Certificates for your internal servers

Reasons why you need certificates for your servers

  1. Authentication:
    • Certificates verify the identity of a server. When a client (such as a web browser) connects to a server, the server presents its certificate.
    • The client checks if the certificate is trusted (issued by a recognized certificate authority) and whether it matches the server’s domain.
    • This process ensures that clients connect to the right server, preventing man-in-the-middle attacks.
  2. Encryption:
    • Certificates enable secure communication by facilitating encryption.
    • The server’s certificate contains its public key. Clients use this key to encrypt data before sending it to the server.
    • Only the server’s private key can decrypt the data, ensuring confidentiality.


How are certificates used in web-servers?

Transport Layer Security (TLS) certificates, also known as Secure Sockets Layer (SSL) certificates, play a crucial role in securing internet browser connections and transactions through data encryption. Let’s dive into how they work:

TLS/SSL Handshake

  • When you visit a website, an invisible process called the TLS/SSL handshake occurs nearly instantaneously.
  • The web server and your browser communicate to establish a secure connection.
  • Websites secured by a TLS/SSL certificate display HTTPS and a small padlock icon in the browser address bar.


Components of an X.509 Certificate

  • Each TLS certificate consists of a key pair: a public key and a private key.
  • These keys interact behind the scenes during website transactions.


The Handshake Process

  • When you direct your browser to a secured website:
    • The website server shares its TLS/SSL certificate and public key with your browser.
    • Your browser verifies the following:
      • Recognizes and trusts the Certificate Authority (CA) that issued the SSL certificate (e.g., SCEPman).
      • Ensures the certificate is unexpired and unrevoked.
    • Your browser sends back a symmetric session key to the server.
    • The server decrypts the session key using its private key.
    • An encrypted session begins, protecting message privacy, integrity, and server security.
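The three checks listed above (a trusted issuing CA, an unexpired certificate, a name that matches the server) are what every TLS client performs, whether a browser opening an intranet site or a VPN client connecting to its gateway. As an added example (not SCEPman's own code), this Go program builds a constructed root CA that stands in for the SCEPman CA, issues a server certificate from it, and runs exactly those checks with the standard library; the CA name, host name and lifetimes are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer and returns the parsed certificate; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der) // der is nil (so cert is nil) when signing failed
	return cert, err
}

// NewTestPKI builds a constructed root CA (standing in for the SCEPman CA) and a one-year server certificate.
func NewTestPKI(dnsName string, now time.Time) (ca, server *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName}, // the SAN the client matches against the host it connected to
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err == nil {
		server, err = issue(srvTmpl, ca, &srvKey.PublicKey, caKey) // leaf is signed by the CA key, not its own
	}
	return ca, server, err
}

// VerifyServerCert runs the browser's checks: chains to trustedCA, valid at time at, and matches dnsName.
func VerifyServerCert(server, trustedCA *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: dnsName, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err // nil means the client would accept this server
}
```

A wrong host name, a clock past NotAfter, or a root the client does not trust each make VerifyServerCert return an error, which is the point at which a real client aborts the handshake.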


In summary, TLS/SSL certificates ensure secure communication, authenticate website identities, and safeguard data during transmission. They are the backbone of trust and security on the internet.


How are certificates used in VPN controllers?

Certificates are the backbone of secure VPN communication, enabling trust, encryption, and seamless connectivity. They ensure that your VPN experience remains both private and reliable.

Authentication and Trust

  • VPN controllers use certificates to authenticate themselves and other network components.
  • When a VPN client connects to a server, the server presents its certificate. The client verifies this certificate against trusted Certificate Authorities (CAs).
  • By using certificates, VPN controllers establish trust, ensuring that clients connect to legitimate servers and preventing man-in-the-middle attacks.


Encryption and Confidentiality

  • Certificates facilitate encryption within VPN tunnels.
  • The server’s certificate contains its public key, which clients use to encrypt data before sending it.
  • Only the server’s private key can decrypt the data, ensuring confidentiality during transmission.


Secure Communication Channels

  • VPN controllers rely on certificates for IPsec and TLS communication.
  • Certificates enable secure communication between VPN gateways, domain controllers, and member servers.
  • This ensures that data exchanged within the VPN remains protected.


Reduced Maintenance Overhead

  • Certificates reduce the need for frequent changes compared to pre-shared keys.
  • VPN controllers can use the same certificate for multiple connections, simplifying management.


Corporate Compliance and Monitoring

  • Corporate VPNs often require certificates to comply with security policies.
  • Certificates allow monitoring and auditing of VPN traffic, ensuring compliance with organizational rules.


Client Authentication

  • Some VPNs use client certificates for two-way authentication.
  • This ensures that clients are also authenticated before accessing specific resources.


Which devices are using certificates for server authentication?

  • Web servers (e.g. AAA/RADIUS servers)
  • Network components (e.g. VPN controllers)
  • Domain controllers


How can I issue certificates with SCEPman?

To issue certificates with SCEPman, you have a couple of convenient options at your disposal:

  • Via Web Console: You can issue certificates by either submitting a Certificate Signing Request (CSR) or opting for manual input directly through the SCEPman web console. This approach offers flexibility and ease of use, catering to different preferences and requirements.
  • Via REST API: For automated processes or integration with other systems, SCEPman also supports issuing certificates through its REST API. This method allows for programmable certificate issuance, making it a powerful tool for streamlining your certificate management workflow.


How can I renew certificates with SCEPman?

To renew certificates with SCEPman, you have several options to keep your certificates up to date:

  • Via EST (leveraging mTLS "simplereenroll"): Use the EST (Enrollment over Secure Transport) protocol with its "simplereenroll" operation, which authenticates the request with mutual TLS (mTLS) using the certificate that is being renewed. This gives you a secure, automated renewal that maintains high security standards, as no shared secrets or challenge passwords need to be distributed to your servers.
  • Via SCEP Client and a Scheduled Task: Pair a SCEP client with a scheduled task. This setup renews certificates on the schedule you set, without requiring manual intervention.
  • Manual Renewal: You can manually renew certificates through SCEPman. This method allows for direct control over the renewal process, ensuring you can manage certificates on an as-needed basis.