How does the SSL connection in Password Depot Enterprise Server work and which settings are required?


Password Depot Enterprise Server allows you to install and use an SSL certificate.

Warning: Installation should be performed by an experienced administrator only.

Hint: Since version 15.2.x the Enterprise Server only works with certificates in PEM format. The server now uses OpenSSL 1.1.1.j with TLS 1.3. We have implemented an automatic conversion of your installed PFX or CRT certificates to the PEM format, which may require an additional restart of the Password Depot Server after the first run. If the server still cannot load the SSL certificate after the restart, you have to convert your existing certificate into the PEM format manually. Please click here for detailed instructions.

Password Depot Enterprise Server supports X.509 SSL certificates in PEM format. Using a certificate, users can verify the identity of a server before sending confidential information.

Prior to using SSL connections, please note the following:

1) SSL is not what encrypts the data transmitted from the clients to the server. This data is always strongly encrypted by the internal protocol implemented on top of TCP/IP.

2) For cross-platform compatibility, we need to use the OpenSSL library, which has some limitations and is not recommended by Apple on iOS and macOS.

3) Using self-signed certificates is pointless and thus not recommended. Only certificates signed by a known CA (Certificate or Certification Authority) can be used to validate Password Depot Enterprise Server. If you already have a web server that runs on HTTPS, using its SSL certificate is a suitable solution. Otherwise, you may need to order a new SSL certificate from one of the recognized Certificate Authorities.

4) To use SSL connections, you must install a valid SSL certificate issued by a recognized Certificate Authority. The Enterprise Server can generate a dummy certificate to test the SSL connection if no other certificate is available. In practice, however, the dummy certificate is useless because it can easily be forged by third parties.

5) The use of SSL is not recommended in local and internal networks, as all data transfers between the server and the clients are already strongly encrypted. The use of SSL does not significantly increase the security of data transmission, but it allows server validation and helps prevent Man-in-the-Middle (MITM) attacks. This feature can be useful in external networks where clients can connect to the server from anywhere.

6) If you choose to use SSL connections, please make sure that all clients (Windows, macOS, Android and iOS as well as the web interface) use SSL! Mixed connections (partly SSL and partly standard TCP/IP) are not allowed.

7) To install an SSL certificate (go to the Server Manager and click Manage -> Server settings -> General -> Install Certificate), you must enter the following:

  1. The fully qualified path to the certificate file on the server.
  2. If the above certificate contains both public and private keys, please enter the fully qualified path to the certificate file on the server again. If the private key is stored in a separate file, specify the full path to the private key here.
  3. The password for accessing the private key.

Restart the server to load the certificate and start SSL connections.


A certificate's private and public key

The private key is the secret part of the certificate. The owner must keep it secure, since it is like a personal signature. The Enterprise Server signs the data with this personal signature, and this is the only way to determine whether the data sent originated from the right source.

The public key, on the other hand, is available to everyone. It is used to check the signature on the data you receive.

Thus, the public key on its own is of no use without the matching private key. Everyone may have the public key, but for the server the private key is the essential part.
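The manual PFX-to-PEM conversion mentioned in the hint above, plus the checks an administrator would want before restarting the server in step 7 (that the private key really belongs to the installed certificate, that the certificate chains to a CA and is not self-signed), as an added example that is not Password Depot's own tooling. It assumes the openssl command-line tool is installed; all file names and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not part of Password Depot: prepare a PFX certificate for the
# Enterprise Server by splitting it into PEM certificate and PEM private key,
# then sanity-check the pair before the server restart. Requires openssl.
set -eu

# pfx_to_pem <cert.pfx> <pfx-password> <out-cert.pem> <out-key.pem> <key-password>
# Writes the certificate and the private key to separate PEM files. Passing
# each through x509/pkey strips the PKCS#12 "Bag Attributes" headers, and the
# key is re-encrypted so the server still asks for a private-key password.
pfx_to_pem() {
  pfx=$1; inpass=$2; crt=$3; key=$4; keypass=$5
  openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -clcerts -nokeys \
    | openssl x509 -out "$crt"
  openssl pkcs12 -in "$pfx" -passin "pass:$inpass" -nocerts -nodes \
    | openssl pkey -aes256 -passout "pass:$keypass" -out "$key"
  chmod 600 "$key"   # the private key is the secret part: owner-readable only
}

# key_matches_cert <cert.pem> <key.pem> <key-password>
# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key, i.e. the two files belong together.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
  [ "$from_cert" = "$from_key" ]
}

# chain_ok <cert.pem> <ca-bundle.pem>
# Returns 0 only if the certificate validates against the given CA bundle,
# which is what the clients will effectively check when they connect.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# is_self_signed <cert.pem>
# Returns 0 when issuer and subject are identical (a self-signed or dummy
# certificate, which the text above says gives no real server validation).
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer)
  sub=$(openssl x509 -in "$1" -noout -subject)
  [ "${iss#issuer=}" = "${sub#subject=}" ]
}
```

The two output files and the key password are what steps 1 to 3 of the Install Certificate dialog ask for; run the three checks on them first and only restart the server when all pass.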


Hint: The procedure for installing a REST server certificate is the same as mentioned above. To do so, open the Server Manager, activate the option Use SSL/TLS for REST Server and start the installation by clicking Install Certificate next to it.
