We are building an IoT architecture consisting of a API gateway and other services deployed on the cloud. The server uses a letsencrypt SSL certificate, so it is possible to communicate over SSL with the server. There are a number of hardware devices which send data to the server. We want to use x.509 certificate based communication and authentication from the devices to the server. I have two questions in this regard,
Is it possible to use letsencrypt certificate to generate the x.509 based certificate which can be configured on the device. If yes, what are the steps to do so
Since a letsencrypt certificate expires after 90 days, does it mean that after every 90 days, we will have to renew the certificates on all the devices? If yes, is there any best practice to handle such situations
Unfortunately, Let's Encrypt does not support intermediate certificates, so you wouldn't be able to generate your "own" certificates for your devices.
Related
I can't understand which is the real benefit of using a CA certificate when it comes to secure communications between servers and IoT devices.
I'm working at an IoT device that uses Ubuntu as OS and I was planning to use CA certificate. But what happen if my users are not updating their devices firmware?
now that certificates expires after 1 year and considering that some users are not updating their IoT devices for a long time... the risk I'll run into is that those devices could not be updated after the cert expires since they can't communicate with my servers.
With a self signed cert I can set an expiration of 45 years and anyway I'll be to authority and I can revoke or decide when it is time to release a new cert or even cross signing certificate.
I'm obviously talking only about the communication between the device and servers... the rest api for users will use a default CA cert.
Another option that I'm considering is to use a CA cert for device and servers communication but also adding a self signed certificate that I can use as backup in case the the main certificate expires and the device needs to download new software (that will contain the new certificate) is this a viable solution?
Should I handle certificates in this way?! or maybe should I just use the OS root store and ensure that it is updated somehow? (in this case ... how?... the only way is to release an update of the device firmare I suppose)
Certificates are used for authentication and encryption. See https://www.ssl.com/faqs/what-is-a-certificate-authority/
If you want to make sure that, data you are receiving is coming from authenticated devices then you will use certificates.
You can use certificates to encrypt each and every request. But it will be heavy on resources. Or you use certificates to for authentication and return an JWT token for further request. (This is how service account works in cloud.)
Manual certificate management will become complicated in no time.
Service account is a common way to authenticate apps/ devices. Keycloak is an open source option to support service accounts.
You should keep device updation separate from authentication. Device updation may or may not happen on authenticated device. And waiting for certificate expiration to update the device sounds strange.
I am using let's encrypt now, and I am planning on using my own CA from now on. The usage is for personal media server and cloud storage.
Now I can install the root CA on the devices I own, but occasionally I get visitors when I share stuff. I provided the certificates to install for the visitors and not all of them do that.
My question is, is it possible to use my rootCA signed certificate if it is installed on client system/browser, or else to fallback and use let's encrypt.
Let's encrypt is good enough, but re-issuing every 3 months and verifiying domains is a pain, especially when there is no wild-card.
No. The ClientHello message doesn't include any information about recognized CAs.
I am developing an app to run in Cloud Foundry.
The app makes constant connections to a web service using https protocol.
The web service uses a pair of self-signed certificate created by openssl.
As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate.
However, the web service IP address varies from time to time. The ssl certificate has to be re-generated each time.
In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
Register a host name in DNS. In that case, the certificate is only bound to host name. (Might not be possible cos of the budget. )
Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, is there any other CF preferred ways?
Thank you
This is a bit old, but in case this helps...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). As you are uploading this certificate in your application (i.e. to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address.
I have a RESTFul API that I want to secure using SSL Certs. If I were to get some SSL certificates, would I need separate ones for each of my web clients that use my API or would the API be the only thing that needs the certificate?
The SSL certificate is installed on your web server hosting your REST API. The clients don't need to have a certificate to securely exchange data with your server.
Think about all the e-banking/e-shopping sites that you probably use. You don't specifically install any certificates on your computer to be able to use them. As long as you trust the certification authority that issued the certificates to those websites (handled by your computer transparently), your computer can connect to them over SSL.
So, as long as your own server's SSL certificate is valid and issued by a trusted certification authority, your clients will be able to connect securely over SSL without needing separate certificates.
SSL Certificates are for Web Server. You install them in your Web Server. Certificates are matched to your domain. They have nothing to do with the clients. Any client can access your server if you have a valid certificate.
I think you have multiple Resful API's.
Now you need not have separate Certificates for API's since Certificates are matched to your server's domain and not to the API's you host. You can have any number of API's and Clients connected to your server using a SSL Certifcate.
If I use SSL for my app to communicate with my server, can I use any SSL certificate, like those issued by goDaddy? I understand the reason people buy Verisign certificates(which are terribly expensive) is that they are supported by all browsers. But if I have no browser component, and the communication is between my app and my services, can I go for a cheaper one?
How SSL works
The Goal of SSL Certificates is to ensure no Man In the Middle is earsdropping on your encrypted communication. When your app is connecting to your server, your server therefore presents a certificate which tells, that the used encryption key really belongs to your server. This certificate is cryptographicly signed by a trusted party, such that the man in the middle can not forge such a certiifcate. Your app has to know the cryptographic key of the trusted party in advance to verify this signature.
Use godaddy certificates
You can use any certificate made by a trusted party which is known by your app. If you include the godaddy cryptographic key (called root certificate) in your app you can use godaddy certificates.
Use your own zero cost certificate
For you and your app, you yourself can be a trusted party for certificate signing. You can use your own self generated certificate without paying anyone for it. You only need to include your own certificate in your app. You can find a tutorial on how to generate a self signed certificate at http://www.akadia.com/services/ssh_test_certificate.html .