You can find the options described below either in the Configuration Assistant that you used for the initial configuration of Cortado Server or in the Management Console under Control Panel→ Certificates, in the Server Certificates tab.
For how to configure the Apple Push certificate, see the section Configure Apple MDM.
The procedure for setting up a client certificate mode is described in the section Establishing client certificates (optional).
Both server and client certificates can be obtained from a public certification authority. This has the advantage that their root certificates are already recognized by all servers and end devices. Thus, there are no certificate errors as described in section Certificate-based authentication.
Regardless of whether the certificates have been purchased, or generated by one’s own certification authority, they can be set up for Cortado Server in two ways:
- with the Configuration Assistant under Certificates→ Browse or
- with the Cortado Management console under Control Panel→ Certificates→ Server Certificates.
Note! The Cortado server can generate server certificates (SSL) for you, if you are using a root certificate that:
– was itself generated by the Cortado server,
– was purchased from an official certification authority, or
– was created by your own certificate authority.
If a purchased root certificate or your own root certificate is used, it must first be imported (including the private key) into the certificate store of the Cortado server.
Generate root certificate
Cortado Server generates a new root certificate automatically, if you:
- select the option Generate new self signed root certificate in Configuration Assistant (see illus.) or
- select the option Generate Root Certificate in the Cortado Management console (see illus.).
Note! All other certificates as well as all .tpm files are recreated automatically if you generate a new root certificate. Afterwards all users must run the First Steps Wizard again to download the new certificate and the new configuration (.tpm file) to the device.
Generate server certificate
Cortado Server automatically generates a new server certificate, when you:
- select the option Generate new self signed server certificate in Configuration Assistant (see illus.) or
- select the option Generate Server Certificate (SSL) in the Cortado Management console (see illus.).
Note! The server certificate which is created here (if necessary) contains the server address which you have specified in the Configuration Assistant’s Cortado server address menu (see illus.). This address is also shown in the Management Console’s Global Settings (see illus.). Make sure that – on the one hand – this address is reachable from the devices and – on the other hand – the users use exactly this address for connections to the User Self Service Portal as well as to the web app. Otherwise certificate errors can occur in the device’s Internet browsers.
Note! For Android devices running OS 9 or later, the server certificates used must have at least one Subject Alternative Name (SAN). This can be the same as the Subject Name.
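The two notes above (address match and SAN requirement) can be checked from any client machine. The following Python sketch is an added example, not part of the Cortado product or its documentation: it trusts the root certificate exported in .cer format, connects to the server address, and reports whether the server certificate carries a SAN that covers that address. The host name, port 443 and file name are assumptions to be replaced with your own values.

```python
import socket
import ssl


def load_root(ctx, root_cer_path):
    """Trust the exported root (.cer); the file may be DER or Base64/PEM."""
    with open(root_cer_path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        ctx.load_verify_locations(cadata=data.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=data)  # bytes are parsed as DER


def fetch_server_cert(address, port, root_cer_path):
    """Return the chain-validated server certificate as a dict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # name matching is done by san_findings()
    load_root(ctx, root_cer_path)
    with socket.create_connection((address, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return tls.getpeercert()


def name_matches(pattern, address):
    pattern, address = pattern.lower(), address.lower()
    if pattern.startswith("*."):  # a wildcard covers exactly one label
        head, _, rest = address.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == address


def san_findings(cert, address):
    """List problems a device would hit; an empty list means the names are fine."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if not sans:
        return ["no Subject Alternative Name (required from Android OS 9)"]
    if not any(name_matches(s, address) for s in sans):
        return ["%s is not among the SANs: %s" % (address, ", ".join(sans))]
    return []


if __name__ == "__main__":
    # Constructed values: use your Cortado server address and exported root file.
    cert = fetch_server_cert("cortado.example.com", 443, "root.cer")
    print(san_findings(cert, "cortado.example.com") or "server certificate names OK")
```

A connection failure with a certificate verification error means the server certificate does not chain to the exported root, which is the same condition that produces certificate errors on the devices.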
Import root certificate
When importing a root certificate from your company’s certification authority (CA), note that Cortado Server supports only the following cryptographic providers. Take this into account when configuring your company’s CA.
- Microsoft Base Smart Card Crypto Provider
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Strong Cryptographic Provider
- Microsoft Base DSS Cryptographic Provider v1.0
Export root certificate
In addition, the root certificate can be exported with or without its private key using the option Export Root Certificate.
Export certificate with private key
Export the root certificate with a private key in .pfx format.
Note! Only export the private key if you want to create a backup. Never distribute a certificate with a private key to the users.
- Enable the checkbox Export private key (arrow in illus.).
- Click on OK to confirm the warning message.
- Protect the certificate with a password.
- Save the certificate in a secure location.
Export certificate without private key
Export the root certificate without a private key in .cer format.
- Click on OK to start downloading the certificate.
- Save the root certificate.
Export server certificate
- Select Export Server Certificate (SSL) to export the server certificate in .pfx format.
- Protect your certificate with a password.
You can now save the server certificate to a secure location.