target group, apply it to additional protected services, or start blocking access to applications from devices that do not have the Duo certificate. See the Trusted Endpoints documentation for more information.

Removing the Manual Enrollment Management Integration

Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Manual Enrollment integration from "Trusted Endpoints Configuration".

Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.
