Cortado Support


Establishing client certificates (optional)

Note! The client certificate mode is no longer available for Cortado Server 11.0.

Create or upload certificates

Distributing certificates

Renew certificates

Create or upload certificates

  • In the Management console, select Control Panel→ Certificates→ Certificate Mode (left arrow in illus.) and then Change Certificate Mode (right arrow in illus.).

change client certificate mode

Note! If you are using a newer IIS version (IIS 8.0 or later, Windows Server 2012):
When using client certificates, please change the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:ClientAuthTrustMode
to 2 (DWORD).
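
The registry change from this note, as an added PowerShell example (not Cortado's own tooling): it reads the current value, writes 2 as a DWORD and reads it back. The function name is hypothetical; the value meanings in the comments are those Microsoft documents for Schannel, where 2 is Exclusive CA Trust.

```powershell
# Added example; run in an elevated PowerShell session on the IIS host.
function Set-ClientAuthTrustMode {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 2)][int]$Mode = 2)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $name = 'ClientAuthTrustMode'
    # Value meanings as documented by Microsoft for Schannel
    $meaning = @{ 0 = 'Machine Trust (default)'; 1 = 'Exclusive Root Trust'; 2 = 'Exclusive CA Trust' }

    # The entry does not exist on a default installation, so a missing value is not an error
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($before -ne $Mode -and $PSCmdlet.ShouldProcess("$key\$name", "Set to $Mode (DWORD)")) {
        # -Force overwrites an existing entry and guarantees the DWORD type
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Mode -Force | Out-Null
    }

    # Read the value back so the result reflects what is actually stored
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Before  = if ($null -eq $before) { '(not set)' } else { "$before = $($meaning[[int]$before])" }
        After   = if ($null -eq $after)  { '(not set)' } else { "$after = $($meaning[[int]$after])" }
        Matches = ($after -eq $Mode)
    }
}

Set-ClientAuthTrustMode -WhatIf   # preview only, nothing is written
Set-ClientAuthTrustMode           # apply the value 2 and verify it
```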

  • You can either create new client certificates (Create Certificate) or use existing ones (Use Certificate).

generating or selecting client certificates

Create Certificate

You can create your own client certificates here, provided that the root certificate you want to use was self-generated by the Cortado server or created with your own certification authority. Otherwise, use Use Certificate. There are three client certificate modes available:

select certificate mode 1 (example)

  • Either one certificate per user (= for all the end devices of a user): For this, select One certificate for each user will be created and click OK. This corresponds to certificate mode 1.
  • Or one certificate per end device: For this, select One certificate for each user device will be created and click OK. This corresponds to certificate mode 2.
  • Or one global certificate for every end device of all users: For this, select One certificate for all users will be created and click OK. This corresponds to certificate mode 3.

You can set your own password for users/devices (Set client certificate password). If no certificate password is specified, the Cortado server automatically generates a password for each user/device. You can find the certificate password under Control Panel→ Users→ Certificates (arrow in illus.). Give it to the users in person or by phone.

Reading the certificate password of a user’s end device under Control Panel→ Users→ Certificates

You can also send it via e-mail (not secure). E-mail templates for automatic distribution are available under Global Settings→ Mail→ E-mail Settings. With the placeholder $ClientCertPwd you can send the password of the client certificate to the user. This placeholder can be inserted in each of the three bodies. When the e-mail is sent, the corresponding password is filled in automatically.

You can view the certificate mode in the certificate overview under Control Panel→ Certificates→ Certificate Mode (arrow in illus.).

Display of the certificate mode (example)

Use Certificate

You can use existing client certificates here, i.e. certificates purchased from an official certification authority or created with your own certification authority (.pfx files). Two client certificate modes are available.

  • Either one certificate per user (= for all the end devices of a user): For this, select One certificate for each user will be used. Then enter the path to the folder that contains the client certificates. This corresponds to certificate mode 1.

select certificate mode 1 (example)

  • Or one global certificate for every end device of all users: For this, select One certificate for all users will be used. Then select the path to the client certificate (.pfx file) and enter the certificate password. This corresponds to certificate mode 3.

Distributing certificates

The client certificate (with the password-protected private key) is saved in the configuration file (.tpm) for the Cortado app.

The users must then:

  1. execute the First Steps Wizard in the User Self Service Portal (because it contains the client certificate).
  2. enter the certificate password (arrow in illus.).

Note! If the Cortado app has already been configured by the user and is now to be secured retroactively with a client certificate, the user must download a configuration file (Basic Configuration) containing the client certificate in the User Self Service Portal (see also the section Renew certificates).

Certificate password request

Renew certificates

Client certificates are valid for one year and must be renewed accordingly. Depending on whether you are using certificates generated by the Cortado server or certificates generated with (or purchased from) your own certificate authority, the following steps must be followed:

  • Server-generated certificates: If you are using certificates generated by the Cortado server (see the section Create Certificate), no interaction is required. Shortly before they expire, the certificates are automatically renewed by the Cortado server. The new client certificates (with the password-protected private key) are then saved in a newly created configuration file (.tpm). The users then automatically receive an e-mail prompting them to download the new configuration file in the User Self Service Portal (see the section E-mail Settings).
  • Own user certificates: If you are using client certificates that you created with your own certificate authority, or that you purchased from a CA, you also have to renew them shortly before they expire.
    • Place the new client certificates (.pfx files) in the same storage location as the old ones (see the section Use Certificate).
    • To distribute the new certificates to the users, new configuration files (.tpm) must be created. To do so, go to Control Panel→ Certificates→ Certificate Mode→ Renew Configuration Files.
    • Confirm the following warning message.

updating configuration files

  • The new client certificates (with the password-protected private key) are now saved in a newly created configuration file (.tpm). The users then automatically receive an e-mail prompting them to download the new configuration file in the User Self Service Portal (see the section E-mail Settings).


    Download the Basic Configuration under Setup→ Devices→ Basic Configuration and open it in Cortado
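
For own certificates, a check of the storage folder shows which .pfx files are close to the end of their one-year validity before Renew Configuration Files is run. This PowerShell example is added here and is not part of Cortado; the function name, the folder path `C:\ClientCerts`, the 30-day lead time and the use of one shared password for all files are assumptions.

```powershell
# Added example: report client certificates (.pfx) that are expired or due for renewal.
function Get-ExpiringClientCertificate {      # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Folder,          # folder entered under Use Certificate
        [Parameter(Mandatory)][securestring]$Password,  # assumption: one password for all files
        [int]$WarnDays = 30                              # assumption: renewal lead time in days
    )
    $now      = Get-Date
    $deadline = $now.AddDays($WarnDays)

    foreach ($file in Get-ChildItem -Path $Folder -Filter *.pfx -File) {
        try {
            # Get-PfxData parses the file without importing the key into a certificate store
            $pfx = Get-PfxData -FilePath $file.FullName -Password $Password -ErrorAction Stop
        } catch {
            # Wrong password or damaged file: report it instead of silently skipping it
            [pscustomobject]@{ File = $file.Name; Subject = $null; NotAfter = $null
                               Status = "Unreadable: $($_.Exception.Message)" }
            continue
        }
        foreach ($cert in $pfx.EndEntityCertificates) {
            $status = if ($cert.NotAfter -lt $now) { 'Expired' }
                      elseif ($cert.NotAfter -lt $deadline) { 'Renew' }
                      else { 'OK' }
            [pscustomobject]@{ File = $file.Name; Subject = $cert.Subject
                               NotAfter = $cert.NotAfter; Status = $status }
        }
    }
}

# The password is prompted for so that it never appears in the script or the history
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Get-ExpiringClientCertificate -Folder 'C:\ClientCerts' -Password $pw |
    Sort-Object NotAfter | Format-Table -AutoSize
```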
