Cortado Server – Manual

Certificate-based authentication

January 21, 2019 – December 19, 2019

Encryption between end device (browser) and server

The next illustration shows how the browser on an end device requests an https page (for example, to reach the User Self Service Portal in Cortado Server) and how the Cortado server responds by sending its certificate to initiate an SSL-encrypted connection.

Example of the use of a server certificate

The mobile device now has to check the certificate received from the server for trustworthiness. To do so, it needs the corresponding root certificate. If this root certificate is not present on the device (or if the server address entered does not match the one written in the certificate), the user receives an error message, which could be worded as follows:

“Your connection is not private” (Google Chrome)

You or the users can simply confirm the insecure connection.

In order to avoid these certificate errors and to ensure a secure connection, Cortado Server ensures the root certificate is downloaded by the users themselves with the First Steps Wizard in the User Self Service Portal.

User Self Service Portal: Downloading the root certificate in the First Steps Wizard (example for Apple iOS)

The same applies to using the web app in a browser: the root certificate can also be downloaded to the respective device from there. Downloading the root certificate to the end device is necessary especially when self-signed certificates are used. Officially issued root certificates are usually already present on the devices.

Encryption between the Cortado app (end device) and server

Root certificate

An SSL-encrypted connection is also established between the Cortado app on the end device and the Cortado server. This connection enables secure communication via https, including the user name and password queries. The root certificate is used for this as well. This mode is always enabled.

Example of the use of a server certificate

Client certificates (optional)

Additionally, to further increase security, client certificates can also be used (see section Establishing client certificates (optional)). When client certificates are used, the identity of the end device is additionally verified by a certificate that is already known to the server.

Example of the setup for a client certificate

  • Identification of the server by the end device with the server certificate (including the user name/password query)
  • Additional authentication with a client certificate:
    • a global certificate for all devices of all users
    • one certificate per user (= for all devices of a user)
    • one certificate per device
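The checks described in the two sections above (the device verifying the server certificate against the root certificate and the server address, and the server verifying a client certificate it already knows) can be reproduced with the openssl command line. The following script is an added example and not part of the Cortado manual; the root CA name "Example Root CA", the server address cortado.example.com and the device identifiers are assumptions.

```shell
#!/bin/sh
# Added example (not from the Cortado manual): rebuild the trust setup described
# above with the openssl CLI. Names are hypothetical: root CA "Example Root CA",
# server address cortado.example.com, one client certificate per device.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# 1. Root certificate: the one users download in the First Steps Wizard.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
# 2. Server certificate issued by that root, bound to the server address (SAN).
printf 'subjectAltName=DNS:cortado.example.com\n' > server.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cortado.example.com" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -extfile server.ext -out server.pem 2>/dev/null
# 3. One client certificate per device, issued by the same root; the server
#    recognises the device because it already trusts that root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device-0001/OU=alice" \
  -keyout device.key -out device.csr 2>/dev/null
openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -out device.pem 2>/dev/null
# A self-signed certificate from a device nobody enrolled (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=device-9999" \
  -keyout rogue.key -out rogue.pem 2>/dev/null

# verify_server ROOT HOSTNAME: what the browser does with the server certificate.
# ROOT is the root certificate file on the device, or "" if it has none. Prints ok/error.
verify_server() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$2" server.pem >/dev/null 2>&1 \
      && echo ok || echo error
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$2" server.pem \
      >/dev/null 2>&1 && echo ok || echo error
  fi
}

# verify_client CERT: what the server does with a presented client certificate.
verify_client() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 && echo ok || echo error
}

echo "root present, address matches:   $(verify_server ca.pem cortado.example.com)"
echo "root missing on device:          $(verify_server '' cortado.example.com)"
echo "address does not match cert:     $(verify_server ca.pem other.example.com)"
echo "enrolled device certificate:     $(verify_client device.pem)"
echo "unknown self-signed certificate: $(verify_client rogue.pem)"
```

The second and third lines of output are the two situations that produce the "Your connection is not private" message; the last line shows why a device without an issued client certificate cannot pass the optional client-certificate check.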

If you would already like to test the client certificates in the DMZ, proceed as described in the section Install proxy server.