Certificates serve to authenticate servers and devices to each other, so that a protected connection can be established between them. A certificate contains the public key of its holder; the matching private key is kept separately by the holder (for example the server) and is not part of the certificate. If the private key is stored in a password-protected file, that password is likewise kept outside the certificate. With this key pair the two sides negotiate the encryption of the data to be transmitted. The certificate received from the server then has to be checked for trustworthiness by the mobile device: the device verifies that the certificate was issued (signed) by a certification authority whose root certificate it already trusts, and that the name in the certificate matches the server address that was used.
Groups of certificates
- Certificates purchased from a public certification authority (e.g. Symantec or Comodo)
- Self generated certificates:
- from a proprietary certification authority
- from Cortado Server (self signed)
Types of certificates used
- Root certificate: represents a certification authority (the computers that issue other certificates). Root certificates are used only to verify the authenticity of server, user or client certificates.
- Server certificate (SSL): used by the client to identify the server (here: the Cortado server to an end device).
- Client certificate: used by the server to identify the client (here: the user or the end device to the Cortado server, depending on the selected mode).
Cortado Server websites
- User Self Service Portal → https:///up
- Management console → https:///fw
- Web app → https:///cortadoworkplace/
Encryption between end device (browser) and server
The following illustration shows how the browser of an end device requests an https page (for example, to reach the User Self Service Portal on Cortado Server) and how the Cortado server responds by sending its certificate to initiate an SSL-encrypted connection.
The certificate received from the server now has to be checked for trustworthiness by the mobile device. To do so, the device needs the corresponding root certificate. If the root certificate is not present on the device (or if the server address entered does not match the name written in the certificate), the user receives an error message. This could be worded as follows:
“Your connection is not private” (Google Chrome)
You or the users can simply confirm the insecure connection. Note, however, that doing so switches off the very check that protects the connection against interception; it is a workaround for testing, not a substitute for a trusted certificate.
To avoid these certificate errors and to ensure a secure connection, Cortado Server lets the users download the root certificate themselves with the First Steps Wizard in the User Self Service Portal.
The same applies to the use of the web app in a browser: the root certificate can also be downloaded to the respective device from there. Downloading the root certificate to the end device is necessary above all when self-signed certificates are used; the root certificates of public certification authorities are usually already present on the devices.
Encryption between the Cortado app (end device) and server
An SSL-encrypted connection is also established between the Cortado app on the end device and the Cortado server. It allows secure communication via https, including the user name and password queries. The root certificate is used for this as well. This mode is always enabled.
Client certificates (optional)
In addition, to increase security further, client certificates can be used (see section Establishing client certificates (optional)). With client certificates the identity of the end device is additionally confirmed by a certificate that is already known to the server.
- Identification of the server by the end device with the server certificate (including the user name/password query)
- Additional authentication with a client certificate:
- a global certificate for all devices of all users
- one certificate per user (i.e. for all devices of a user)
- one certificate per device
If you would already like to test the client certificates in the DMZ, proceed as described in the section Install proxy server.
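The following script is an added example and is not part of Cortado Server or its documentation; it assumes only the openssl command-line tool and uses the invented host name cortado.example.internal and an invented device name. It reproduces, with a throwaway private CA, the checks described in the two sections above: the device-side check of the server certificate (root certificate present, root certificate missing, server address not matching the certificate) and, going one step beyond the text, the server-side check that a certificate offered as a client certificate was issued by the trusted root for client authentication rather than being a server certificate.

```shell
#!/bin/sh
# Added example (not Cortado's own tooling). Assumes the openssl CLI.
# All names below are made up for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=cortado.example.internal          # assumed server address

# Self-signed root certificate: stands in for a proprietary certification authority.
make_root() {                          # $1 = file stem, $2 = CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate signed by root "$1".
issue_cert() {                         # $1 root stem, $2 stem, $3 CN, $4 EKU, $5 SAN (optional)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  {
    printf 'extendedKeyUsage=%s\n' "$4"
    if [ -n "$5" ]; then printf 'subjectAltName=%s\n' "$5"; fi
  } > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

make_pki() {
  make_root root  "Example Root CA"
  make_root other "Unrelated Root CA"  # the only root some device might have
  issue_cert root server "$HOST" serverAuth "DNS:$HOST"     # the "SSL" server certificate
  issue_cert root client "device-0001" clientAuth           # one certificate per device
}

# Device-side check: is the server certificate trusted under root "$1" for address "$2"?
# Only the given root is consulted (the system trust store is switched off),
# exactly as a device that has not downloaded the root would behave.
verify_server() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
       -purpose sslserver -verify_hostname "$2" "$WORK/server.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Server-side check: is certificate "$1" an acceptable client certificate under our root?
verify_client() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
       -purpose sslclient "$WORK/$1.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_pki
echo "trusted root, correct address:   $(verify_server root "$HOST")"   # ok
echo "root missing on the device:      $(verify_server other "$HOST")"  # fail
echo "trusted root, wrong address:     $(verify_server root 10.0.0.5)"  # fail
echo "client certificate as client:    $(verify_client client)"         # ok
echo "server certificate as client:    $(verify_client server)"         # fail
```

The second and third cases are the two situations that produce the browser error quoted above; the last case shows why the server should verify the purpose of a presented client certificate and not merely that it chains to the root.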