Secure Sockets Layer (SSL) is an encryption technology that creates a secure connection between a web server and a client's web browser. Information that is transmitted must be encrypted to prevent security issues such as eavesdropping or data tampering. An SSL web certificate is purchased from a Certificate Authority and installed on the web server to enable encryption.
The SSL web certificate authenticates the identity of a web site and encrypts information passed between the web server and the web client using Secure Sockets Layer (SSL) technology. The use of an SSL web certificate on a website is usually indicated by a padlock icon in web browsers, but it can also be indicated by a green address bar. After an SSL web certificate is installed on a website, users can be sure that the information that they enter, such as contact or credit card information, is secured and only seen by the organization that owns the website.
SSL encryption is required between the MiCollab servers and MiCollab for Mobile phone users because sensitive user information and configuration data are transmitted during the deployment of the clients. The SSL web certificate ensures that the MiCollab for Mobile clients establish secure connections during deployment.
To support the MiCollab Client deployment, you must purchase a signed SSL web certificate from a third-party Certificate Authority (CA) such as Entrust or GoDaddy. This involves generating a certificate signing request (CSR) on the MiCollab or MBG server and submitting it to the CA. The CA will then return a package containing your web server certificate, plus any intermediate certificates that are required to maintain the certificate key chain. You then import the certificate and any required intermediate certificates onto the MiCollab and MBG servers. The third-party SSL web certificate allows MiCollab for Mobile Client users to establish connections and receive their deployment configurations.
Information about different certificate chains must be obtained from the issuer. You must read and understand the certificate installation instructions from your certificate vendor. Normally they should be e-mailed to you when you receive the signed certificate from them.
Using Third-Party SSL Web Certificates
You can import third-party SSL web certificates in either PEM or PKCS#12 format:
PEM certificates typically have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format. Apache and similar servers use PEM format certificates. Several PEM certificates, including the private key, can be included in a single file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.
PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.
The MSL operating system supports the SHA-2 cryptographic hash function, along with variants such as SHA-256.
About TLS
MiCollab and MBG might require multiple hostnames, especially if the services are running on multiple servers. For most deployment scenarios a certificate that is valid for multiple names is required. One SSL key plus the certificate must be used on multiple MSL servers (for example, MBG and MiCollab).
In most deployments, the MBG must host multiple domain names, so it is mandatory to have a certificate that includes all the required DNS names.
SSL Web Certificate Options
| Wildcard Certificate | Extended Attributes |
|---|---|
| This is probably the easiest way, especially if there is already a certificate available, e.g. *.example.com. | Use of the x509 v3 Extended attributes (as described below). Multiple DNS names can be included in the certificate request. Many CAs allow up to 15 names. |
| Advantage: Other hosts and nodes can be added later without reissuing the certificate. | Advantage: Sometimes a second name makes little or no price difference. |
| Disadvantage: Slightly more expensive than a single certificate. | Disadvantage: Adding another DNS name requires reissuing the certificate. |
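
Before generating the CSR, it helps to check that the names planned for the certificate actually cover every hostname the MiCollab and MBG servers will answer on. The following is an added example, not part of the product documentation or its tooling: the hostnames are constructed, the function names are hypothetical, and the matching follows the usual RFC 6125 rule that a wildcard stands for exactly one leftmost label.

```python
# Added example: hostnames and certificate names below are constructed.
MAX_SAN_NAMES = 15  # the page notes many CAs allow up to 15 names; yours may differ


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # '*' stands for exactly one label, so *.example.com covers neither
        # example.com nor a.b.example.com.
        return False
    if p_labels[0] == "*":
        # Conservative choice: the wildcard must be followed by at least two
        # fixed labels and must match a non-empty label.
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    # Partial wildcards such as f*.example.com are treated as literals here.
    return p_labels == h_labels


def uncovered_hosts(cert_names, required_hosts):
    """Return the required hostnames that no certificate name covers."""
    return [h for h in required_hosts
            if not any(name_matches(n, h) for n in cert_names)]


def review_plan(cert_names, required_hosts):
    """Summarise a planned certificate before the CSR is generated."""
    return {
        "missing": uncovered_hosts(cert_names, required_hosts),
        "too_many_names": len(cert_names) > MAX_SAN_NAMES,
    }


# Constructed deployment: MiCollab and MBG hostnames under example.com.
REQUIRED = ["micollab.example.com", "mbg.example.com",
            "example.com", "mbg.dmz.example.com"]

if __name__ == "__main__":
    print("wildcard only: ", review_plan(["*.example.com"], REQUIRED))
    print("explicit names:", review_plan(REQUIRED, REQUIRED))
```

With the constructed hostnames, the wildcard-only plan leaves the bare domain and the two-level subdomain uncovered, which is the case where the extended-attributes option (or a wildcard plus extra names) is needed.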