Certificates serve to authenticate servers and devices to each other in order to establish a secure connection between them. They may contain a key that makes it possible to encrypt the data to be transmitted. These keys are protected by a password, which is also stored in the certificate. The certificate received from the server then has to be checked for trustworthiness by the mobile device. To do so, it can use either the corresponding root certificate or the key of the server certificate.
Groups of certificates
- Certificates purchased from a public certification authority (e.g. Symantec or Comodo)
- Self-generated certificates (use with Cortado Server no longer recommended!):
  - from a proprietary certification authority
  - from Cortado Server (self-signed)
Types of certificates used
- Root certificate: represents a certification authority (the systems that issue other certificates). Root certificates are used only to verify the authenticity of server, user or client certificates.
- Server certificate (SSL): is used by the client to identify the server (here: the Cortado server to an end device).
- Client certificate: is used by the server to identify the client (here: the user or the end device to the Cortado server, depending on the selected mode).
Cortado Server websites
- User Portal → https:///up
- Administration portal → https:///fw
- Web app → https:///cortadoworkplace/
Encryption between end device (browser) and server
The following illustration shows how the browser of an end device requests an https page (for example, to reach the User Portal in Cortado Server) and how the Cortado server responds by sending its certificate to initiate an SSL-encrypted connection.
The certificate received from the server now has to be checked for trustworthiness by the mobile device. To do so, it must use the corresponding root certificate. If this is not present on the device (or if the specified server address does not match the one written in the certificate), the user receives an error message. This could be worded as follows:
“Your connection is not private” (Google Chrome)
Officially-issued root certificates are usually already present on the devices.
Encryption between the Cortado app (end device) and server
An SSL-encrypted connection is also established between the Cortado app on the end device and the Cortado server. This connection enables secure communication via https including user name and password queries. For this, the root certificate is also used. This mode is always enabled.
Client certificates (optional)
Additionally, to further increase security, client certificates can also be used (see section Establishing client certificates (optional)). When client certificates are used, the identity of the end device is additionally ensured by a certificate that is already known to the server.
- Identification of the server by the end device with the server certificate (including user name/password query)
- Additional authentication with a client certificate:
  - a global certificate for all devices of all users
  - one certificate per user (= for all devices of a user)
  - one certificate per device
- If you would already like to test the client certificates in the DMZ, proceed as described in the section Install proxy server.
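The two checks described above (the device verifying the server certificate against a root certificate, and the server verifying an optional client certificate) can be reproduced with openssl on a throwaway test CA. The script below is an added example, not part of this documentation and not Cortado's own tooling: it builds a private root certificate, issues a server certificate and a client certificate from it, and then shows which combinations are accepted. The hostname cortado.example and the certificate names are constructed; `-verify_hostname`, `-no-CAfile` and `-no-CApath` assume OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not Cortado's own code): reproduce the certificate checks
# described in the text with a constructed test CA. All names are made up.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SERVER_NAME="cortado.example"   # assumed host name of the Cortado server

# 1. Private root certificate: the trust anchor the end device must hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert <name> <extension line>...: key + CSR for <name>, signed by the root.
issue_cert() {
  name="$1"; shift
  printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# 2. Server certificate (SSL) bound to the server's name, and a client
#    certificate that the server already knows (issued by the same root).
issue_cert server "subjectAltName=DNS:$SERVER_NAME" "extendedKeyUsage=serverAuth"
issue_cert client "extendedKeyUsage=clientAuth"

# check_server_cert <hostname>: what the browser/app does with the root
# certificate: chain check plus "does the address match the certificate?".
check_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# check_without_root: same server certificate on a device that does not
# hold the root certificate (default trust store disabled).
check_without_root() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

# check_client_cert <name>: what the server does with a presented client
# certificate: chain check plus "is it usable as a client certificate?".
check_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Demonstration of the outcomes the text describes.
check_server_cert "$SERVER_NAME"  && echo "trusted root + matching address: accepted"
check_server_cert "wrong.example" || echo "address mismatch: 'Your connection is not private'"
check_without_root                || echo "root certificate missing on device: rejected"
check_client_cert client          && echo "client certificate accepted by server"
check_client_cert server          || echo "server certificate cannot act as client certificate"
```

The hostname mismatch and the missing root certificate are the two conditions the text names for the browser error; the last line shows why a server certificate cannot simply be reused as a client certificate, since the extended key usage restricts its purpose.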