Note! The client certificate mode is no longer available for Cortado Server 11.0.
Create or upload certificates
- In the Management Console, select Control Panel→ Certificates→ Certificate Mode (left arrow in illus.) and then Change Certificate Mode (right arrow in illus.).
Note! If you are using a newer IIS version (IIS 8.0 or later, Windows Server 2012) together with client certificates, change the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:ClientAuthTrustMode
Set ClientAuthTrustMode to 2 (DWORD).
- You can either create new client certificates (Create Certificate) or use existing ones (Use Certificate).
Create Certificate
You can create your own client certificates here, provided that the root certificate you want to use was generated by the Cortado server itself or by its own certification authority. Otherwise, use Use Certificate. There are three client certificate modes available:
- Either one certificate per user (= for all the end devices of a user): For this, select One certificate for each user will be created and click OK. This means certificate mode 1.
- Or one certificate per end device: For this, select One certificate for each user device will be created and click OK. This means certificate mode 2.
- Or one global certificate for every end device of all users: For this, select One certificate for all users will be created and click OK. This means certificate mode 3.
You can set your own password for users/devices (Set client certificate password). If no certificate password is specified, the Cortado server automatically generates a password for each user/device. You can find the certificate password under Control Panel→ Users→ Certificates (arrow in illus.). Tell it to the users in person or in a phone call.
You can also send it via e-mail (not secure). E-mail templates for automatic distribution are available under Global Settings→ Mail→ E-mail Settings. With the placeholder $ClientCertPwd you can send the password of the client certificate to the user. This placeholder can be inserted in each of the three bodies; when the e-mail is sent, the corresponding password is filled in automatically.
You can view the certificate mode in the certificate overview under Control Panel→ Certificates→ Certificate Mode (arrow in illus.).
Use Certificate
You can use existing client certificates here, e.g. ones purchased from an official certification authority or created by your own certification authority (.pfx files). Two client certificate modes are available.
- Either one certificate per user (= for all the end devices of a user): For this, select One certificate for each user will be used. Then enter the path to the folder that contains the client certificates. This means certificate mode 1.
- Or one global certificate for every end device of all users: For this, select One certificate for all users will be used. Then select the path to the client certificate (.pfx file) and enter the certificate password. This means certificate mode 3.
Distributing certificates
The client certificate (with the password-protected private key) is saved in the configuration file (.tpm) for the Cortado app.
The users must then:
- run the First Steps Wizard in the User Self Service Portal (because the configuration file it delivers contains the client certificate).
- enter the certificate password (arrow in illus.).
Note! If the Cortado app has already been configured by the user and you now want to secure it retrospectively with a client certificate, the user must download a configuration file (Basic Configuration) containing the client certificate from the User Self Service Portal (see also the section Renew certificates).
Renew certificates
Client certificates are valid for one year and must be renewed before they expire. Depending on whether you’re using certificates generated by the Cortado server or those generated (or purchased) from your own certificate authority, the following steps must be followed:
- Server-generated certificates: If you are using certificates generated by the Cortado server (see the section Create Certificate), no interaction is required. Shortly before they expire, the certificates will be automatically renewed by the Cortado server. The new client certificates (with the password-protected private key) will then be saved in a newly created configuration file (.tpm). The users will then automatically receive an e-mail prompting them to download the new configuration file in the User Self Service Portal (see the section E-mail Settings).
- Own user certificates: If you are using client certificates that you created with your own certificate authority, or that you purchased from a CA, you also have to renew them shortly before they expire:
- Place the new client certificates (.pfx files) in the same storage location as the old ones (see the section Use Certificate).
- To distribute the new certificates to the users, new configuration files (.tpm) must be created. To do so, go to Control Panel→ Certificates→ Certificate Mode→ Renew Configuration Files.
- Confirm the following warning message.
- The new client certificates (with the password-protected private key) are now saved in a newly created configuration file (.tpm). The users then automatically receive an e-mail prompting them to download the new configuration file in the User Self Service Portal (see the section E-mail Settings).
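The two administrator checks this page leaves to you, the SCHANNEL ClientAuthTrustMode value required on IIS 8.0 or later (see the note under Create or upload certificates) and the one-year validity of your own .pfx client certificates (see Renew certificates), can be verified with the following PowerShell script. It is an added example, not a Cortado tool; the certificate folder path is an assumption (it is the folder you entered for One certificate for each user will be used), and the script assumes all .pfx files in that folder share the password you enter at the prompt.

```powershell
# Added example (not part of Cortado Server). Run in an elevated PowerShell on the IIS host.
param(
    [string]$CertFolder = 'C:\CortadoClientCerts',   # assumption: folder from "Use Certificate" mode 1
    [int]$WarnDays = 30,                              # warn this many days before NotAfter
    [switch]$Fix                                      # write ClientAuthTrustMode=2 if it differs
)

# 1. SCHANNEL client-authentication trust mode (registry key and value from the note above).
#    Documented meanings: 0 = machine trust (default), 1 = exclusive root trust, 2 = exclusive CA trust.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$regName = 'ClientAuthTrustMode'
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($current -eq 2) {
    Write-Host "$regName is 2 (exclusive CA trust): OK"
} elseif ($Fix) {
    Set-ItemProperty -Path $regPath -Name $regName -Value 2 -Type DWord
    Write-Host "$regName set to 2; restart IIS (iisreset) so SCHANNEL picks up the change"
} else {
    Write-Warning "$regName is '$current' (expected 2); rerun with -Fix to change it"
}

# 2. Expiry of the .pfx client certificates that Cortado packages into the .tpm configuration files.
$pfxPassword = Read-Host -Prompt 'Password of the .pfx files' -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
Get-ChildItem -Path $CertFolder -Filter *.pfx | ForEach-Object {
    $file = $_
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $file.FullName, $pfxPassword, $flags)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                 else { 'ok' }
        [pscustomobject]@{
            File = $file.Name; Subject = $cert.Subject
            NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; State = $state
        }
        $cert.Dispose()   # release the temporary private-key container created on import
    } catch {
        # Wrong password or damaged file: report it and keep scanning the remaining files.
        Write-Warning "Could not open $($file.Name): $($_.Exception.Message)"
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize
```

Files reported as RENEW SOON are the ones to replace in the same folder and then redistribute via Control Panel→ Certificates→ Certificate Mode→ Renew Configuration Files, as described in the steps above.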