6 Appendix C

Certificates

Security with Secure Sockets Layer (SSL) or Transport Layer Security (TLS) are based on trust. A computer is allowed to establish a secure connection to a service because the service presents a digital file (certificate) that is digitally "fingerprinted" by a Certificate Authority (CA).

The CA has the responsibility of verifying that applicants for a certificate are who they say they are. A CA uses a private key to sign every certificate they issue (the aforementioned fingerprint), so that every certificate they issue can be traced back to them. This works by using the CA's public key to validate that a certificate is indeed valid. Services are deployed, by default, with demo certificates.

Most browsers have a trust store that is configured with the necessary fingerprints for CAs that you would need.

Note:

The demo certificate that ships with Documaker is not a trusted CA; it is self-generated. As such, the hostname of the certificate will not match the hostname on the connection
In order for a browser to connect successfully to websites with SSL, (e.g. using HTTPS scheme in URL), one (or more) of the solutions can be used:
  1. All users' browsers must have the trust store configured with the public key of the root certificate used to generate self-signed certificates, and all services secured by SSL must use certificates generated signed this root certificate.

    This is usually an acceptable solution when the number of users is small, or the company has desktop configuration via push enabled, or when the company generates their own internal self-signed certificates to use for non-public facing services.

  2. All users' trust stores can be modified to trust the demo certificate.

    This is usually an acceptable solution in short-lived non-production environments.

    It is not recommended to add the demo certificate to user trust stores, as a malicious user could compromise the secure connection by presenting a certificate signed with the same demo root key.

  3. Services are configured with certificates issued by CAs that are in the shipping trust store of common browsers. This is usually the solution where services will be public facing. This can be expensive and cumbersome as certificates are issued to specific host names. However, it is almost universally sufficient.

Information on Secure Socket Layer is also available in the Documaker Enterprise Security Guide