
Question

encrypt in transit

asked on August 2, 2021

LF Help documentation in reference to SSL/TLS states the following:

Client Certificate Requirements: The Client computers must have a valid trusted root authority certificate. This may be in the Local Computer's certificate store, in which case the certificate can be used by all users, or in the current user's certificate store, in which case it can be used by the current user only. In either case, it must be in the "Trusted Root Certification Authorities" certificate folder.

If I'm using a publicly available form, does the member of the public's computer have to have a certificate? That would seem an impossible barrier.

Thanks for any guidance,

0 0

Replies

replied on August 2, 2021

No it does not. I believe the part of the help file that you are referencing is related to digital signatures in the repository.

3 0
replied on August 2, 2021

It looks like this is the documentation page you're referencing: https://doc.laserfiche.com/laserfiche.documentation/11/administration/en-us/Default.htm#../Subsystems/LFAdmin/Content/SSL_TLS_Client.htm

The following is a detailed explanation if you're interested and aren't very familiar with how certificates work (most people aren't). If you simply want the short answer, it's "the public Forms server must have a web server TLS certificate from a publicly trusted Certificate Authority bound to port 443 for HTTPS".

Clients validate TLS certificates by checking what's known as a "chain of trust", which starts with your certificate, has some number of "Intermediate Certificates" in the middle, and ends with a "Root Certificate Authority".

By way of analogy: Your driver's license/ID (certificate) is issued by the state DMV (intermediate cert), which is given its authority by the State Govt. (root cert authority). In order for other people to trust the validity of your ID, they need to (a) see that it was issued by the DMV/state, and (b) trust the DMV/state (intermediate and root certs). The first attribute is what makes your govt-issued ID different from a fake ID. When someone checks your ID, they accept it because they acknowledge the legitimacy of the parties who issued it, not because they have a list of every valid ID.

So how does this relate to TLS/HTTPS with websites, like your public Forms instance? It means that you need to ensure your public-facing website has a certificate issued by a publicly-trusted Certificate Authority (CA). Publicly-trusted CAs are those that most operating systems and browsers trust by default, like Digicert, Sectigo, Let's Encrypt, etc. When you visit google.com, amazon.com, or any other public website over HTTPS and don't receive a TLS certificate warning, that's because those websites are using certs issued by publicly-trusted CAs.

By way of example, here's a certificate issued by the public CA DigiCert showing the issuing chain:

Because nearly every computer in the world trusts that DigiCert root certificate by default, all you need for secure HTTPS communication to your public Forms instance is a similar certificate bound to port 443 in IIS on your Forms server.

1 0
replied on August 2, 2021

Thank you. Helpful.

1 0