Cortado Mobile Solutions

Certificate-based authentication

Overview

Encryption end device (browser) and server

Encryption between the Cortado app (end device) and server

Overview

Certificates serve to authenticate servers and devices to each other in order to establish a secure connection between them. They may contain a key that makes it possible to encrypt the data to be transmitted. These keys are protected by a password, which is also stored in the certificate. The certificate received from the server then has to be checked for trustworthiness by the mobile device. To do so, it can use either the corresponding root certificate or the key of the server certificate.

Groups of certificates

  • Certificates purchased from a public certification authority (e.g. Symantec or Comodo)
  • Self-generated certificates:
    • from a proprietary certification authority
    • from Cortado Server (self-signed)

Types of certificates used

  • Root certificate: represents a certification authority (the computers that generate other certificates). Root certificates are used only to verify the authenticity of server, user or client certificates.
  • Server certificate (SSL): is used by the client to identify the server (here: the Cortado server to an end device).
  • Client certificate: is used by the server to identify the client (here: the user or the end device to the Cortado server, depending on the selected mode).

Cortado Server websites

  • User Self Service Portal → https:///up
  • Management console → https:///fw
  • Web app → https:///cortadoworkplace/

Encryption end device (browser) and server

The next illustration shows how the browser of an end device requests an https page, for example to reach the User Self Service Portal in Cortado Server, and how the Cortado server responds by sending its certificate to initiate an SSL-encrypted connection.

Example of the use of a server certificate


The certificate received from the server now has to be checked for trustworthiness by the mobile device. To do so, it must use the corresponding root certificate. If the root certificate is not located on the device (or if the server address entered does not match the one written in the certificate), the user receives an error message. This could be worded as follows:
“Your connection is not private” (Google Chrome)
You or the users can simply confirm the insecure connection.
In order to avoid these certificate errors and to ensure a secure connection, Cortado Server ensures the root certificate is downloaded by the users themselves with the First Steps Wizard in the User Self Service Portal.
User Self Service Portal: Downloading the root certificate in the First Steps Wizard (example for Apple iOS)


The same applies to the use of the web app in a browser: the root certificate can be downloaded to the respective device here as well. Downloading the root certificate to the end device is necessary especially when using self-signed certificates. Root certificates of public certification authorities are usually already present on the devices.
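As an added example (not from Cortado's documentation), the following script reproduces the two checks an end device performs on the server certificate described above: the certificate chain must end in a root certificate the device has, and the address entered must match the name written in the certificate. It builds a throw-away proprietary root and server certificate with the openssl command line; the server name, the unrelated second root and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not Cortado's code. Requires the openssl CLI (1.1.1 or newer).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
SERVER_NAME=cortado.example    # assumed address the user types into the browser
OTHER_NAME=other.example       # assumed address that does not match the certificate

# 1. A proprietary (self-generated) root certificate, like the one users download
#    in the First Steps Wizard.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null

# 2. A server certificate for Cortado Server, issued by that root, with the
#    server address in its subjectAltName.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=$SERVER_NAME" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$SERVER_NAME" > san.cnf
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 825 -extfile san.cnf -out server.pem 2>/dev/null

# 3. An unrelated root: a device that only has this one must reject server.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout other.key -out other.pem -subj "/CN=Unrelated Root CA" 2>/dev/null

# device_check ROOT_ON_DEVICE ADDRESS_ENTERED -> ok | untrusted | name-mismatch
# Mirrors the browser: the chain must end in a root the device has, and only then
# is the address compared with the certificate.
device_check() {
  if ! openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo untrusted
  elif ! openssl verify -CAfile "$1" -verify_hostname "$2" \
          "$WORK/server.pem" >/dev/null 2>&1; then
    echo name-mismatch
  else
    echo ok
  fi
}

device_check "$WORK/root.pem"  "$SERVER_NAME"   # ok
device_check "$WORK/other.pem" "$SERVER_NAME"   # untrusted
device_check "$WORK/root.pem"  "$OTHER_NAME"    # name-mismatch
```

The second case is what a device without the downloaded root certificate sees; the third is the "server address does not match the certificate" error, which no root certificate download fixes.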

Encryption between the Cortado app (end device) and server

Root certificate

An SSL-encrypted connection is also established between the Cortado app on the end device and the Cortado server. This connection enables secure communication via https, including user name and password queries. For this, the root certificate is also used. This mode is always enabled.

Example of the use of a server certificate

Client certificates (optional)

Additionally, to further increase security, client certificates can also be used (see section Establishing client certificates (optional)). When client certificates are used, the identity of the end device is additionally ensured by a certificate that is already known to the server.

Example of the setup for a client certificate

  • Identification of the server by the end device with the server certificate (including the user name/password query)
  • Additional authentication with a client certificate:
    • a global certificate for all devices of all users
    • one certificate per user (= for all devices of a user)
    • one certificate per device

  • If you would like to test the client certificates in the DMZ already, proceed as described in the section Install proxy server.
