Explaining Certificate Authentication – 101 style
René Winkelmeyer    

Few people know that one of the pet technologies I’ve worked with over the last few years is everything around certificates. I’m not talking only about SSL for websites, but about using certificate-based technology in general.

The reason I started with certificates was the incorporation of this technology into different areas of our company’s products. Over time that has extended into other areas. Projects I’ve worked on have involved, for example:

  • automatic certificate creation and validation (including handling of the corresponding directories such as the Domino Directory or Active Directory)
  • certificate authentication for systems and protocols such as ActiveSync, VPN and Wi-Fi
  • certificate-based client authentication built into mobile apps
  • design and setup of highly available systems for certificate issuance and management
  • etc.

One thing I see often is that the concept of certificates isn’t clear to everybody. Most people know why they want to use certificates – but not how they work. I experienced that again in a recent project where we deployed certificates for two-factor authentication to SAP using an F5 BIG-IP.

That’s why I decided to write this blog post. I don’t want to describe the different OIDs or what TLS is. The purpose of this post is to describe how certificate authentication works in general.

 

It’s all about trust

Certificate authentication can happen on either side of a connection: verification of a server/host or verification of a client.

At its core it’s dead simple:

  • if you want to verify a server, the server needs a certificate issued for its hostname by a certificate authority which the client trusts
  • if you want to verify a client, the client needs a certificate issued by a certificate authority which the server trusts.

That sounds easy, doesn’t it? The basics are always the same: a trusted authority issues a certificate, and the other side verifies it.

I think it’s important to have examples. They help to create a coherent, visual picture of things, and real-world scenarios go a long way in explaining technology. So let’s do it.

 

Receiving a parcel – or how to authenticate a server

The doorbell rings. You open the door. A guy from the parcel delivery service is standing in front of your home’s door. He asks you for your ID card, which you show him. After he has validated the photo on your government-issued ID card and your address, he gives you the parcel.

What does that mean technically? Someone wants to connect to a server URI (you). He connects based on DNS (your address). The delivery guy checks whether you are who you say you are (validating the certificate’s hostname against the requested URI). And if your ID was issued by the government (a trusted certification authority), he hands over the parcel.

There may be some exceptions:

  • Your spouse opens the door. The delivery guy accepts him/her receiving the parcel instead of you. That’s an exception the delivery guy (the client) may make based on his own rules (it can lead to a man-in-the-middle attack and should be avoided, especially if the parcel contains the anniversary gift for your spouse).
  • If you or your spouse uses a self-created ID (aka a self-signed server certificate) or the ID card of your gym (an unknown certification authority), the delivery guy won’t hand out the parcel, as he can’t validate it against an authority he trusts (a certification authority).

 

Entering a bar – or how to authenticate a client

You want to enter a licensed bar in Boston, MA. The guy at the front door wants to validate your identity. You show him your European ID card. He declines it, as he only accepts European passports. So you get your passport and present it to the doorman. After he has validated your identity, you’re allowed to enter the bar.

In technology terms: A client connects to a trusted server (a bar with a government-issued license). The server requests to validate the identity of the client (you). The client presents a client certificate (the European ID card) which isn’t trusted by the server (it only accepts specific issuers). The client manually selects another client certificate (the European passport) which is trusted. After the server has validated the client certificate, the request may proceed (you enter the bar).

Again, more things may come into play:

  • You would have selected the passport right away if the bar displayed a list of accepted IDs at the front door. That’s known as certificate advertising (the server tells the client which issuers it accepts, so that the client can choose the correct certificate directly).
  • You can add a bunch more details, like verifying the expiry date of the ID/passport (the certificate), whether the ID/passport has been revoked by the government (the certificate is on a CRL), whether certain details of the ID/passport are valid (verifying certificate OIDs against LDAP) and so forth.
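Both stories boiled down to code, as an added example that is not from the original post: a throw-away PKI built with Go’s standard crypto/x509 package, in which a “government” CA issues a server certificate and several client certificates, and one verify function plays both the delivery guy and the doorman. Every name in it (Demo Government CA, Demo Gym CA, www.example.test, alice) is constructed for the example. It walks through the failure modes from both scenario lists: a hostname that doesn’t match what the client asked for, a self-signed (“self-created”) server certificate, a client certificate from an issuer the server doesn’t accept (the gym ID), an expired certificate, and one that the issuer has put on its CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var errRevoked = errors.New("certificate is listed on the issuer's CRL")

// check aborts PKI setup on an error that is not a verification result.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue returns a certificate for cn and its key, signed by parent or self-signed when no
// parent is given (the post's "self-created ID"). Every name passed to it below is a constructed demo value.
func mustIssue(cn string, dns []string, eku []x509.ExtKeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only an authority may sign certificates and revocation lists
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verify is what both stories share: the certificate must chain to an issuer the verifier trusts,
// be inside its validity period, be meant for this use (server or client) and not be on the
// issuer's CRL. A non-empty host adds the parcel check: is this the name I actually asked for?
func verify(cert *x509.Certificate, trusted *x509.CertPool, host string, eku []x509.ExtKeyUsage, crl *x509.RevocationList, now time.Time) error {
	opts := x509.VerifyOptions{Roots: trusted, DNSName: host, KeyUsages: eku, CurrentTime: now}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errRevoked
		}
	}
	return nil
}

// RunScenarios builds a throw-away PKI and plays through both stories; a nil entry means "accepted".
func RunScenarios() map[string]error {
	now := time.Now()
	year := now.Add(365 * 24 * time.Hour)
	srv, cli := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	gov, govKey := mustIssue("Demo Government CA", nil, nil, true, nil, nil, year) // trusted by everyone
	gym, gymKey := mustIssue("Demo Gym CA", nil, nil, true, nil, nil, year)        // trusted by nobody
	home, _ := mustIssue("www.example.test", []string{"www.example.test"}, srv, false, gov, govKey, year)
	homemade, _ := mustIssue("www.example.test", []string{"www.example.test"}, srv, false, nil, nil, year)
	passport, _ := mustIssue("alice", nil, cli, false, gov, govKey, year)
	gymID, _ := mustIssue("alice", nil, cli, false, gym, gymKey, year)
	expired, _ := mustIssue("alice", nil, cli, false, gov, govKey, now.Add(-30*time.Minute))
	revoked, _ := mustIssue("alice", nil, cli, false, gov, govKey, year)
	// The government publishes a CRL naming the revoked passport; a verifier checks the CRL's own signature first.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, gov, govKey)
	check(err)
	crl, err := x509.ParseRevocationList(crlDER)
	check(err)
	check(crl.CheckSignatureFrom(gov))
	trusted := x509.NewCertPool() // the delivery guy and the doorman both trust only the government
	trusted.AddCert(gov)
	return map[string]error{
		"server-ok":          verify(home, trusted, "www.example.test", srv, crl, now),
		"server-wrong-host":  verify(home, trusted, "mail.example.test", srv, crl, now),
		"server-self-signed": verify(homemade, trusted, "www.example.test", srv, crl, now),
		"client-ok":          verify(passport, trusted, "", cli, crl, now),
		"client-gym-id":      verify(gymID, trusted, "", cli, crl, now),
		"client-expired":     verify(expired, trusted, "", cli, crl, now),
		"client-revoked":     verify(revoked, trusted, "", cli, crl, now),
	}
}
```

RunScenarios returns one entry per scenario; printing the map shows Go’s own error text, and the self-signed ID and the gym ID fail with the same class of error (unknown authority), which is exactly the point of the stories: the verifier doesn’t care who you say you are, only who vouches for you. Two things the code deliberately leaves out: certificate advertising is a TLS handshake feature (the server’s list of acceptable issuers), so it sits one layer above these X.509 checks, and a real verifier would fetch the CRL from the distribution point named in the certificate rather than receive it in-process.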

 

Conclusion

Certificate authentication in general is like these everyday tasks. That’s it. More layers of complexity may (and will) be added in real life – but the basics remain the same.



---------------------
https://blog.winkelmeyer.com/2014/07/explaining-certificate-authentication-101-style/
Jul 14, 2014