Automatic Certificate Management for Devices

(Why You Need Automatic Certificate Management for Intranet Web Servers)

not-secure If you use an embedded web server for device management, you may have noticed that browser vendors flag non-SSL/TLS-enabled web servers as insecure. This means that more and more device manufacturers are transitioning to HTTPS to ensure secure communication. It is important to know the challenges of providing trusted, secure communication. Without trust, it's easy for anyone to hack your server. In this article, we'll explore the challenges of establishing trust and how to provide simple, hassle-free solutions to ensure the security of your embedded web server.

The challenges:

If you are already using a TLS-enabled web server, you know firsthand the challenges of configuring a certificate solution that does not trigger a red flag in the browser. If you are not using TLS yet, be prepared for a few surprises when you enable it for your embedded web server solution. While TLS is often thought of as a way to encrypt communication between the web browser and web server, it is essential to remember that trust is also a key component.

If the browser cannot trust the server, the encryption provided by TLS becomes irrelevant.

That is why web browsers show a warning when a web server returns a non-trusted SSL certificate. In the figure below, you can see an example of the warning that appears in the web browser when this happens.

Browser-SSL-Warning

TLS completely falls apart if the browser is unable to trust the server!

For a web browser to trust a TLS-enabled web server, the following criteria must be met:

  1. The server's SSL certificate must have been signed by a Certificate Authority (CA) trusted by the browser [1].
  2. The domain name or IP address in the browser's URL bar must match the name in the web server's signed X.509 certificate. For example, when navigating to https://device.company.com, the browser checks that the domain name (URL) matches the name stored in the certificate received from the server.
  3. The server's SSL certificate must be valid and not expired.

[1] The client computers, including PCs, tablets, and phones, must have the Certificate Authority (CA) certificate stored in the Certificate Store. A web server is not trusted if the CA that signed the server's certificate is not pre-installed in the Certificate Store. To better understand the Certificate Store, view the pre-installed CA certificates on your computer; for example, on Windows, run the command certmgr.msc to open the Certificate Store. See the article Introduction to PKI for details.

You are probably at this point getting the picture that this is not so easy to manage for embedded devices. Maybe you already sell a TLS-enabled product and simply push this problem to your end customer(s);  however, it is virtually impossible for non-technical users to get this working. As we mentioned above, using a non-trusted HTTPS connection is no more secure than using a non-secure HTTP connection. The reason for this is that the browser cannot distinguish between a man in the middle and the real device if the web browser is unable to trust the embedded web server.

If your customers are super techies, they may elect to be their own Certificate Authority; however, the administrative work involved, even for SSL experts, is just enormous. In any event, your product would look much more professional if you could provide a solution that completely automates certificate management. What you need is a solution that enables your customers to browse to their newly purchased devices without getting any errors in the browser.

Solutions:

Thanks to the new Certificate Authority Let's Encrypt, it is now possible to completely automate the installation of free and trusted certificates for web servers deployed within private networks. However, Let's Encrypt requires the use of a new security protocol for its automated certificate management. In addition, a DNS service for private web servers must be used together with the Let's Encrypt service.

We provide two products that enable the automatic installation of Let's Encrypt signed certificates for private web servers.

Automatic Certificate Management Introduction:

SharkTrust:

SharkTrustX:

Discover More:

No matter what your background or project goals, we're here to help you find the perfect solution! Are you a maker looking for the right tools? A startup trying to get off the ground? A large business seeking new software solutions? We've got you covered.

If you have any questions or just aren't sure which product is right for you, don't hesitate to reach out. Our team is dedicated to helping you overcome your hardware/software challenges and find the best solution for your needs. Let us know how we can help - we'd love to lend a hand!


OPC-UA

OPC-UA Client & Server

An easy to use OPC UA stack that enables bridging of OPC-UA enabled industrial products with cloud services, IT, and HTML5 user interfaces.

Edge Controller

Edge Controller

Use our user programmable Edge-Controller as a tool to accelerate development of the next generation industrial edge products and to facilitate rapid IoT and IIoT development.

On-Premises IoT

On-Premises IoT Platform

Learn how to use the Barracuda App Server as your On-Premises IoT Foundation.

Embedded Web Server

Barracuda Embedded Web Server

The compact Web Server C library is included in the Barracuda App Server protocol suite but can also be used standalone.

WebSocket Server

Microcontroller Friendly

The tiny Minnow Server enables modern web server user interfaces to be used as the graphical front end for tiny microcontrollers. Make sure to check out the reference design and the Minnow Server design guide.

WebDAV Server

Network File System

Why use FTP when you can use your device as a secure network drive.

HTTP Client

Secure HTTP Client Library

PikeHTTP is a compact and secure HTTP client C library that greatly simplifies the design of HTTP/REST style apps in C or C++.

WebSocket Client

Microcontroller Friendly

The embedded WebSocket C library lets developers design tiny and secure IoT applications based on the WebSocket protocol.

SMTP Client

Secure Embedded SMTP Library

Send alarms and other notifications from any microcontroller powered product.

Crypto Library

RayCrypto C Library

The RayCrypto engine is an extremely small and fast embedded crypto library designed specifically for embedded resource-constrained devices.

Embedded PKI Service

Automatic SSL Certificate Management for Devices

Real Time Logic's SharkTrust™ service is an automatic Public Key Infrastructure (PKI) solution for products containing an Embedded Web Server.

Modbus

Modbus TCP client

The Modbus client enables bridging of Modbus enabled industrial products with modern IoT devices and HTML5 powered HMIs.

Posted in Whitepapers