How to Configure Certificates for Online Apps


    How to work with certificates when building applications for SuperOffice CRM Online.

    Introduction

    Public Key Infrastructure (PKI) certificates are absolutely necessary in today's connected world. SuperOffice CRM Online requires that all applications support a secure SSL environment, and this article covers the various ways of ensuring your applications can exchange information with SuperOffice CRM Online in a safe and secure manner. It covers how to configure your certificates in a Windows certificate store, as well as alternatives for when that's not an option.

     

    Installing Certificates in Windows Certificate Store

    Certificates are necessary to validate the tokens that SuperOffice CRM Online issues to partner applications in the three online environments: SuperOffice Online Development (SOD), Stage and Production.

    The different environments use different certificates for signing and validating security tokens. In Figure One, each of the “SuperOffice CRM {Environment} Federated Login” signing certificates is linked to a shared “SuperOffice Online {Environment} CA” environment certificate. All the environment certificates are generated from a linked “SuperOffice Online Root CA”.

    Figure One: SuperOffice Certificate Hierarchy.

     

    The certificates download, available on the Example Downloads page, includes the three certificates that must be installed on the application machine.

     

    Figure Two: SuperOffice Online Development environment certificates.

     

    By the end of this section you will be able to open the SuperOffice Online Development Federated Login certificate and observe the Certification Path as seen in Figure Three. This is the easiest way to verify that the certificates have been configured correctly on the machine where the application resides.

     

    Figure Three: SuperOffice Online Development Federated Login certificate Certification Path.

     

    Installation Procedure for SuperOffice CA Certificates


    1) Start->Run: mmc.exe

     

    2) Click File->Add/Remove Snap-in

    3) Select “Certificates”

    4) Click Add

     

    5) Select “Computer account”.

     


    6) Click Next

    7) Choose Local computer


    8) Click Finish


    9) You should now see the following screen with “Certificates (Local Computer)” on the right pane.

     

     

    10) Click OK

    11) Right click on Trusted Root Certification Authorities

    12) Click All Tasks->Import

    13) You should now see the following screen:



    14) Click Next
    15) Select SuperOfficeRoot.crt file from disk

     

    16) Click Next

    17) Make sure Place all certificates in the following store is selected. Click Next.

     

    18) Click Finish

     


    19) Repeat steps 11 – 18 with SuperOffice{Environment}.crt certificate.


    Installation Procedure for Remaining Certificate

    1) Repeat steps 1-11, this time right-clicking on Trusted People.

    3) Click All Tasks->Import

    4) Repeat steps 13 - 18 with SuperOfficeFederatedLogin.crt

     

    Troubleshooting

    Verify that the certificates are installed correctly by opening mmc.exe, adding the Certificates snap-in and selecting the computer store. Select the Certificates folder of Trusted People. Identify the correct Federated Login certificate and verify the certificate path, as seen in Figure Three.

    Validate that the thumbprint of the certificate is correct:

     

    With the certificates properly configured, your application will now be able to validate all SAML and JWT tokens issued by SuperOffice CRM Online.
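
    The import steps and the Troubleshooting checks above, as a PowerShell script. This is an added example, not part of the original article or SuperOffice tooling; the parameter names and folder layout are assumptions, and the expected thumbprint must come from a source you trust because the article does not list it.

```powershell
# Added example: scripted equivalent of the MMC import and the Troubleshooting checks.
# Run from an elevated PowerShell session (the Local Computer stores need admin rights).
param(
    # Assumed folder holding the three .crt files from the certificates download.
    [Parameter(Mandatory)] [string]$CertDir,
    # File name of the environment CA, i.e. the SuperOffice{Environment}.crt file.
    [Parameter(Mandatory)] [string]$EnvironmentCaFile,
    # Thumbprint you expect for the Federated Login certificate, taken from a
    # source you trust. The article does not list it, so none is defaulted.
    [Parameter(Mandatory)] [string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

# Steps 11-19: root CA and environment CA -> Trusted Root Certification Authorities.
foreach ($file in 'SuperOfficeRoot.crt', $EnvironmentCaFile) {
    Import-Certificate -FilePath (Join-Path $CertDir $file) `
        -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Remaining certificate: Federated Login signing certificate -> Trusted People.
$login = Import-Certificate `
    -FilePath (Join-Path $CertDir 'SuperOfficeFederatedLogin.crt') `
    -CertStoreLocation Cert:\LocalMachine\TrustedPeople

# Thumbprint check. Values copied from the certificate dialog often carry spaces or
# invisible characters, so keep hex digits only before comparing.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($login.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: store has $($login.Thumbprint), expected $expected"
}

# Certification Path check (Figure Three): build the chain against the machine stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
# Assumption: revocation is not checked; this verifies path building only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($login)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Certification path does not end in a trusted root; check the Root store imports.'
}

# Print the path leaf-first so it can be compared with Figure Three.
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

    A thumbprint mismatch or a failed chain build stops the script with an error, so it can gate a deployment on each machine that hosts the application.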

     

    Conclusion

    This article demonstrated how to set up SuperOffice CRM Online certificates on Windows. This procedure must be completed on all machines that will host your application, for all environments: development, stage and production.

    What do you do when your application is hosted in an environment where you do not have access or permissions to install certificates in the Windows certificate store? In this case you must programmatically override the certificate resolver and provide the location on disk where the SuperOfficeFederatedLogin.crt certificate resides. For this scenario, see the Overriding Certificate Resolver article.