Cortado Server – Manual

Setting up root and server certificates

January 21, 2019 / December 19, 2019

Overview

You can find the options described below either in the Configuration Assistant that you used for the initial configuration of Cortado Server or in the Server Certificates tab of the Management Console under Control Panel→ Certificates.

Select Server Certificates under Control Panel→ Certificates

For how to configure the Apple Push certificate, see the section Configure Apple MDM.

The procedure for setting up a client certificate mode is described in the section Establishing client certificates (optional).

Both server and client certificates can be obtained from a public certification authority. This has the advantage that their root certificates are already recognized by all servers and end devices. Thus, there are no certificate errors as described in section Certificate-based authentication.

Regardless of whether the certificates have been purchased, or generated by one’s own certification authority, they can be set up for Cortado Server in two ways:

  • with the Configuration Assistant under Certificates→ Browse or
  • with the Cortado Management console under Control Panel→ Certificates→ Server Certificates.

Configuration Assistant, left: Import (Browse) or create root certificate, right: Import (Browse) or create server certificate

Cortado Management Console, above right: Create, import or export root certificate, centre right: Create, import or export server certificate

Note! The Cortado server can generate server certificates (SSL) for you, if you are using a root certificate that:

– was itself generated by the Cortado server,

– was purchased from an official certification authority

– was created by your own certificate authority.

If a purchased or your own root certificate is used, it must be first imported (including the private key) into the certificate store of the Cortado server.

Generate root certificate

Cortado Server generates a new root certificate automatically, if you:

  • select the option Generate new self signed root certificate in Configuration Assistant (see illus.) or
  • select the option Generate Root Certificate in the Cortado Management console (see illus.).

Note! All other certificates as well as all .tpm files are recreated automatically if you generate a new root certificate. Afterwards all users must run the First Steps Wizard again to download the new certificate and the new configuration (.tpm file) to the device.

Generate server certificate

Cortado Server automatically generates a new server certificate, when you:

  • select the option Generate new self signed server certificate in Configuration Assistant (see illus.) or
  • select the option Generate Server Certificate (SSL) in the Cortado Management console (see illus.).

Note! The server certificate created here (if necessary) contains the server address that you specified in the Configuration Assistant’s Cortado server address menu (see illus.). This address is also shown in the Management Console’s Global Settings (see illus.). Make sure that this address is reachable from the devices and that users use exactly this address for connections to the User Self Service Portal as well as to the web app. Otherwise, certificate errors can occur in the devices’ Internet browsers.

Connection settings in the Configuration Assistant

Connection settings in the Cortado Management Console

Note! When using Android devices from OS 9 onwards, please note that the server certificates used must have at least one Subject Alternative Name (SAN). This can also be the same as the Subject Name.
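
The two notes above (the certificate must contain exactly the address the users connect to, and Android from OS 9 requires a SAN) can be checked on a certificate file with OpenSSL. This is an added example, not part of the Cortado manual or product: the function names and the address cortado.example.test are hypothetical, the sample certificates are constructed, and it assumes OpenSSL 1.1.1 or later, a PEM-encoded certificate, and a DNS name or IPv4 address.

```shell
#!/bin/sh
# check_server_cert CERT_PEM SERVER_ADDRESS
# Returns 0 if the certificate has a SAN that covers SERVER_ADDRESS,
#         1 if it has no SAN extension at all (rejected by Android from OS 9),
#         2 if it has a SAN but the SAN does not cover SERVER_ADDRESS.
check_server_cert() {
    cert=$1 addr=$2
    # Test for the extension explicitly: openssl's -checkhost falls back to
    # the subject CN when no SAN exists, so a CN-only certificate would pass.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name'; then
        return 1
    fi
    case $addr in
        *[!0-9.]*) opt=-checkhost ;;  # anything but digits and dots: DNS name
        *)         opt=-checkip ;;    # IPv4 literal
    esac
    if openssl x509 -in "$cert" -noout "$opt" "$addr" | grep -q 'does match certificate'; then
        return 0
    fi
    return 2
}

# make_sample_cert OUT_PEM COMMON_NAME [SAN]
# Creates a throwaway self-signed certificate (constructed test input only).
make_sample_cert() {
    out=$1 cn=$2 san=${3:-}
    set -- req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" -keyout "$out.key" -out "$out"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName=$san"
    fi
    openssl "$@" 2>/dev/null
}

# Demonstration with the hypothetical server address cortado.example.test.
sample_dir=$(mktemp -d)
make_sample_cert "$sample_dir/with_san.pem" cortado.example.test "DNS:cortado.example.test"
make_sample_cert "$sample_dir/cn_only.pem" cortado.example.test
for name in with_san cn_only; do
    check_server_cert "$sample_dir/$name.pem" cortado.example.test && result=0 || result=$?
    echo "$name: check_server_cert returned $result"
done
rm -rf "$sample_dir"
```
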

Import root certificate

When importing a root certificate of your company’s certification authority (CA), note that only the following cryptographic providers are supported by Cortado Server. Please take this into account when configuring your company’s CA.

  • Microsoft Base Smart Card Crypto Provider
  • Microsoft Enhanced Cryptographic Provider v1.0
  • Microsoft Base Cryptographic Provider v1.0
  • Microsoft Strong Cryptographic Provider
  • Microsoft Base DSS Cryptographic Provider v1.0
Supported cryptographic providers

Export root certificate

In addition, the root certificate can be exported with or without the private key using the option Export Root Certificate.

export root certificate

Export certificate with private key

Export the root certificate with a private key in .pfx format.

Note! Only export the private key if you want to create a backup. Never distribute a certificate with a private key to the users.

  • Enable the checkbox Export private key (arrow in illus.).
  • Click on OK to confirm the warning message.
  • Protect the certificate with a password.
export root certificate with private key

  • Save the certificate in a secure location.
save root certificate with private key

Export certificate without private key

Export the root certificate without a private key in .cer format.

Click on OK to start downloading the certificate.

export root certificate without private key

  • Save the root certificate.
save root certificate without private key

Export server certificate

export server certificate

  • Select Export Server Certificate (SSL) to export the server certificate in .pfx format.
  • Protect your certificate with a password.
provide a password for the server certificate

You can now save the server certificate to a secure location.
