MobiLink Synchronization User's Guide
Transport-Layer Security
About transport-layer security
A certificate may be signed by other certificates, or it may be self-signed, which means it is signed only with its own private key. A sequence of public certificates, each signed by the next, is called a certificate chain. At one end of a typical chain is a certificate used for a particular MobiLink synchronization server. At the other end is a certificate, signed by no other certificates, called the root certificate.
You can arrange certificates in various ways, depending on your requirements. The following sections describe how to construct and use certificate chains to achieve particular security goals. The following topics are covered:
If you have only a single server, the simplest setup is to create a self-signed certificate. The only disadvantage is that the private key for the certificate must be held on the synchronization server, where it is harder to protect.
An enterprise root certificate is of particular benefit to organizations using more than one MobiLink synchronization server. In this setup, MobiLink clients need keep only a copy of this root certificate to recognize any MobiLink synchronization server issuing a certificate signed by this root certificate.
Commercial certificate authorities can benefit organizations that require the utmost in security. These organizations can help in two ways. First, the root certificates they use are of the highest possible quality, making these certificates somewhat less prone to attack. Secondly, commercial certificate authorities can provide a trusted third party when two companies wish to communicate securely but are not familiar with each other.
You can, and in some cases should, use the facilities provided to verify certificate fields. This precaution is appropriate in many scenarios, but is particularly so when using a globally signed certificate. In this case, you are unlikely to want your clients to trust certificates that your certificate authority has signed for other customers.
In all cases, you must ensure that the MobiLink command line and log file are secure. This is best done using a firewall and by otherwise limiting access to the computer running the MobiLink synchronization server.
MobiLink transport-layer security is a flexible mechanism that lets you achieve the security important to your setup. The basic system allows you to keep information private, while certificates ensure MobiLink clients that they are talking to a trusted MobiLink synchronization server.