SSL certificates for Zoho Creator On-Premise
Enterprises secure the communication between clients and servers, both internal and external, using digital certificates. These certificates provide authentication and help protect the data that’s exchanged between the client and server machines.
For trial purposes, Zoho Creator On-Premise comes bundled with a self-signed certificate. Though usable, this certificate is not safe enough.
Note:
- We strongly recommend that you use a valid SSL certificate obtained from a trusted Certificate Authority (CA), especially before moving to the production stage.
- If you've hosted Creator on a local domain, you can still use a self-signed certificate generated from your organization's own customized CA. Such a certificate cannot be trusted until it is deployed on every client server. Once deployed, it vouches for a secured connection that is valid inside your organization.
Risks of using a self-signed certificate
Though the self-signed certificate is usable, a valid SSL certificate obtained from a trusted CA is a must-have security measure. Below are the potential risks of continuing to use the self-signed certificate:
- If you've hosted Creator on a public domain, this self-signed certificate cannot prevent attackers from impersonating application users and stealing information like user credentials and session cookies. Instead, obtain a valid SSL certificate from a trusted Certificate Authority (CA) such as Let's Encrypt.
- Advising your employees to ignore the certificate warning can encourage dangerous public browsing behavior. Employees accustomed to ignoring warnings on internal sites may be inclined to ignore warnings on public sites as well, leaving them, and your organization, vulnerable to malware and other threats.
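The trust behaviour behind the note on organization CAs and the risks listed above, as an added example (not Zoho's code or tooling): it uses the openssl CLI to build throwaway certificates and checks which client trust stores accept them. The host name creator.corp.example, the CA names, and all keys and certificates are constructed for the illustration.

```shell
#!/bin/sh
# Added example with constructed data: creator.corp.example and the CA names are
# hypothetical, and every key and certificate is a throwaway generated here.
set -eu

# True when subject and issuer are the same name: no CA vouches for the cert.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when certificate $2 chains to a CA in PEM file $1, the client's trust store.
# (OpenSSL may also read the system CA directory; it cannot hold these demo CAs.)
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# new_self_signed NAME COMMON_NAME: key plus self-signed certificate in $DEMO.
new_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$DEMO/$1.key" -out "$DEMO/$1.pem" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

new_self_signed trial creator.corp.example  # stands in for a bundled trial cert
new_self_signed ca "Example Internal CA"    # the organization's own CA
new_self_signed other "Unrelated CA"        # all that an unmanaged client trusts

# Server certificate for the same host, issued by the internal CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=creator.corp.example" \
    -keyout "$DEMO/server.key" -out "$DEMO/server.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/server.csr" -CA "$DEMO/ca.pem" -CAkey "$DEMO/ca.key" \
    -CAcreateserial -days 30 -out "$DEMO/server.pem" 2>/dev/null

report() {  # report LABEL STORE CERT
    if client_trusts "$2" "$3"; then echo "$1: trusted"
    else echo "$1: NOT trusted"; fi
}
is_self_signed "$DEMO/trial.pem" && echo "trial cert is self-signed"
report "trial cert, client with org CA"      "$DEMO/ca.pem"    "$DEMO/trial.pem"
report "issued cert, client with org CA"     "$DEMO/ca.pem"    "$DEMO/server.pem"
report "issued cert, client without org CA"  "$DEMO/other.pem" "$DEMO/server.pem"
```

Only the certificate issued by the internal CA, checked by a client that holds that CA, verifies. The same certificate fails on a client that was never given the CA.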
Security alert in mobile app upon connecting to self-signed hosts
For trial purposes, Zoho Creator On-Premise is bundled with a self-signed certificate. Though usable, this certificate is not secure enough. Until you use a valid SSL certificate issued by a trusted Certificate Authority (CA), end users will see a security alert when accessing the Creator host via mobile apps.
- If you're an end user:
- If you're seeing this alert while using our Android or iOS app, you can notify your IT administrator about this.
- Meanwhile, you should be aware that there are potential security risks while accessing an insecure server. Attackers could intercept your connection to the server and steal information such as your passwords, credit card details, and other credentials.
- If you're the admin:
- If you've hosted Creator on a public domain, this self-signed certificate cannot prevent attackers from impersonating application users and stealing information like user credentials and session cookies.
- Advising your employees to ignore this warning can encourage dangerous public browsing behavior. Employees accustomed to ignoring warnings on internal sites may be inclined to ignore warnings on public sites as well, leaving them, and your organization, vulnerable to malware and other threats.
- Solution: You can prevent this warning from appearing by using a valid SSL certificate obtained from a trusted CA. We recommend that you do so, especially before moving to the production stage.