Enroll Devices in Zero Trust Access Using Certificates

Use this procedure to enroll Windows and macOS computers in Zero Trust Access (ZTA) without requiring any action or awareness from users.

For feature details, see Choose Zero Trust Access Enrollment Methods for Your Organization.

Prerequisites

  • On user devices:
    • Minimum device operating system version:
      • Windows 10
      • macOS version 11
    • Hardware requirements:
      • Windows devices must support Trusted Platform Module (TPM) 2.0
      • Mac devices must support Secure Enclave
    • Cisco Secure Client must be installed on user endpoint devices. The Zero Trust Access module is integrated into the Cisco Secure Client.
    • Each device must have an identity certificate signed by your corporate certificate signing authority (CA).
      The identity certificate must be tied to a specific user, not to the device, so:
      • The certificate Subject Alternative Name (SAN) must include the user's RFC 822-compliant email address, or the User Principal Name (UPN) field must include the username.
      • The ZTA Client will evaluate certificates with an Issuer Common Name that matches any of the CA certificates enabled in the ZTA enrollment dashboard. If multiple identity certificates share the same Common Name, the client will select the first matching certificate.
      • The identity certificate must be installed in the machine or user-specific keystore on each device.
        • On Windows: C:\ProgramData\Cisco\Cisco Secure Client\ZTA\enrollment_choices
        • On macOS: /opt/cisco/secureclient/zta/enrollment_choices
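The certificate requirements above (user identity in the SAN, issuer Common Name matching an enabled CA, certificate still valid) are easy to get wrong when certificates are issued by a template that was designed for something else. The following pre-flight check is an added example, not Cisco's code or part of the Secure Access product; it assumes OpenSSL 1.1.1 or later is on the PATH and takes the list of enabled CA Common Names as arguments, standing in for the CA certificates enabled in the ZTA enrollment dashboard.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's code): pre-flight check that an identity
# certificate satisfies the ZTA certificate-enrollment requirements above.
# Assumes openssl 1.1.1+ is on PATH. The enabled-CA list passed as arguments
# is a stand-in for the CA certificates enabled in the ZTA enrollment dashboard.

# Print the Subject Alternative Name entries of a PEM certificate (empty if none).
san_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/{getline; print; exit}'
}

# Print the Common Name of the certificate issuer (RFC 2253 ordering).
issuer_cn_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_identity_cert CERT.pem ENABLED_CA_CN...
# Returns 0 when the certificate is unexpired, carries a user identity in its
# SAN (RFC 822 email or UPN othername) and was issued by one of the enabled CAs.
check_identity_cert() {
  local cert="$1"; shift
  local san issuer ca ok=1

  # -checkend 0: fails if the certificate has already expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate is expired or unreadable: $cert"
    return 1
  fi

  san=$(san_of "$cert")
  # OpenSSL 3 prints the UPN othername as "othername: UPN::user@domain";
  # OpenSSL 1.1.1 prints "othername:<unsupported>", so on that version only
  # the email form can be confirmed by this check.
  if ! printf '%s\n' "$san" | grep -qE 'email:|UPN'; then
    echo "FAIL: SAN has neither an RFC 822 email nor a UPN: ${san:-<none>}"
    return 1
  fi

  issuer=$(issuer_cn_of "$cert")
  for ca in "$@"; do
    if [ "$issuer" = "$ca" ]; then ok=0; fi
  done
  if [ "$ok" -ne 0 ]; then
    echo "FAIL: issuer CN '$issuer' is not an enabled enrollment CA"
    return 1
  fi

  echo "OK: $cert is issued by '$issuer' and identifies a user via its SAN"
  return 0
}
```

Run it against the exported identity certificate of a pilot device before rolling the enrollment out; a certificate that identifies only the device (no email or UPN in the SAN) or that chains to a CA not enabled in the dashboard will fail here rather than silently failing to enroll.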

Step 1 - Enable certificate-based enrollment for your organization

By default, certificate-based enrollment is not enabled. To enable it, see Choose Zero Trust Access Enrollment Methods for Your Organization.

Step 2 - Upload or choose a CA certificate

User endpoint devices present an identity certificate when enrolling and renewing enrollment.

Secure Access must hold the certificate that verifies these user identity certificates.

You can upload a new certificate or choose an already-uploaded certificate. Zero Trust Access enrollment can use the same certificate that validates identity certificates for VPN connections, or use a different certificate for zero trust enrollment. You must specify the purpose or purposes of each certificate during upload. You can modify the purpose later. Uploads must include the intermediate certificates required to complete the chain of trust.

To upload the certificate:

  1. Navigate to a page where you can upload CA certificates for enrollment.
    You can upload CA certificates for this purpose from either of two places in Secure Access. The result is identical.
    1. Option 1: Upload certificates to the Enrollment Methods page, which also includes the link to download the new configuration file that is generated after you upload a CA certificate.
      1. Navigate to Connect > End User Connectivity.
      2. Click the Zero Trust Access tab.
      3. In the Enrollment Methods section, click Manage.
      4. Click Upload a CA Certificate.
      5. Complete the form as described in Manage CA Certificates for VPN Connections and Zero Trust Access Enrollment.
    2. Option 2: Upload certificates to the client authentication certificates page:
      See Manage CA Certificates for VPN Connections and Zero Trust Access Enrollment.

Step 3 - Download the enrollment configuration file

Before you download the configuration file, you must upload the CA certificate that validates the identity certificate that a device presents at enrollment and renewal. Each time a CA certificate is uploaded for ZTA enrollment purposes, the ZTA enrollment configuration file is regenerated. The configuration file includes information about all CA certificates that have been uploaded and designated for ZTA enrollment.

You can download the configuration file from either of two locations:

  • Navigate to Connect > End User Connectivity, click the Zero Trust Access or Virtual Private Network tab, then click the Cisco Secure Client button.
    or
  • Navigate to Connect > End User Connectivity, click the Zero Trust Access tab. In the Enrollment Methods section, click Manage. Download the file from the Use Certificates section.

The configuration file name is orgID_ZTA_Enroll_Cert.json.

Step 4 - Install the enrollment configuration file on user devices

To prevent tampering, this configuration file is installed in a directory that requires Administrator access, and the file is signed. Do not attempt to modify it.

Install the configuration file on each user device in the following location:

  • On Windows devices: C:\ProgramData\Cisco\Cisco Secure Client\ZTA\enrollment_choices
  • On macOS devices: /opt/cisco/secureclient/zta/enrollment_choices

If a CA certificate expires or is replaced, deleted, or revoked, you must distribute a new configuration file to authorized devices, with information about the replacement CA certificate.

You can change the file name, but make sure there is only one ZTA enrollment configuration file on the device.
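Step 4 imposes three constraints that a deployment script should enforce rather than assume: the directory is administrator-only, the signed file is copied without modification, and only one enrollment configuration file is present afterwards (including after a CA replacement). The macOS script below is an added example, not Cisco's code; it assumes the configuration file keeps a .json extension, and the optional second argument exists so that the directory can be overridden for testing (Windows deployment would use the C:\ProgramData path above with the equivalent tooling).

```shell
#!/usr/bin/env bash
# Added example (not Cisco's code): deploy the ZTA enrollment configuration
# file on macOS while enforcing the constraints in Step 4: the directory is
# writable only by its administrator owner, the signed file is copied
# byte-for-byte, and exactly one configuration file remains afterwards.
# Assumes the configuration file keeps a .json extension.

ZTA_DIR_DEFAULT="/opt/cisco/secureclient/zta/enrollment_choices"

# SHA-256 of a file, portable between macOS (shasum) and Linux (sha256sum).
file_sha256() {
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    sha256sum "$1" | cut -d' ' -f1
  fi
}

# Number of JSON files currently in the enrollment_choices directory.
count_zta_configs() {
  find "$1" -maxdepth 1 -type f -name '*.json' | wc -l | tr -d ' '
}

# install_zta_config SRC.json [TARGET_DIR]
# Replaces any previous enrollment configuration with SRC and verifies that
# the installed copy is unmodified and is the only configuration present.
install_zta_config() {
  local src="$1" dir="${2:-$ZTA_DIR_DEFAULT}"
  local dest old installed

  if [ ! -r "$src" ]; then
    echo "FAIL: cannot read $src"
    return 1
  fi

  # The directory must exist and be writable only by its (administrator) owner.
  mkdir -p "$dir"
  chmod 755 "$dir"

  # Only one ZTA enrollment configuration file may be present: remove the
  # previous one(s) before installing the replacement.
  for old in "$dir"/*.json; do
    if [ -e "$old" ]; then rm -f "$old"; fi
  done

  dest="$dir/$(basename "$src")"
  # Copy with a fixed mode. Never edit the contents: the file is signed.
  install -m 0644 "$src" "$dest" || return 1

  # Integrity check: the installed copy must equal the downloaded file.
  if [ "$(file_sha256 "$src")" != "$(file_sha256 "$dest")" ]; then
    echo "FAIL: installed file differs from the downloaded one"
    return 1
  fi

  installed=$(count_zta_configs "$dir")
  if [ "$installed" -ne 1 ]; then
    echo "FAIL: expected exactly one configuration file, found $installed"
    return 1
  fi

  echo "OK: installed $dest"
  return 0
}
```

Run the script as root from your MDM or configuration-management tool, for example `install_zta_config /path/to/orgID_ZTA_Enroll_Cert.json`; when a CA certificate is replaced, rerunning it with the regenerated file removes the stale configuration so the client never sees two enrollment files side by side.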

Step 5 - Enrollment occurs

Enrollment occurs as soon as the user signs in to the device after all the prerequisites and steps above are complete.

Switch from SAML-based enrollment to certificate-based enrollment

Install a certificate-based enrollment configuration file on the device. This automatically disables SAML-based enrollment for that device.