
Device certificate verification

Device certificate verification is currently in private alpha. Therefore, this topic is currently hidden.
Device certificate verification is available for the Enterprise plan.

Devices are authenticated to your Tailscale network (known as a tailnet) using single sign-on (SSO) for end-user devices and auth keys for servers or other devices that are not associated with a user. Additionally, organizations can use their own public key infrastructure (PKI) to implement device certificate verification, so that only authorized, company-managed devices can join the tailnet.

How it works

When a tailnet is configured for device certificate verification, devices that are not pre-approved must pass device certificate verification before they're allowed to join the tailnet, or they must be manually approved.

Set up device certificate verification

To successfully use device certificate verification, your clients must be configured with your organization's device certificates and your tailnet must be configured to verify with one or more root certificate authority (CA) certificates.

  1. Configure clients.
  2. Enable device approval for your tailnet.
  3. Enable device certificate verification.

Configure clients

Clients must be configured to use a device certificate:

  1. Ensure client devices have an X.509 certificate installed in their system certificate store.
  2. Set the MachineCertificateSubject system policy on clients to match the installed certificate.
    • The value must be the exact value of the Subject field of the certificate, or of any intermediate CA or root CA in its chain. For example, CN=ExampleCorp Test Root CA,OU=ExampleCorp Test Certificate Authority,O=ExampleCorp,ST=ON,C=CA.
    • You must restart the Tailscale service (tailscaled, not the GUI application) on clients to pick up changes to the MachineCertificateSubject system policy.

Configure device certificate verification

Enable device approval for your tailnet

Device approval must be enabled for device certificate verification to occur.

  1. Enable device approval from the Device management page of the admin console.

Enable device certificate verification

Enable device certificate verification by defining the pool of root certificates used for device certificate verification. Device certificates will pass verification only if they are signed (directly or indirectly) by one of the root certificates in this pool.

  1. Set the pool of root certificates in the Device management page of the admin console. The value must be a PEM-encoded list of one or more certificates.
  2. Enable Allow auto-approval so that devices are automatically approved when certificate verification is successful.
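As an added example (not Tailscale's code), the following Go program shows how the two configuration values above fit together: the device certificate must chain to one of the root certificates in the PEM pool, and the MachineCertificateSubject value must equal the Subject of the leaf or of a CA in that chain. The constructed root and device certificates, the device name laptop-0042, and exact RFC 2253 string comparison are assumptions of the example, not documented details of Tailscale's matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckDeviceCert mirrors the two checks above: the DER device certificate must chain to a root in
// rootPoolPEM (the PEM list set in the admin console), and wantSubject (the MachineCertificateSubject
// value) must equal the Subject of the leaf or of a CA in the chain. Exact RFC 2253 matching is assumed.
func CheckDeviceCert(rootPoolPEM, leafDER []byte, wantSubject string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPoolPEM) { // a mis-pasted pool would otherwise verify nothing
		return fmt.Errorf("root pool contains no parsable PEM certificates")
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("device certificate: %w", err)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots}) // signatures, validity window, CA constraints
	if err != nil {
		return fmt.Errorf("device certificate does not chain to the root pool: %w", err)
	}
	for _, c := range chains[0] { // leaf first, root last
		if c.Subject.String() == wantSubject {
			return nil
		}
	}
	return fmt.Errorf("MachineCertificateSubject %q matches nothing in the chain", wantSubject)
}

// MakeTestChain is a constructed fixture (not a real PKI): a PEM root CA with the page's example Subject plus a DER device cert it signed; errors ignored, inputs are fixed.
func MakeTestChain() (rootPEM, leafDER []byte) {
	root := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "ExampleCorp Test Root CA", OrganizationalUnit: []string{"ExampleCorp Test Certificate Authority"},
			Organization: []string{"ExampleCorp"}, Province: []string{"ON"}, Country: []string{"CA"}}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: root.NotBefore, NotAfter: root.NotAfter, Subject: pkix.Name{CommonName: "laptop-0042"}}
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, rootPub, rootPriv)
	leafDER, _ = x509.CreateCertificate(rand.Reader, leaf, root, leafPub, rootPriv) // root template doubles as parent
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}), leafDER
}
```

Running CheckDeviceCert against a certificate exported from a client's system store and the exact PEM text pasted into the admin console is a quick way to catch a wrong Subject string or a malformed pool before devices are left waiting for manual approval.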

Limitations

  • Device certificate verification occurs at the initial device approval stage. Certificates are not re-verified at this time.
  • Device certificate verification is only supported on Windows at this time.
  • You must restart the Tailscale service (tailscaled, not the GUI application) on clients to pick up changes to the MachineCertificateSubject system policy.