What are certificate roles, why are they important?
Let’s get back to basics: how does your application know that the resource it’s accessing is truly www.your-company-domain.com?
Well, during the connection’s negotiation, the remote service presents its certificate, which roughly has two interesting parameters: the name it was issued to, and the issuer that signed it (the chain examples below show exactly these two).
But how do we trust the issuer? Well, the issuer also has an issuer of its own, and this goes all the way up to an issuer that’s trusted by the platform on which your application runs.
The certificate presented by the server is called a “leaf” certificate, while each issuer is called a CA (Certificate Authority). These are, in essence, the roles of these certificates.
For example, the “chain-of-trust” in a normal connection might be:
*.your-company-domain.com
signed by “Go Daddy Secure Certificate Authority – G2”
However, there is no functional difference between certificates, regardless of their roles. So while leaf certificates are not meant to be used as certificate authorities, each certificate can be used to sign another certificate. This makes the following chain also 100% correct:
*.your-company-domain.com
signed by *.malicious-domain.com
*.malicious-domain.com
signed by “Go Daddy Secure Certificate Authority – G2”
So your application could blindly trust a connection to www.malicious-domain.com, thinking it is www.your-company-domain.com.
So how can this be enforced? Very simply: include in each certificate information about its role. This is a common extension called “Basic-Constraints”.
The catch is that if a certificate does not have this extension, an SSL/TLS implementation won’t enforce it.
This is why it’s important to enforce both the presence of the Basic-Constraints extension and the roles of the certificates in the chain.
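The following Go program is an added example, not code from the article or from Appdome. It builds, in memory, the three chains discussed above (an honest chain, the “leaf signs leaf” chain with Basic-Constraints cA=FALSE, and the same chain where the signing leaf carries no Basic-Constraints extension at all), then runs two checks on each: a role check that implements the policy stated above (every certificate must carry the extension, the leaf must not be a CA, every issuer must be a CA), and Go’s standard X.509 path validation. All names, keys and certificates are constructed for the example; the root CA is a throwaway self-signed certificate standing in for “Go Daddy Secure Certificate Authority – G2”.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario is one constructed chain, leaf first and trust anchor last, plus
// the outcome of both checks.
type Scenario struct {
	Name      string
	Chain     []*x509.Certificate
	RoleErr   error // result of checkChainRoles (the policy from the article)
	VerifyErr error // result of Go's own X.509 path validation
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate returns a template carrying Basic-Constraints with cA=FALSE.
func certTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // extension is emitted; IsCA stays false
	}
}

// sign issues a certificate for tmpl with the parent's key. Note that issuing
// does not care whether the parent is a CA: any certificate's key can sign.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// checkChainRoles enforces the article's policy: every certificate must carry
// Basic-Constraints, the leaf must not be a CA, and every issuer must be one.
func checkChainRoles(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return errors.New("chain must contain a leaf and at least one issuer")
	}
	for i, c := range chain {
		switch {
		case !c.BasicConstraintsValid:
			return fmt.Errorf("%q has no Basic-Constraints extension", c.Subject.CommonName)
		case i == 0 && c.IsCA:
			return fmt.Errorf("leaf %q is marked as a CA", c.Subject.CommonName)
		case i > 0 && !c.IsCA:
			return fmt.Errorf("issuer %q is a leaf certificate, not a CA", c.Subject.CommonName)
		}
	}
	return nil
}

// verifyWithGo runs standard path validation with the last element as the
// only trust anchor and everything in between as intermediates.
func verifyWithGo(chain []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// BuildScenarios constructs the honest chain and the two bad chains from the
// article and runs both checks on each.
func BuildScenarios() []Scenario {
	rootKey := newKey()
	rootTmpl := certTemplate("Constructed Root CA", 1)
	rootTmpl.IsCA = true
	rootTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// 1. Honest chain: root -> *.your-company-domain.com
	siteKey := newKey()
	site := sign(certTemplate("*.your-company-domain.com", 2), root, &siteKey.PublicKey, rootKey)

	// 2. The article's chain: root -> *.malicious-domain.com (leaf, cA=FALSE)
	//    -> forged *.your-company-domain.com
	malKey := newKey()
	mal := sign(certTemplate("*.malicious-domain.com", 3), root, &malKey.PublicKey, rootKey)
	forgedKey := newKey()
	forged := sign(certTemplate("*.your-company-domain.com", 4), mal, &forgedKey.PublicKey, malKey)

	// 3. Same idea, but the signing leaf has no Basic-Constraints extension,
	//    so a lenient validator has nothing to enforce.
	noExtKey := newKey()
	noExtTmpl := certTemplate("*.malicious-domain.com", 5)
	noExtTmpl.BasicConstraintsValid = false // no extension is emitted
	noExt := sign(noExtTmpl, root, &noExtKey.PublicKey, rootKey)
	forged2Key := newKey()
	forged2 := sign(certTemplate("*.your-company-domain.com", 6), noExt, &forged2Key.PublicKey, noExtKey)

	scenarios := []Scenario{
		{Name: "honest chain", Chain: []*x509.Certificate{site, root}},
		{Name: "leaf used as CA (cA=FALSE)", Chain: []*x509.Certificate{forged, mal, root}},
		{Name: "leaf used as CA (no extension)", Chain: []*x509.Certificate{forged2, noExt, root}},
	}
	for i := range scenarios {
		scenarios[i].RoleErr = checkChainRoles(scenarios[i].Chain)
		scenarios[i].VerifyErr = verifyWithGo(scenarios[i].Chain)
	}
	return scenarios
}

func main() {
	for _, s := range BuildScenarios() {
		fmt.Printf("%-32s role check: %v | path validation: %v\n", s.Name, s.RoleErr, s.VerifyErr)
	}
}
```

Running it prints one line per scenario: only the honest chain passes both checks. The role check is deliberately independent of the library’s path validation, because the point of the article is that you should not rely on an arbitrary TLS stack to reject a chain whose issuer lacks the extension; the third scenario is rejected by the role check purely on the missing Basic-Constraints, before any signature is examined.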
Implementing, and especially maintaining, such measures is a difficult task. Sometimes the source code is not available, and more often the services run on endpoints you don’t control.
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement Trusted Session Inspection to any mobile app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement Certificate Roles Enforcement. Certificate Roles Enforcement can be added to any iOS or Android app in seconds, with no code or coding.
Follow these step-by-step instructions to add Certificate Roles Enforcement:
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
The technology behind Build My App has two major elements – (1) a micro-service architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Enforce Certificate Roles.
After you have added Enforce Certificate Roles to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Please view the article here on How to Complete My Mobile Integration Project After I Build My App.
That is it – your applications will now reject any connection whose certificate chain does not meet the certificate role requirements.
You can read more about CA certificates here.
If you are interested in limiting other aspects of TLS, you should check out how you can Enforce Communications’ Cipher Suites.
You can also enforce the version of the TLS protocol.
This feature is just one of many offered in the course of Trusted Session Inspection.
To zoom out on this topic, visit Appdome for Mobile App Security on our website.
If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.
Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.