Using TLS Client Authentication with AIR Applications

Passwords remain de rigueur for authenticating clients, but applications with stricter security requirements may require an additional authentication factor. Adobe AIR-based applications can use client-side Transport Layer Security (TLS, also still referred to as SSL) authentication to add this second factor.

Many developers are familiar with the use of TLS in the HTTPS protocol to establish the identity of the server to which a client is connected. The server proves its identity with its private key, and the client validates the server's certificate against a trusted certificate installed on the client machine. What is less well known is that TLS authentication can be symmetric: the same certificate-based validation scheme can be used to authenticate both the server to the client and the client to the server.

The setup details will vary based on which web server and operating systems you’re running. Still, here’s a sketch of the steps involved to get it working. On the server:

  1. Create or select a certificate authority that will issue certificates for each client machine.
  2. Configure your web server to require TLS client authentication.
  3. Configure your web server to trust, for TLS authentication purposes, certificates issued by your certificate authority.

Then, for each client:

  1. Generate a private key for the client.
  2. Generate a certificate signing request for the client, based on this key.
  3. Create, using your certificate authority, a signed certificate for the client.
  4. Install this certificate into the system trust store on the client.
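As an added example (not code from the original post), here are the server-side and per-client steps above carried out with Go's standard library: the CA signs a certificate from the client's CSR, and the server accepts a presented certificate only if it chains to that CA and carries the client-authentication key usage. The CA name, the serial numbers, the one-day validity and the P-256 keys are constructed for the example, and the `must` helper assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error so the issuance steps below read top to bottom.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA is server step 1: a self-signed authority whose only job is issuing client certificates.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// IssueClientCert is client steps 1-3: fresh key, CSR, and a CA-signed certificate limited to client auth.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	must(csr, csr.CheckSignature()) // the CA sees only the CSR; its signature proves the requester holds the key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// ServerAccepts is server step 3: trust only certificates that chain to our CA and are marked for client auth.
func ServerAccepts(ca, client *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Step 4 (installing the issued certificate and its key into the client's system trust store) is OS-specific and is left to the platform's own tooling; the private key never leaves the client in this flow.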

Note that none of these steps is specific to AIR. AIR uses the underlying OS network stack for HTTP, HTTPS, and TLS support, and all AIR TLS connections use the system trust store to look up certificates and access private keys. This produces consistent behavior across all applications on your machine, whether they are built on AIR or not. If you already have an enterprise solution in place for managing the trust store, it also means you can reuse that solution to distribute and maintain certificates and keys for AIR applications, too.

The certificates used in TLS client authentication, by virtue of being installed on and tied to a specific machine, authenticate by proving something you have. This makes them a perfect complement to passwords, which are something you know. Together, they create a reasonable and available two-factor authentication scheme for your AIR applications.

8 Responses to Using TLS Client Authentication with AIR Applications

  1. Milos says:

    That is for HTTP, but for SMTP we cannot rely on the underlying OS network stack and must implement our own TLS support, which is a bit tricky to do right now.

  2. Vertex says:

    Thanks it is very useful.

  3. Ben Hardill says:

    Thanks for this, it helped a lot. I just want to check: you use IE’s trusted CA certs on Windows? Just trying to work out where I need to get my users to add a self-signed cert for a little internal project.

    [Yes, AIR uses the same set of certificates as IE. —Oliver]

  4. Tim Goodman says:

    That’s great. However, let’s say you have an HTML object in AIR that navigates to a secure https page. Can you display the page’s SSL certificate to the user?

    [No, I don’t believe there’s any straightforward way to do this. —Oliver]

  5. Dmitry says:

    Thanks, and a question: does it work with WebService?

    [Yes, as long as your WebService is accessed via HTTPS. —Oliver]

  6. Arlen says:

    We’d like to do the same thing on Linux. What’s the equivalent of the “system trust store” there?

    [The short answer is that there isn’t one. I’m looking into whether or not there’s a workaround for AIR on Linux, and will post a follow-up. —Oliver]

  7. Gonçalo says:

    You replied to Dmitry that it works with web services…
    Thing is, I’ve installed a certificate in my system to access a service through https…
    Everything goes well when I test it in the Flash Builder console (the services test). However, when I run the AIR app it pops up that the certificate issuer is unknown, and even if I choose to trust it I end up not receiving any answer from the services (the request never gets made). Do you have any idea how to solve this?

  8. Daniel says:

    Hi, nice article. The article states TLS works using the underlying OS. I’m facing an issue with web services running on SSL with client authentication on iOS devices (AIR 3.1). Using the server cert (installed on the iPad, trusted) it completes the request, but when we add client auth to complete a handshake it seems AIR cannot load the client cert on the iPad and send it back to the server when requested (also, this client cert is trusted on the iPad).

    Has anyone really tested this at Adobe? Do I need any additional security XML in the AIR app to access an external secure service?

    I have similar behavior to what you are experiencing, Gonçalo, running on Windows Flash Builder 4.6 with the certs imported and trusted into the Windows cert store. I keep receiving the ‘Trust’ popup (which never displays on iOS; it just kicks me out).

    Did you find any solution to this? It seems we have a similar issue…