|Latest 7 Posts
| We looked for a Community Manager – and we got the best…|
Fri, Aug 18th 2017 118
| We are hiring – Developer Evangelist in EMEA @ Salesforce|
Mon, Jul 17th 2017 5
| A great example for a community-focused site (and it’s promotion)|
Mon, Jun 26th 2017 3
| We are hiring – Community Program Manager or Admin Evangelist @ Salesforce|
Thu, Jun 22nd 2017 2
| Why and how to support your speakers before their talks|
Wed, Jun 21st 2017 2
| Test driving Slack’s “Highlights” feature – I LOVE IT|
Mon, Jun 19th 2017 3
| Take app deployment to the next level with Heroku ChatOps and Slack|
Mon, Jun 19th 2017 4
| We looked for a Community Manager – and we got the best…|
Fri, Aug 18th 2017 118
| IBM Notes 9.0.2 for Mac OS X is there (yeah, you read it correctly, 9.0.2)|
Tue, Sep 29th 2015 9
| Reached the ranks of a Trailhead Ranger|
Thu, Dec 29th 2016 9
| Doing Salesforce is a logical next step for any Domino developer|
Mon, May 29th 2017 8
| Call for Papers – Dreamforce 2017 – RUSH!!!|
Fri, Jun 2nd 2017 8
| How to start learning Salesforce Development – Join the Community|
Mon, Aug 15th 2016 7
| Using remote TLS/SSL systems with untrusted Certification Authorities in IBM Domino 9+|
Tue, Jun 2nd 2015 6
| Need to change Eclipse JRE for OS X 10.10 Yosemite|
Fri, Jun 20th 2014 5
| Explaining Certificate Authentication – 101 style|
Mon, Jul 14th 2014 5
| Fixes for IBM Notes and Domino regarding POODLE and SHA-2 available|
Tue, Nov 4th 2014 5
||Explaining Certificate Authentication – 101 style
Less people know that one of my pet technologies I’ve worked with in the last years was everything around certificates. I’m not talking about SSL for websites only, more about using certificate-based technology in general.
The reasons why I started with certificates was the incorporation of this piece of technology within different areas of our companies products. That has extended by time into other areas. Projects I’ve worked in and with involved for example:
- automatic certificate creation and validation (including the handling of the corresponding directories like Domino Directory or Active Directory)
- certificate authentication on systems and protocols like ActiveSync, VPN, Wifi
- incorporated certificate based client authentication into mobile apps
- definition and setup of high-available systems for certificate issuance and managing
One thing that I’m seeing often is that the concept of certificates isn’t clear to everybody. Most people know why they want to use certificates – but the way they work isn’t known. I just experienced that again in a recent project where we deployed certificates for two-factor authentication of SAP using a F5 BIG-IP.
That’s why I’ve decided to create this blog post. I don’t want to describe the different OIDs or what TLS is. The purpose of this post is to describe how certificate authentication in general works.
It’s all about trust
Certificate authentication can happen on two sides: verification of a server/host or verification of a client.
At least it’s dead simple:
- if you want to verify a server the server needs to have a certificate named on his hostname and issued by a certificate authority which the client trusts
- if you want to verify a client the client needs to have a certificate issued by a certificate authority which the server trusts.
That sounds easy, doesn’t it? The basics are always the same: a trusted authority issues a certificate. And this gets verified.
I think it’s important to have examples. That helps to create a coherent and visual view on things. Using real-world scenarios helps a lot to explain technology. So let’s do it.
Receiving a parcel – or how to authenticate a server
The door bell rings. You open the door. A guy from the parcel delivery service is in front of your home’s door. He asks you for your ID card which you’re going to show him. After he has validated your photo on your government issued ID card and the address he’s giving you the parcel.
What does that mean technically? Someone wants to connect to a server URI (you). He’s connecting based on DNS (your address). The delivery guy is checking if you’re the one who you’re saying you are (validating hostname with requested URI). And if your ID is issued by the government (a trusted certification authority) he’ll handoff the parcel.
There maybe some exceptions:
- Your spouse opens the door. The delivery guy accepts him/her to receive the parcel instead of you. That’s an exception the delivery guy (the client) may do based on his known rules (it may lead to a Man-In-The-Middle-Attack and should be avoided if the parcel contains the anniversary gift for your spouse).
- If you or your spouse uses a self-created ID (aka self-signed server certificate) or the ID of your gym (unknown certification authority) the delivery guy won’t hand out the parcel as he can’t validate it against an authority (a certification authority).
Entering a bar – or how to authenticate a client
You want to enter a licensed bar in Boston, MA. The guy at the front door requests to validate your identity. You’re showing him your European ID card. He denies it as he only accepts European passports. So you get your passport and present it to the frontman. After he has validated your identity you’re allowed to enter the bar.
The description in technology would be: A client connects to a trusted server (bar with a government issued license). The server requests to validate the identity of the client (you). The client presents a client certificate (European ID card) which isn’t trusted by the server (only accepts specific issuers). The client selects manually another client certificate (European passport) which is trusted. After the server has validated the client certificate the request may proceed (enter the bar).
Again, more things may come into the game:
- You would have selected the passport directly if the bar would display a list of accepted IDs at the front door. That’s known as certificate advertising (a server tells the client which issuers he accepts so that the client may choose the correct certificate directly).
