Explaining Certificate Authentication – 101 style
René Winkelmeyer    

Few people know that one of the pet technologies I’ve worked with in the last years is everything around certificates. I’m not talking only about SSL for websites, but about using certificate-based technology in general.

The reason I started with certificates was the incorporation of this piece of technology into different areas of our company’s products. Over time that has extended into other areas. Projects I’ve worked in and with involved, for example:

  • automatic certificate creation and validation (including the handling of the corresponding directories like Domino Directory or Active Directory)
  • certificate authentication on systems and protocols like ActiveSync, VPN and Wi-Fi
  • incorporating certificate-based client authentication into mobile apps
  • definition and setup of highly available systems for certificate issuance and management
  • etc.

One thing that I’m seeing often is that the concept of certificates isn’t clear to everybody. Most people know why they want to use certificates – but not how they work. I just experienced that again in a recent project where we deployed certificates for two-factor authentication of SAP using an F5 BIG-IP.

That’s why I’ve decided to write this blog post. I don’t want to describe the different OIDs or what TLS is. The purpose of this post is to describe how certificate authentication works in general.


It’s all about trust

Certificate authentication can happen on two sides: verification of a server/host or verification of a client.

At its core it’s dead simple:

  • if you want to verify a server, the server needs a certificate issued for its hostname by a certificate authority that the client trusts
  • if you want to verify a client, the client needs a certificate issued by a certificate authority that the server trusts.

That sounds easy, doesn’t it? The basics are always the same: a trusted authority issues a certificate, and the other side verifies that certificate against the authorities it trusts.

I think it’s important to have examples. That helps to create a coherent and visual view on things. Using real-world scenarios helps a lot to explain technology. So let’s do it.


Receiving a parcel – or how to authenticate a server

The doorbell rings. You open the door. A guy from the parcel delivery service is standing in front of your door. He asks for your ID card, which you show him. After he has checked the photo on your government-issued ID card and the address, he hands you the parcel.

What does that mean technically? Someone wants to connect to a server URI (you). He connects based on DNS (your address). The delivery guy checks that you are who you say you are (the hostname in the certificate is validated against the requested URI). And if your ID was issued by the government (a trusted certification authority) he hands over the parcel.

There may be some exceptions:

  • Your spouse opens the door. The delivery guy accepts him/her receiving the parcel instead of you. That’s an exception the delivery guy (the client) may make based on his own rules, i.e. accepting a certificate whose name doesn’t match the requested hostname. It opens the door to a man-in-the-middle attack and should be avoided, especially if the parcel contains the anniversary gift for your spouse.
  • If you or your spouse uses a self-made ID (aka a self-signed server certificate) or the membership card of your gym (an unknown certification authority), the delivery guy won’t hand over the parcel, as he can’t validate it against an authority he trusts (a certification authority in the client’s trust store).


Entering a bar – or how to authenticate a client

You want to enter a licensed bar in Boston, MA. The guy at the front door wants to verify your identity. You show him your European ID card. He rejects it, as he only accepts European passports. So you get your passport and present it to the doorman. After he has validated your identity you’re allowed to enter the bar.

In technical terms: A client connects to a trusted server (the bar with a government-issued license). The server requests the identity of the client (you). The client presents a client certificate (the European ID card) whose issuer isn’t trusted by the server (it only accepts specific issuers). The client manually selects another client certificate (the European passport) whose issuer is trusted. After the server has validated the client certificate the request may proceed (you enter the bar).

Again, more things may come into play:

  • You would have selected the passport directly if the bar displayed a list of accepted IDs at the front door. That’s known as certificate advertising: the server tells the client which issuers it accepts so that the client can choose the correct certificate right away. In TLS that’s the list of certificate authorities the server sends along with its CertificateRequest message.
  • You can add a bunch more details, like verifying the expiry date of the ID/passport (the certificate’s validity period), checking that the ID/passport hasn’t been revoked by the government (the certificate isn’t listed on the issuer’s CRL), checking that certain details of the ID/passport are valid (looking up certificate fields, identified by their OIDs, against LDAP) and so forth.
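
Both scenarios, the parcel (server authentication) and the bar (client authentication), worked through in code. This is an added example and not part of the original post: it uses the Python `cryptography` package, which you install yourself, and every CA name, subject and hostname in it is made up for illustration. It goes a little beyond the text in two places a real verifier cares about: it checks the certificate’s signature (a certificate that merely names a trusted issuer is not enough) and it checks that the CRL itself was issued by that same issuer.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, issuer=None, dns=()):
    """Issue a one-year cert for `cn`; `issuer` is a (cert, key) pair, None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_cert, signing_key = issuer if issuer else (None, key)
    builder = (x509.CertificateBuilder().subject_name(_name(cn))
               .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=365)))
    if dns:  # the hostname(s) a server certificate is issued for (subjectAltName)
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(d) for d in dns]), critical=False)
    return builder.sign(signing_key, hashes.SHA256()), key

def _validity(cert):  # aware UTC validity window on both old and new cryptography releases
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return tuple(t.replace(tzinfo=timezone.utc) for t in (cert.not_valid_before, cert.not_valid_after))

def verify_client(cert, trusted_cas, crl=None, at=None):
    """Server side (the doorman): trusted issuer, still valid, not revoked. None = accepted, else why not."""
    at = at or NOW
    ca = next((c for c in trusted_cas if c.subject == cert.issuer), None)
    if ca is None:
        return "unknown issuer"  # self-signed, or signed by a CA we do not trust (the gym card)
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"  # carries the trusted issuer's name but was not signed by it
    not_before, not_after = _validity(cert)
    if not not_before <= at <= not_after:
        return "expired or not yet valid"
    if crl is not None:
        if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
            return "untrusted CRL"  # a revocation list has to come from the issuer itself
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return None

def verify_server(cert, trusted_cas, requested_host, crl=None):
    """Client side (the delivery guy): the same issuer checks, plus the name on the ID must match the address."""
    reason = verify_client(cert, trusted_cas, crl)
    if reason:
        return reason
    try:
        names = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []  # no subjectAltName, so nothing can match the requested host
    return None if requested_host in names else "hostname mismatch"  # somebody else opened the door

def acceptable_issuers(trusted_cas):
    """Server side: the issuer names advertised in the TLS CertificateRequest (the sign at the door)."""
    return [ca.subject for ca in trusted_cas]

def choose_client_cert(wallet, advertised):
    """Client side: pick the first certificate whose issuer is on the advertised list."""
    return next((c for c in wallet if c.issuer in advertised), None)

def revoke(ca_cert, ca_key, cert):
    """Publish a CRL from the CA that lists `cert` as revoked."""
    entry = x509.RevokedCertificateBuilder().serial_number(cert.serial_number).revocation_date(NOW).build()
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
            .last_update(NOW).next_update(NOW + timedelta(days=1))
            .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))

def demo():
    """The scenarios from the post (made-up names); None means accepted, a string says why it was rejected."""
    gov, passports, id_cards = (issue(n) for n in
                                ("Government CA", "Passport Office CA", "ID Card Office CA"))
    server, _ = issue("www.example.com", gov, dns=["www.example.com"])
    self_signed, _ = issue("www.example.com", dns=["www.example.com"])
    passport, _ = issue("Alice", passports)
    id_card, _ = issue("Alice", id_cards)
    forged, _ = issue("Mallory", (passports[0], id_cards[1]))  # names the passport CA, signed by another key
    bar_trusts = [passports[0]]  # the bar accepts passports only
    return {
        "server_ok": verify_server(server, [gov[0]], "www.example.com"),
        "server_wrong_name": verify_server(server, [gov[0]], "mail.example.com"),
        "server_self_signed": verify_server(self_signed, [gov[0]], "www.example.com"),
        "client_first_try": verify_client(id_card, bar_trusts),
        "client_after_advertising": verify_client(
            choose_client_cert([id_card, passport], acceptable_issuers(bar_trusts)), bar_trusts),
        "client_forged": verify_client(forged, bar_trusts),
        "client_revoked": verify_client(passport, bar_trusts, revoke(*passports, passport)),
        "client_expired": verify_client(passport, bar_trusts, at=NOW + timedelta(days=400)),
    }
```

Call `demo()` to see every scenario’s verdict. The point of the `forged` case is the one the analogies can’t show: a certificate can print any issuer name it likes, so matching the issuer against the trust store is only half of the check; the signature over the certificate body is what proves the trusted CA actually issued it.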



Certificate authentication in general works like these everyday tasks. That’s it. More layers of complexity may (and will) be added in real life – but the basics remain the same.

Jul 14, 2014
