TLS Configuration

Server Certificate File

Here you should select the certificate file to use for the server. If you do not have one, you can use the Create option to create a self-signed certificate.

The file should be an X.509 certificate file in PEM format. MIS Communicator uses OpenSSL to perform TLS connections; you can read more about the certificate file format in the OpenSSL documentation for the function PEM_read_X509().

Note that if you use a self-signed certificate, the client cannot validate that the server it is connecting to is the real server rather than a fake one, so it could potentially be sending information to an unknown entity. You can overcome this problem, however, by using certificate pinning on the client side to validate the Certificate Fingerprint or the Public Key Fingerprint.

Certificate Password

Here you should enter the certificate password so that MIS Communicator can read the certificate file if it is encrypted.

Minimum TLS version

This option allows you to specify a minimum TLS protocol version (1.2, for example) if you wish to prevent the use of older versions of the TLS protocol. Do note that the client must support the protocol version specified in this parameter, or it will not be able to connect.

Expiration

This field is read-only; it shows the expiration date of the selected certificate file.

If the server certificate is expiring and you are using a self-signed certificate, you can use the Renew option to generate a new certificate. The Renew option in MIS Communicator uses the same public key to generate the new certificate, which allows clients to pin on the certificate's public key rather than on the certificate itself.

Certificate Fingerprint

This field is read-only; it is the certificate fingerprint that you can use in your client app to perform server certificate pinning.

Server certificate pinning is a technique that lets the client declare that the only server it will trust is the one presenting the certificate with this fingerprint.

It is very useful when validating the server's authenticity matters to you and you want to prevent your client application from connecting to fake servers. You can use this value directly in Kalipso when configuring your TLS connection.

Public Key Fingerprint

This field is read-only; it is the fingerprint of the certificate's public key, which you can use in your client app to perform server certificate pinning.

Pinning on this value is useful if you renew the certificate when it expires. If you renew the certificate using the same public key, you do not need to reconfigure the client applications to accept a new certificate fingerprint: the public key does not change, so the public key fingerprint stays the same even though the certificate fingerprint changes.
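The difference between the two fingerprints, as an added example that is not part of MIS Communicator's or Kalipso's own code: a stdlib-only Python script that extracts the SubjectPublicKeyInfo from a DER certificate and hashes both the whole certificate and the key alone, run over two constructed certificates that share a public key the way Renew produces them. It assumes SHA-256 hex fingerprints; the exact hash and encoding MIS Communicator displays are not stated on this page, so compare against the values shown in its fields.

```python
import hashlib
SEQ, INT, BITSTR, NULL, OID, UTF8, UTC, SET = 0x30, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0x31

def der(tag, body):
    """Encode one DER TLV (lengths below 65536 suffice here)."""
    n = len(body)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def split_tlv(data, i=0):
    """Return (tag, body, index_after_element) for the DER element starting at data[i]."""
    tag, length, hdr = data[i], data[i + 1], 2
    if length & 0x80:  # long form: low bits give the number of length octets that follow
        hdr += length & 0x7F
        length = int.from_bytes(data[i + 2:i + hdr], "big")
    return tag, data[i + hdr:i + hdr + length], i + hdr + length

def children(body):
    """Split a constructed element's body into its child TLVs."""
    out, i = [], 0
    while i < len(body):
        nxt = split_tlv(body, i)[2]
        out.append(body[i:nxt])
        i = nxt
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    tbs = children(split_tlv(cert_der)[1])[0]  # first child of Certificate: TBSCertificate
    fields = children(split_tlv(tbs)[1])
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def cert_fingerprint(cert_der):        # Certificate Fingerprint: hash of the whole DER cert
    return hashlib.sha256(cert_der).hexdigest()

def public_key_fingerprint(cert_der):  # Public Key Fingerprint: hash of the SPKI only
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

# Constructed sample material, not a real key or signature: one fake RSA SPKI and two
# certificates that differ only in serial and validity, as Renew with the same key produces.
RSA_ALG = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))  # rsaEncryption
SPKI = der(SEQ, RSA_ALG + der(BITSTR, b"\x00" + bytes(range(64))))

def constructed_cert(serial, not_before, not_after, spki):
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))  # sha256WithRSA
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, b"mis-demo"))))
    validity = der(SEQ, der(UTC, not_before) + der(UTC, not_after))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, serial) + sig_alg + name + validity + name + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + bytes(32)))  # dummy signature bit string
ORIGINAL = constructed_cert(b"\x01", b"240101000000Z", b"250101000000Z", SPKI)
RENEWED = constructed_cert(b"\x02", b"250101000000Z", b"260101000000Z", SPKI)
```

Feed a real certificate by loading its PEM with `ssl.PEM_cert_to_DER_cert` from the standard library before calling the two fingerprint functions.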

Require Client Certificate

If you enable this option, you add an extra layer of security to MIS Communicator. A client that tries to connect to MIS Communicator then has to pass two authentications: it must provide the password configured in the Connection Properties, and it must present a valid client certificate issued by a CA (Certificate Authority) listed in the Authorized CA List File parameter.

You can use the Create Client Certificate button to create a new certificate to use in your clients.

Authorized CA List File

This is the file that has the list of CAs that are authorized to issue client certificates. It can be the same file specified in Server Certificate File.

When a client tries to connect to MIS Communicator, it has to provide a client certificate, and MIS Communicator checks whether the CA that issued that certificate is in this file. If it is not, as would be the case when an attacker presents a certificate of their own, the connection is refused.