- You can add a bunch of more details like verifying the expiry date of the ID/passport (the certificate), if the ID/passport hasn’t been revoked by the government (is in a CRL), if certain details of the ID/passport are valid (verifying certificate OIDs against LDAP) and so forth.
Certificate authentication in general is like everyday tasks. That’s it. More layers of complexity may (and will) be added in real life – but the basics remain the same.
Jul 14, 2014
| Recent Blog Posts
We looked for a Community Manager – and we got the best…|
Fri, Aug 18th 2017 7:59a Rene Winkelmeyer
A couple of weeks ago I posted about a job opening in my team for a Community Manager role. And we got the best…
I think it comes to no surprise that I had one of my best friends for that role already in mind. And she obviously convinced those in power and crushed the competition.
You thought you could get rid of me by leaving my community? HA! #unflushable #reunited Looking forward to joining the #SalesforceOhana
— Amanda Bauman (@amandabauman) August 15, 2017
As much as
We are hiring – Developer Evangelist in EMEA @ Salesforce|
Mon, Jul 17th 2017 6:09p Rene Winkelmeyer
What should I say – the headline says it all.
Is there a caveat? Yes – you’ve to work with me. 😉
Find the full job description and application form here.
Questions? DM me on Twitter (or other channels for those who know them 😉 ).
A great example for a community-focused site (and it’s promotion)|
Mon, Jun 26th 2017 8:20a Rene Winkelmeyer
I found this video yesterday by accident… and I personally really think that’s a) how a community site should be and b) how a corporate should promote it.
I’ll see if I can talk to some of the MVPs this week during TrailheaDX about some of things that they independently from the vendor do, like the office hours or the mentorship program. Very cool stuff!
By the way – we’re currently hiring a for this great community a Community Program Manager (San Francisco or Austin)&
We are hiring – Community Program Manager or Admin Evangelist @ Salesforce|
Thu, Jun 22nd 2017 11:10a Rene Winkelmeyer
Are you passionate about community and driving community engagement at scale? Then join my colleagues in the Community Team! They are looking for a fantastic Community Program Manager to help drive program member growth and engagement in our vibrant customer community with all our users, developers, administrators, and MVPs.
Read more about it in the job opening for the “Community Program Manager”.
Or are you passionate about driving the success of Salesforce Administrators? My c
Why and how to support your speakers before their talks|
Wed, Jun 21st 2017 8:35a Rene Winkelmeyer
To quote (a bit out of context maybe) Kyle Simpson – “A speaker is the value of the conference”. And that’s so true from multiple angles.
There are two types of people in a talk.
The speaker. Who wants to share knowledge, who wants to excite attendees, who wants to deliver a great talk.
The attendees. That want to learn, that want to get engaged, that want to be sure that their precious time is well spend.
No event organiser can take the stage fright a minute
Test driving Slack’s “Highlights” feature – I LOVE IT|
Mon, Jun 19th 2017 11:54a Rene Winkelmeyer
Last week Slack introduced their new feature “Highlights“. I tested it over the weekend – and I LOVE IT. It wasn’t a very scientific test though, but a very good start for a feature that’s available as GA.
I am in five different Slack teams. Some are very active, others are less. In all of them “Highlights” is an active feature.
I “forced” myself not to log in into Slack for at least three days. In that time a
Take app deployment to the next level with Heroku ChatOps and Slack|
Mon, Jun 19th 2017 5:17a Rene Winkelmeyer
Heroku is known for it’s developer-friendly set up. Now they’re taking it a step further by simplifying the devops lifecycle with ChatOps for Slack. I tested it during a private beta which went a couple of days ago into public beta.
Slack is often used as an information “pool”, where apps post a status like a successful commit to GitHub or else. But not many allow to action on information. That’s where ChatOps comes in to the game. Using Heroku Pipelines you c
Join me and The Weather Company (and some B.E.A.R.s) at TrailheaDX|
Thu, Jun 8th 2017 10:00a Rene Winkelmeyer
Part of the strategic partnership between Salesforce and IBM is the usage of weather data for enhanced business processes. Over the last couple of months I had the great pleasure to work with the colleagues from The Weather Company (looking at you Aleesa, Michelle, Alexis, Maia 😉 ) on several items of that.
If you want to learn more about how to incorporate weather data, besides the published content (here and here) on the Salesforce Developer blog – now you can.
Must-go-to user group events in the next months|
Tue, Jun 6th 2017 7:50a Rene Winkelmeyer
Behind every user group are passionate individuals who want to give back to their community. They spend tons of their spare time and take financial risks to make those events happen. I met many of those organisers over the last decade and longer – and I am grateful for what they did and do. You can read about my thoughts how important YOU are in that in this blog post from around two years ago.
User group events give you an awesome opportunity to meet people that share the same intere
Call for Papers – Dreamforce 2017 – RUSH!!!|
Fri, Jun 2nd 2017 7:45a Rene Winkelmeyer
The Call for Papers for developers and administrators for Dreamforce 2017 is open NOW! Rush!
You want to see what to see what we offered last year for developers and administrators at the world-largest vendor event?
My (not-so-high-quality, sorry) periscope video of the Trailhead Zone from last year, an hour after we opened the gates. If you’ve ever been to Moscone West in San Francisco – that’s the ground floor of that location. Not sure if you recognise it. 😉