Which part are you having trouble with?
Here is some generic info on generating self-signed certificates: http://www.akadia.com/services/ssh_test_certificate.html
Adding the cert to the system's trust store depends on the user's OS, so I can't help you much there.
I don't know what it means to install the certificate into the system trust store on the client.
Client doesn't refer to the client app, but to the client machine, and so the OS?
That is how I understand it to work, but I'm hardly an expert on the matter.
I found this for Windows 7: http://msdn.microsoft.com/en-us/library/ms172241(v=vs.90).aspx
Since the article you referenced in your first post does not mention any specific steps to take, I am assuming it is referring to the same process as that link describes.
Updated link to: http://msdn.microsoft.com/en-us/library/ms172241(v=vs.90).aspx
I guess my problem is that I am using a self-signed certificate and because it's a desktop app, I can't check "trust certificate" like I would in the browser.
Any idea how to make my app just accept a self-signed certificate from the server I control?
Probably at OS level though.
You mean not use TLS authentication?
I thought the point was so that only trusted clients can connect to the server...
No, no, I want to use TLS, just not show the certificate warning (self-signed) and have to install it to trusted.
TLS auth means that no one can use the app (or its protected services, actually) unless they have installed the certificate you have provided them. I think it's mostly used as a way to control distribution, or to provide an extra layer of security.
Automatically providing the cert through the use of the app defeats the purpose of TLS auth, which is why I am a bit confused. The fact one has to install the certificate on their local machine is a feature, not a bug.
I'm using it to send and receive encrypted data over the internet to prevent sniffing.
If the certificate is signed by a recognized authority it's automatically installed as trusted so no user prompt.
I wanted to get the same with a self-signed one.
If I understand you correctly, you just need to set up an SSL connection, and don't need a TLS authentication scheme (i.e. you are not distributing a certificate to your users as a means to control access).
You're hitting the same roadblock as anyone who wants to use SSL without a certificate signed by a CA. Essentially, the user needs to install your cert as trusted, or be warned about its lack of authenticity.
So if it's self-signed, you can't skip the warning message.
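For a client you write yourself that talks only to a server you control, the standard alternative to installing the cert in the OS trust store (or, worse, turning verification off to silence the warning) is to keep verification on and make that one self-signed certificate the client's only trust anchor, optionally checking its SHA-256 fingerprint as well. The following is an added Python example, not code from this thread or from AIR; the paths, host, port and fingerprint are placeholders the caller supplies.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_fp: str) -> bool:
    """Compare the peer's fingerprint with the pinned one in constant time.
    Accepts the colon-separated upper-case form OpenSSL prints."""
    expected = expected_fp.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def pinned_context(server_cert_pem: str) -> ssl.SSLContext:
    """Build a client context that trusts exactly one certificate: the
    server's own self-signed cert (PEM file path supplied by the caller).
    Verification and hostname checking stay ON; the self-signed cert simply
    replaces the public CA bundle as the only anchor. Setting verify_mode to
    CERT_NONE would also hide the warning, but then any server could
    impersonate yours, which defeats the point of using TLS at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True            # the cert's SAN must name the host
    ctx.load_verify_locations(cafile=server_cert_pem)
    return ctx


def connect_pinned(host: str, port: int, server_cert_pem: str,
                   expected_fp: str) -> str:
    """Open a TLS connection, verify the chain against the private anchor,
    then additionally check the leaf's fingerprint. Returns the TLS version."""
    ctx = pinned_context(server_cert_pem)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_fp):
                raise ssl.SSLError("server certificate fingerprint mismatch")
            return tls.version()
```

The fingerprint to pin is the one `openssl x509 -in server.pem -noout -fingerprint -sha256` prints for the certificate you generated.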
Didn't know you could distribute TLS Auth to control access.
That's probably done at OS level and should work with any app, including AIR apps.
Any idea where I could read up a bit about this?
I don't know of any reading material off the top of my head (other than the original link you posted). You are correct in that it's done at the OS level, and is not specific to AIR.
Basically, the practice is to "sign" the client so only clients with a valid signature can access the remote services. Usually (for me at least) when someone says "TLS Authentication", they are referring to this practice, which is why I was a bit confused at first.
Personally, I think the whole thing is a big waste of time, but I suppose there are a few fringe cases where the added effort would pay off.
Thanks a lot, drkstr_1. It's much clearer now.
Out of curiosity, why would you say client auth is a waste of time?