Automatic SSL Certificate Management for Intranet Web Servers

Real Time Logic's SharkTrust™ is an automatic Public Key Infrastructure (PKI) solution for Intranet Web Servers, such as products containing an Embedded Web Server. SharkTrust is a free product, and the source code is available on GitHub.

By using SharkTrust™, you eliminate the technical difficulties of setting up an SSL Certificate for a private network for the users of your product, streamlining their experience with your product, and making them feel effortlessly safe and secure. For your company, this means less time and resources spent on support explaining difficult and lengthy technical processes to your users. By implementing SharkTrust™ service in your product, even users without any knowledge of Public Key Infrastructure (PKI) will find it simple and easy to securely access all their devices.

It's All About the Trust

Is the following what your customers see when they first start using your embedded web interface?

Browser SSL Warning

A user who is forced to bypass the browser's security warning cannot distinguish a man-in-the-middle attack from the server's own untrusted certificate. See the tutorial "hack any web server enabled product" for more information.

Why you need SharkTrust™

When you create a product containing an Embedded Web Server, you are faced with the problem of ensuring that your users can securely communicate with your device from any web browser.

Some device manufacturers avoid the problem altogether by simply offering an HTTP connection, but that comes with a growing set of disadvantages. Many companies mandate security even on a private network, especially when critical and sensitive information passes across it, and failing to provide HTTPS might make them hesitant to use your product. Also, many browsers are now flagging all HTTP connections as insecure, which means that not only would your users be confronted with an uncomfortable message warning them of an insecure connection when they attempt to connect with their devices, but many browser features which rely on HTTPS, such as password managers, will not work. This has the potential to damage the user experience of your product, and for this reason many device manufacturers are moving to HTTPS.

A self-signed certificate is not an option

Products featuring a self-signed SSL certificate still face problems with modern browsers, which do not trust these certificates, triggering a warning of an insecure connection to users of your product. Although these warnings can be bypassed, doing so makes the connection essentially an HTTP connection, which limits certain browser features that rely on HTTPS, resulting in a negative impact on the experience of your users when communicating with their devices.

Purchasing a certificate is not an option

Purchasing a certificate from a Certificate Authority (CA) is a way for your users to have a secure HTTPS connection when communicating with their devices. However, CAs do not issue certificates for private networks, and this means your users must implement a Public Key Infrastructure (PKI) solution to get one. Existing PKI solutions typically require that users go through a lengthy, technically-challenging setup process, which makes using your product securely much more difficult for them. PKI tutorials are typically targeted at engineers, and your users may find them difficult to understand and follow. Additionally, you may find yourself spending valuable resources supporting customers with this process, causing headaches both for you and your customers.

Browser vendors are working hard on reducing certificate lifespan

Apple's Safari browser now limits certificate validity to one year, and the other browser vendors will soon follow. The question is "Where do things go from here?" Since long-lived certificates are a security risk, browser vendors will move to even shorter renewal periods. Eventually all browsers will refuse certificates with expiration dates longer than 3 months, and manually updated certificates will become too time consuming and impractical.

Benefits of SharkTrust™

With SharkTrust™, you do not have to worry about ensuring safe and secure communication with your product from any browser, and neither do your users. By connecting to an online web interface, users can access information about all the devices on their network, and connecting to a device securely is as simple as clicking on it.

SharkTrust™ works with any embedded web server and TLS product, enabling you to integrate our automatic DNS and certificate management solution as a go-to option for customers requiring a configuration-less PKI solution for their private network.

SharkTrust's root certificate (CA certificate) is directly trusted by all major browsers and operating systems, including those from Microsoft, Google, Apple, Mozilla, Oracle and Blackberry. This means that no matter what device or browser is used to connect to your product's Embedded Web Server, your users will never see warning screens about insecure connections.

  • Automatically resolve DNS for private networks and manage certificates for your device
  • No need for a manually-configured static IP address for your device - it can simply connect to a company's private network and use a dynamic IP
  • Eliminate the usual hassle of setting up a PKI infrastructure - your device automatically connects to the SharkTrust™ network, registers a dynamic IP, and downloads the required SSL certificate

SharkTrust Details

SharkTrust uses the automated Let's Encrypt Certificate Authority. SharkTrust is designed for microcontroller based products, where the devices do not have sufficient processing power and/or memory for the Automatic Certificate Management Environment (ACME) protocol specified in RFC-8555. With SharkTrust, the ACME protocol steps required by RFC-8555 (private key generation, the certificate signing request, and the associated cryptography) are handled by an online cloud server. The software for the online service is a source code product provided by us, and you may use the software to host your own service either directly or with help from our consulting partners.

SharkTrust Let's Encrypt Bridge

The device only needs to conform to the easy-to-implement SharkTrust Binary Protocol. SharkTrust may be used by any microcontroller based solution with any embedded TLS stack, as long as the TLS stack can load a standard X.509 certificate and the associated private key.

SharkTrust Requirements

  • SharkTrust is designed for devices (or software) installed within an Intranet and with private IP addresses (e.g. 192.168.x.x).
  • The devices with the embedded SharkTrust software must have Internet access as a TCP/IP network client. In other words, SharkTrust must be able to connect as a client to the online SharkTrust service. The Internet access does not need to be persistent; it is needed only when updating the certificate, once every 2 to 3 months.
  • The SharkTrust service requires code in the device that complies with the SharkTrust Binary Protocol Specification (PDF).
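Because a device only reaches the service every 2 to 3 months, an operator will want to confirm that each device's short-lived certificate is actually being renewed. The following is an added example (not SharkTrust code, and not its binary protocol): a standard-library-only parser that reads the validity period from a DER-encoded X.509 certificate and decides whether renewal is due. The 90-day lifetime, 30-day renewal margin and the unsigned certificate skeleton built by `build_sample_cert` are constructed sample values, not SharkTrust's.

```python
from datetime import datetime, timezone, timedelta

def _der(tag, body):  # encode one DER TLV (short- or long-form length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos):  # decode one DER TLV at pos -> (tag, body, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ: two-digit year, RFC 5280 pivot at 50
        yy = int(s[:2])
        s = f"{yy + (1900 if yy >= 50 else 2000)}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] EXPLICIT version present
        _, _, pos = _tlv(tbs, pos)       # serialNumber
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)           # issuer Name
    _, validity, _ = _tlv(tbs, pos)      # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def renewal_due(der, now, min_days_left=30):
    """True when fewer than min_days_left remain, or 'now' is outside the validity period."""
    not_before, not_after = cert_validity(der)
    return now < not_before or not_after - now < timedelta(days=min_days_left)

def build_sample_cert(not_before="250101000000Z", not_after="250401000000Z"):
    """Constructed, unsigned skeleton with a real certificate's field layout (test input only)."""
    utc = lambda t: _der(0x17, t.encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                 # version v3
           + _der(0x02, b"\x01")                            # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))   # issuer, validity
           + _der(0x30, b"") + _der(0x30, b""))             # subject, subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real device, pass the DER bytes obtained from its TLS endpoint (for example via `ssl.get_server_certificate` converted with `ssl.PEM_cert_to_DER_cert`) to `renewal_due` with the current UTC time.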

SharkTrust can be used in a device as an option in addition to existing PKI infrastructure. See the tutorial Certificate Management and Chain of Trust if you are new to PKI.

Get Started with SharkTrust

Download from GitHub

SharkTrust client examples and the SharkTrust portal can be downloaded from the SharkTrust GitHub page. Note that SharkTrust is an advanced tool that typically requires an initial consultation provided by Real Time Logic. Contact us to schedule an initial consultation.

See also the eXtended SharkTrust version:

SharkTrustX is a product that extends SharkTrust with additional features such as external access to Intranet web servers.

The following video shows how SharkTrustX automates installation of a trusted certificate on a microcontroller.