Background
The ProntoForms server uses a TLS certificate signed by Entrust to provide TLS encrypted interaction with client applications and web browsers. Entrust is a widely trusted Certificate Authority, participating in most industry accepted public root stores as a Root Certificate Authority.
This means that client applications which implement TLS using industry standard libraries will be able to trust certificates issued by Entrust (e.g., prontoforms.com) by default.
Problem description
In certain use cases, applications can be designed to trust only a handpicked selection of certificates. In such situations, client applications need to obtain the public TLS certificate of a domain they trust (e.g., prontoforms.com) and add it to their internal “trust stores”.
This way, when the application attempts to establish a TLS connection with a host, it can match the server certificate with an existing certificate in its own trust store to determine the authenticity of the host.
When maintaining such trust stores, a common situation arises when an existing server’s TLS certificate nears its expiration and the server’s administrator decides to replace the existing certificate with a renewed certificate.
Client applications that implement TLS using industry standard libraries will not be affected, as they will be able to trust the new certificate (assuming the new certificate is also issued by a trusted root CA). However, more restrictive applications that rely on a custom-managed trust store will find that the new server certificate is not part of their trust store, so they will not be able to establish TLS encrypted connectivity with this server.
Recommended Solution
Phase # | Timeline | Server Admin Actions | Client Application Admin Actions | Impact on Client App TLS connection with server |
1 | Before server certificate replacement window | | | No impact |
2 | During server certificate replacement window | Perform the necessary steps to replace the expiring certificate with the renewed certificate | No action needed | No impact |
3 | After server certificate replacement window | Remove the temporary test server subdomain | Remove the expired public certificate | No impact |
Test Subdomain
This subdomain URL will be enabled temporarily at the beginning of Phase 1, to allow client application administrators to perform any internal testing. It will be pointing to the same back-end services as the regular server URL. However, it will be using the renewed TLS certificate.
Regular URL example: https://api.prontoforms.com/api/1.1/users.json
Test URL example: https://verify.prontoforms.com/api/1.1/users.json
Client applications can test TLS connectivity with the renewed certificate by replacing the subdomain in the ProntoForms server URL with the provided test subdomain.
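One way a client administrator could run that test, as an added example (not ProntoForms code): it compares the SHA-256 fingerprint of the certificate served by the regular and test hosts against the application's pinned set, and reports whether the trust store would survive the replacement. Matching on the whole-certificate fingerprint, the helper names, and the constructed byte strings standing in for DER certificates are assumptions of this example.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def pin_from_pem(pem_text: str) -> str:
    """Fingerprint of a PEM certificate held in the application's trust store."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Leaf certificate (DER) presented by host, after normal CA and hostname checks."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def match_pins(pins: dict, served: dict) -> dict:
    """Map each host to the label of the pinned certificate it presents, or None."""
    by_fp = {fp: label for label, fp in pins.items()}
    return {host: by_fp.get(fingerprint(der)) for host, der in served.items()}

def survives_rotation(pins: dict, served: dict) -> bool:
    """True only if every host, regular and test, presents a pinned certificate."""
    return all(label is not None for label in match_pins(pins, served).values())

# Constructed stand-ins for DER certificates so the example runs offline.
# Against the live service: served = {h: fetch_leaf_der(h) for h in (REGULAR, TEST)}
REGULAR, TEST = "api.prontoforms.com", "verify.prontoforms.com"
CURRENT_DER = b"constructed: certificate nearing expiry"
RENEWED_DER = b"constructed: renewed certificate"
SERVED = {REGULAR: CURRENT_DER, TEST: RENEWED_DER}

OLD_ONLY = {"current": fingerprint(CURRENT_DER)}        # trust store before any update
BOTH = {**OLD_ONLY, "renewed": fingerprint(RENEWED_DER)}  # assumed state during the window

if __name__ == "__main__":
    for name, pins in (("current pin only", OLD_ONLY), ("current + renewed", BOTH)):
        verdict = "ok" if survives_rotation(pins, SERVED) else "WOULD BREAK"
        print(name, match_pins(pins, SERVED), verdict)
```

A `None` for the test host means the renewed certificate is not yet in the trust store, which is the failure the client would see on the regular URL once the server certificate is replaced.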
Further information
If you have a client application which interacts with a prontoforms.com server, please get in touch with ProntoForms support, who will be able to provide you with information about any upcoming server certificate replacement windows.