Explaining Certificate Authentication – 101 style
René Winkelmeyer    

Few people know that one of the technologies I have worked with most over the last years is everything around certificates. I’m not talking only about SSL for websites, but about using certificate-based technology in general.

The reason I started with certificates was the incorporation of this piece of technology into different areas of our company’s products. Over time that extended into other areas. Projects I’ve worked in and with have involved, for example:

  • automatic certificate creation and validation (including the handling of the corresponding directories like Domino Directory or Active Directory)
  • certificate authentication on systems and protocols like ActiveSync, VPN, Wifi
  • incorporating certificate-based client authentication into mobile apps
  • definition and setup of highly available systems for certificate issuance and management
  • etc.

One thing I see often is that the concept of certificates isn’t clear to everybody. Most people know why they want to use certificates, but not how they work. I experienced that again in a recent project where we deployed certificates for two-factor authentication of SAP using an F5 BIG-IP.

That’s why I’ve decided to write this blog post. I don’t want to describe the different OIDs or what TLS is. The purpose of this post is to describe how certificate authentication works in general.


It’s all about trust

Certificate authentication can happen on two sides: verification of a server/host, or verification of a client.

At its core it’s dead simple:

  • if you want to verify a server, the server needs a certificate issued for its hostname by a certificate authority which the client trusts
  • if you want to verify a client, the client needs a certificate issued by a certificate authority which the server trusts.

That sounds easy, doesn’t it? The basics are always the same: a trusted authority issues a certificate, and that certificate gets verified.

I think it’s important to have examples. That helps to create a coherent and visual view of things, and real-world scenarios help a lot when explaining technology. So let’s do it.


Receiving a parcel – or how to authenticate a server

The door bell rings. You open the door. A guy from the parcel delivery service is standing in front of your home’s door. He asks for your ID card, which you show him. After he has validated the photo on your government-issued ID card and the address, he gives you the parcel.

What does that mean technically? Someone wants to connect to a server URI (you). He connects based on DNS (your address). The delivery guy checks that you are who you say you are (validating the certificate’s hostname against the requested URI). And if your ID is issued by the government (a trusted certification authority), he’ll hand off the parcel.

There may be some exceptions:

  • Your spouse opens the door. The delivery guy accepts him/her receiving the parcel instead of you. That’s an exception the delivery guy (the client) may make based on his own rules (it may lead to a man-in-the-middle attack and should be avoided if the parcel contains the anniversary gift for your spouse).
  • If you or your spouse use a self-created ID (aka a self-signed server certificate) or the ID of your gym (an unknown certification authority), the delivery guy won’t hand out the parcel, as he can’t validate it against an authority (a certification authority).


Entering a bar – or how to authenticate a client

You want to enter a licensed bar in Boston, MA. The guy at the front door asks to validate your identity. You show him your European ID card. He rejects it, as he only accepts European passports. So you get your passport and present it to the doorman. After he has validated your identity, you’re allowed to enter the bar.

In technology terms: a client connects to a trusted server (a bar with a government-issued license). The server requests to validate the identity of the client (you). The client presents a client certificate (the European ID card) which isn’t trusted by the server (it only accepts specific issuers). The client manually selects another client certificate (the European passport) which is trusted. After the server has validated the client certificate, the request may proceed (you enter the bar).

Again, more things may come into play:

  • You would have selected the passport directly if the bar had displayed a list of accepted IDs at the front door. That’s known as certificate advertising (the server tells the client which issuers it accepts, so the client can choose the correct certificate directly).
  • You can add many more details, like verifying the expiry date of the ID/passport (the certificate), that the ID/passport hasn’t been revoked by the government (that it isn’t listed in a CRL), that certain details of the ID/passport are valid (verifying certificate OIDs against LDAP), and so forth.
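As an added illustration of both scenarios above (not code from the original post), here is a small Python model of the checks: the client verifying a server as in the parcel scenario (trusted issuer, not self-signed, hostname matches the requested URI) and the server verifying a client as in the bar scenario, including certificate advertising, expiry and CRL checks. The `Cert` and `TrustStore` types, the CA names and the hostnames are constructed for the example; it models the decision logic only and does not parse real X.509.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Toy model of the fields the post reasons about; real verifiers parse X.509 (SANs, wildcards, chains, OCSP).
@dataclass(frozen=True)
class Cert:
    subject: str        # hostname for a server cert, holder name for a client cert
    issuer: str         # issuing CA; equal to subject means self-signed
    serial: int
    not_after: datetime

@dataclass
class TrustStore:
    trusted_cas: set                        # the "governments" this party trusts
    crl: set = field(default_factory=set)   # revoked (issuer, serial) pairs

def verify(cert, store, now, expected_host=None):
    """Return (ok, reason). Pass expected_host when checking a server."""
    if cert.issuer == cert.subject:
        return False, "self-signed"                 # self-created ID
    if cert.issuer not in store.trusted_cas:
        return False, "unknown CA"                  # gym membership card
    if now > cert.not_after:
        return False, "expired"
    if (cert.issuer, cert.serial) in store.crl:
        return False, "revoked"
    if expected_host and cert.subject.lower() != expected_host.lower():
        return False, "hostname mismatch"           # the spouse answering the door
    return True, "ok"

def select_client_cert(candidates, advertised_issuers):
    """Certificate advertising: pick the first cert whose issuer the server accepts."""
    for cert in candidates:
        if cert.issuer in advertised_issuers:
            return cert
    return None

# Constructed sample data (not real certificates).
NOW = datetime(2014, 7, 14)
LATER = datetime(2015, 1, 1)
CLIENT_STORE = TrustStore({"Government CA"})                          # browser trusts the government
SERVER_STORE = TrustStore({"Passport CA"}, crl={("Passport CA", 7)})  # bar accepts passports only
SERVER_CERT = Cert("shop.example", "Government CA", 1, LATER)
ID_CARD = Cert("alice", "ID Card CA", 5, LATER)
PASSPORT = Cert("alice", "Passport CA", 6, LATER)

if __name__ == "__main__":
    print(verify(SERVER_CERT, CLIENT_STORE, NOW, "shop.example"))
    print(select_client_cert([ID_CARD, PASSPORT], SERVER_STORE.trusted_cas))
```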


Conclusion

Certificate authentication in general is like everyday tasks. That’s it. More layers of complexity may (and will) be added in real life, but the basics remain the same.



https://blog.winkelmeyer.com/2014/07/explaining-certificate-authentication-101-style/
Jul 14, 2014