SSL connection certificates
The connection between the clients and the server is secured with an SSL certificate; TLS 1.2 is used as the encryption standard. The certificate can either be created by the server or you can use an existing certificate issued by your own CA. Every computer on which a client is installed must trust this certificate. Otherwise, the following message appears when the client is started:
This connection is not trusted!
The connection to the server is not considered secure.
Structure of certificates
The following information applies both to the Password Safe certificate and to your own certificates:
Clients can only reach the server via a name or address that is stored in the certificate's Subject Alternative Name (SAN). The Password Safe certificate therefore stores all IP addresses of the server as well as its hostname. When creating your own certificate, this information must also be entered in the Subject Alternative Name.
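The SAN requirement above can be checked before a certificate is rolled out. The following PowerShell script is an added example and not part of the Password Safe documentation or product: it reads an exported server certificate and reports every hostname or IP address that clients use but that is missing from the Subject Alternative Name. The file path, hostname and IP addresses are assumed values.

```powershell
# Added example (not from the Password Safe documentation): verifies that the
# Subject Alternative Name of a server certificate covers every name and IP
# address that clients use to reach the server.
param(
    # Exported server certificate (assumed path; replace with your own)
    [string]$CertPath = 'C:\temp\pws-server.cer',
    # Names and addresses clients actually use (assumed values)
    [string[]]$Expected = @('pws.example.local', '10.0.0.5', '192.168.1.5')
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.17 is the Subject Alternative Name extension.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) {
    Write-Warning "Certificate $($cert.Thumbprint) has no Subject Alternative Name; clients can only connect via the subject CN."
    return
}

# Format($true) renders one entry per line, e.g. "DNS Name=pws.example.local"
# or "IP Address=10.0.0.5"; the label is locale dependent, the value is not.
$sanEntries = $sanExt.Format($true) -split "`r?`n" |
    Where-Object { $_ -match '=' } |
    ForEach-Object { ($_ -split '=', 2)[1].Trim() }

Write-Host "SAN entries: $($sanEntries -join ', ')"

# Anything clients use that is not in the SAN will produce the
# "This connection is not trusted!" message on those clients.
$missing = $Expected | Where-Object { $sanEntries -notcontains $_ }
if ($missing) {
    Write-Warning "Not covered by the SAN: $($missing -join ', ')"
} else {
    Write-Host 'All expected hostnames and IP addresses are present in the SAN.'
}
```

Run the script once per address family you use (hostname, FQDN, IPv4, IPv6): every entry that a client might type into its server setting must appear as a separate SAN entry, since the subject CN alone is not consulted for IP addresses.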
Using the Password Safe certificate
Distributing the Password Safe certificate
For the certificate to be trusted, it can be exported on the server and then imported on the clients. It must be imported into the following store:
Local computer -> Trusted Root Certification Authorities -> Certificates
The certificate can also be rolled out and distributed to the clients via Group Policy.
Manually importing the Password Safe certificate
If the Password Safe certificate is not rolled out, it can also be imported manually. To do this, first open the certificate information: the warning notification contains the Show server certificate button for this purpose. In the dialogue that follows, select the option Install certificate…
A Certificate import wizard will open in which Local computer should be selected.
In the next step, the storage location “Trusted Root Certification Authorities” must be selected manually.
Finally, the installation needs to be confirmed once again.
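Both the distribution procedure (export on the server, import on the clients) and the manual import via the wizard can be scripted. The following PowerShell functions are an added example and not part of the Password Safe documentation or product: one exports the public part of the server certificate, the other imports it into Local computer -> Trusted Root Certification Authorities on a client and verifies that it is present. The certificate store, the subject filter and the file paths are assumptions; adjust them to your installation.

```powershell
# Added example (not from the Password Safe documentation).
# Step 1 runs on the server, steps 2 and 3 run on each client in an elevated
# PowerShell session (writing to Cert:\LocalMachine\Root requires administrator rights).

function Export-PwsServerCertificate {
    param(
        # Store and subject filter are assumptions; point them at your server certificate
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$SubjectFilter = '*Password Safe*',
        [string]$OutFile = 'C:\temp\pws-server.cer'
    )
    $serverCert = Get-ChildItem $StorePath |
        Where-Object { $_.Subject -like $SubjectFilter } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $serverCert) { throw "No certificate matching '$SubjectFilter' found in $StorePath" }

    # -Type CERT writes the DER-encoded public certificate only; the private key stays on the server.
    Export-Certificate -Cert $serverCert -FilePath $OutFile -Type CERT | Out-Null
    Write-Host "Exported $($serverCert.Thumbprint) ($($serverCert.Subject)) to $OutFile"
    return $serverCert.Thumbprint
}

function Install-PwsServerCertificate {
    param(
        # Assumed distribution share; any path the client can read works
        [string]$CerFile = '\\fileserver\share\pws-server.cer'
    )
    # Step 2: same effect as the wizard with "Local computer" and
    # "Trusted Root Certification Authorities" selected.
    $imported = Import-Certificate -FilePath $CerFile -CertStoreLocation 'Cert:\LocalMachine\Root'

    # Step 3: confirm the certificate is now in the trusted root store and not expired.
    $trusted = Get-ChildItem 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
    if ($trusted -and $trusted.NotAfter -gt (Get-Date)) {
        Write-Host "Certificate $($trusted.Thumbprint) is trusted on this client until $($trusted.NotAfter)"
        return $true
    }
    Write-Warning 'Certificate was not found in the trusted root store or has already expired.'
    return $false
}

# Usage (server):  Export-PwsServerCertificate
# Usage (client):  Install-PwsServerCertificate
```

Compare the thumbprint printed by the export with the one reported on the client before trusting it; a mismatch means a different file was imported. For the Group Policy variant mentioned above, the same .cer file is added under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities, which lands it in the same store on every domain-joined client.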
Using your own certificate
If a CA already exists, you can also use your own certificate. You can specify this within the . Note that the certificate is used as a server certificate for SSL encryption. The CA must be configured so that all clients trust the certificate, and the complete certification path must be valid on every client.
Wildcard certificates are not supported. In theory they should work, but we cannot provide help with their configuration; you use wildcard certificates at your own responsibility.
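Whether a client really trusts your own certificate depends on the complete certification path, not only on the leaf. The following PowerShell script is an added example and not part of the Password Safe documentation or product: it builds the chain for an exported server certificate exactly as a TLS client on that machine would, prints every element of the path, and names the element that breaks trust (for instance a missing intermediate or an untrusted root). The file path is an assumed value.

```powershell
# Added example (not from the Password Safe documentation): builds the
# certification path of a server certificate using this machine's trust store
# and reports why it would, or would not, be trusted by a client running here.
param(
    [string]$CertPath = 'C:\temp\pws-server.cer'   # assumed path to the exported certificate
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Require the Server Authentication EKU (1.3.6.1.5.5.7.3.1), as a TLS client does.
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.1') | Out-Null
# Check revocation online; switch to 'NoCheck' only on machines without CRL/OCSP reachability.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

$valid = $chain.Build($cert)

Write-Host 'Certification path (leaf first):'
foreach ($element in $chain.ChainElements) {
    $problems = $element.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }
    $state = if ($problems) { $problems -join '; ' } else { 'OK' }
    Write-Host ("  {0}`n      issued by {1}  [{2}]" -f $element.Certificate.Subject, $element.Certificate.Issuer, $state)
}

if ($valid) {
    Write-Host 'Path is complete and trusted on this machine.'
} else {
    # Typical results: UntrustedRoot (CA not in Trusted Root Certification Authorities),
    # PartialChain (intermediate CA missing), NotTimeValid (expired), RevocationStatusUnknown.
    Write-Warning 'Clients with this trust store will show "This connection is not trusted!".'
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}
```

Run it on a client, not on the server: the server may trust its own CA while a client is missing the root or an intermediate. An UntrustedRoot result is fixed by distributing the CA certificate as described in the previous section; a PartialChain result means the intermediate CA certificate also has to be published to the clients (or included by the server), since the leaf alone does not let a client reconstruct the path.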
Database certificates
A unique certificate is created for each database. It is named “psrKey” followed by a unique GUID, for example: psrKey_25717957-fcc1-e611-9953-c86000c4a2aa
The database certificate does not encrypt the database itself. It is used for the encrypted transfer of passwords from the client to the server in the following cases:
- Creation of a WebViewer via a task
- Creation of an AD profile protected by a master key
- Login of users imported from AD in Master Key mode
Certificate for Master Key mode
If Active Directory is accessed in Master Key mode, a certificate is also created for it. Its naming follows the same scheme as the database certificates.