8

I am trying to add HTTPS to the embedded devices I am working on. These devices are generally assigned local IP addresses and so cannot get their own SSL certificates.

So essentially my question is: how does one get a certificate for a device without a global IP address?

Assumptions:

Browsers won't trust certificates unless they've been verified by a trusted CA.

However you can only get a verified certificate for a globally unique domain.

Those darn customers insist on local IP addresses.

Similar question here


Hypothesis A:

  1. Get a certificate for main company website
  2. Copy that cert. + private key to all devices
  3. User connects to device
  4. Device sends cert. to user
  5. User sees cert. is trusted (ignores that it's not for this server??)
  6. User encrypts HTTP using public key in cert
  7. Device uses private key

Results:

  1. Browser complains about name mismatch
  2. Customers have access to each other's private key
  3. Not very secure

Hypothesis B:

  1. Get a certificate for main company website FOR EACH DEVICE
  2. Copy a cert. + private key to each device
  3. User connects to device
  4. Device sends cert. to user
  5. User sees cert. is trusted (ignores that it's not for this server??)
  6. User encrypts HTTP using public key in cert
  7. Device uses private key

Results:

  1. Browser complains about name mismatch
  2. Secure

Hypothesis C:

  1. Create self-signed cert for each device
  2. Copy a cert. + private key to device
  3. User connects to device
  4. Device sends cert. to user
  5. Firefox has a canary
  6. User encrypts HTTP using public key in cert
  7. Device uses private key

Results:

  1. Browser complains about self-signed cert
  2. Self-signed cert could be man-in-middle attack
Shiftee
  • It's not clear exactly what the problem is you're trying to solve. Can you possibly update your question to include a problem statement before all your options? – larsks Aug 09 '12 at 16:01

2 Answers

3

If the customer insists on local IP connectivity you don't even need to leverage a worldwide Public Key Infrastructure by reaching out to "known" Certificate Authorities.

Just set up your own local PKI with its own local CA and distribute your CA's certificate to all the clients. Then use that CA to issue certificates to the devices and they'll be trusted by the clients.

Luke404
  • You get this for free with Windows Active Directory: certificates created using the AD certificate authority are created using a domain CA certificate, so all users using Internet Explorer in that domain already have a valid certificate chain built-in. – longneck Aug 10 '12 at 12:30
  • 1
    Okay, I think I'm going to ship with self-signed certificates but include a feature to allow the customers with their own CAs to upload their own. I will send them the certificate serial number and encourage them to verify it when they get the browser warning (very few people will use each device). Not perfect but it's a start – Shiftee Aug 10 '12 at 14:47
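
The local-CA approach from the answer above, sketched with the `openssl` command line. This is an added example, not code from the answer's author; the CA name, the device name `device-0001`, the file layout and the address 192.168.1.50 are constructed placeholders. Each device gets its own key, and its LAN address goes into the certificate's subjectAltName so a client that trusts `ca.crt` sees no name mismatch.

```sh
#!/bin/sh
# Added example: a private CA that issues one certificate per device, bound to
# the device's LAN address. Names, paths and 192.168.1.50 are constructed.

# make_ca DIR: create the CA key and a self-signed CA certificate.
make_ca() {
  mkdir -p "$1" || return 1
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Devices
CN = Example Local Device CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt"
}

# issue_device_cert DIR NAME IP: unique key per device, IP in subjectAltName.
issue_device_cert() {
  d=$1; name=$2; ip=$3
  openssl req -new -config "$d/ca.cnf" -subj "/CN=$name" -newkey rsa:2048 \
    -nodes -keyout "$d/$name.key" -out "$d/$name.csr" || return 1
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$ip" > "$d/$name.ext"
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$d/$name.ext" -out "$d/$name.crt"
}

# verify_device DIR NAME IP: succeeds only if the chain leads to our CA and the
# certificate's SAN contains IP (the check a client trusting ca.crt performs).
verify_device() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/$2.crt" >/dev/null 2>&1
}

demo() {
  w=$(mktemp -d) && make_ca "$w" &&
    issue_device_cert "$w" device-0001 192.168.1.50 &&
    verify_device "$w" device-0001 192.168.1.50 && echo "trusted for 192.168.1.50"
  verify_device "$w" device-0001 192.168.1.51 || echo "rejected for 192.168.1.51"
  rm -rf "$w"
}
demo
```

Only `ca.crt` is distributed to clients; `ca.key` stays with whoever operates the CA and never goes onto a device.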
0

Is getting a wildcard certificate and using it as a subdomain for your devices an option?

As long as your devices are on DNS locally, IP addresses should not matter.

user9517
Chida
  • Well, the devices won't really have anything to do with the main domain. In most cases the device will be located on the customer's private LAN. I want the cert so the user can know they are communicating with a device which has a private key associated with my company. Sorry if I've completely missed your point – Shiftee Aug 10 '12 at 12:17