Encryption between end device (browser) and server
The next illustration shows how the browser on an end device requests an https page (for example, to reach the User Self Service Portal in Cortado Server) and how the Cortado server responds by sending its certificate to initiate an SSL-encrypted connection.
The mobile device now has to check the certificate received from the server for trustworthiness. To do so, it needs the corresponding root certificate. If that root certificate is not present on the device (or if the server address entered does not match the name written in the certificate), the user receives an error message. This could be worded as follows:
“Your connection is not private” (Google Chrome)
You or the users can simply confirm the insecure connection.
In order to avoid these certificate errors and to ensure a secure connection, Cortado Server lets the users download the root certificate themselves with the First Steps Wizard in the User Self Service Portal.
The same applies to the use of the web app in a browser: the root certificate can also be downloaded from there to the respective device. Downloading the root certificate to the end device is necessary especially when self-signed certificates are used. Officially issued root certificates are usually already present on the devices.
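The two checks described above (is the root certificate present on the device, and does the requested server name match the certificate) can be reproduced locally with OpenSSL. The following script is an added example, not Cortado tooling; it creates a private root CA and a server certificate for the assumed hostname cortado.example, plus an unrelated root standing in for a device that does not have the right root installed.

```shell
#!/bin/sh
# Added example, not Cortado tooling: build a private root CA and a server certificate
# for the assumed hostname cortado.example, then reproduce the two checks a browser
# performs before trusting the server: chain trust against a root certificate in the
# device's trust store, and a match of the requested hostname against the certificate.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root certificate (self-signed CA) that the device must know in order to trust the server.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.crt \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
# A different root, standing in for a device that has other roots but not this one.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout other.key -out other.crt \
  -subj "/CN=Unrelated Root CA" >/dev/null 2>&1

# Server key and request; the SAN is what the hostname check is compared against.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=cortado.example" >/dev/null 2>&1
printf 'subjectAltName=DNS:cortado.example\n' > san.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.cnf -out server.crt >/dev/null 2>&1

# check_trust TRUST_STORE_PEM HOSTNAME
# Returns 0 only when server.crt chains to a root in the given trust store AND the
# hostname matches the certificate; returns 1 otherwise (the browser's "not private" case).
check_trust() {
  store="$1"; host="$2"
  # Chain check limited to the given store, ignoring the system CA directory.
  openssl verify -no-CApath -CAfile "$store" server.crt >/dev/null 2>&1 || return 1
  # Hostname check against the names in the certificate (SAN, falling back to CN).
  openssl x509 -in server.crt -noout -checkhost "$host" | grep -q ' does match ' || return 1
  return 0
}

# Stand-alone demonstration of the three outcomes.
check_trust ca.crt    cortado.example && echo "trusted root + matching host: OK"
check_trust other.crt cortado.example || echo "root not on device: certificate error"
check_trust ca.crt    other.example   || echo "hostname mismatch: certificate error"
```

Only the first call succeeds; the other two are exactly the situations in which the user sees the browser's certificate warning.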
Encryption between the Cortado app (end device) and server
An SSL-encrypted connection is also established between the Cortado app on the end device and the Cortado server. This connection enables secure communication via https including user name and password queries. For this, the root certificate is also used. This mode is always enabled.
Client certificates (optional)
Additionally, to further increase security, client certificates can also be used (see section Establishing client certificates (optional)). When client certificates are used, the identity of the end device is additionally ensured by a certificate that is already known to the server.
- Identification of the server by the end device using the server certificate (including the user name/password query)
- Additional authentication with a client certificate:
  - a global certificate for all devices of all users
  - one certificate per user (= for all devices of a user)
  - one certificate per device
If you already want to test client certificates in the DMZ, proceed as described in the section Install proxy server.