Automatic SSL Certificate Management for Intranet Web Servers

SharkTrust™ revolutionizes how you handle security (PKI) for your internal web servers. Whether you have a product with an Embedded Web Server or any other type of server, SharkTrust can help you automate and streamline the PKI process. And the best part? SharkTrust is free to use, with the source code available on GitHub for your convenience. Trust SharkTrust to keep your PKI organized and your business moving forward.

Understanding certificate management and PKI can be complex and challenging. If you struggle with these concepts or need more clarity on SharkTrust, explore our tutorial on Certificate Management and Chain of Trust. This detailed guide will introduce you to the essential aspects of certificate management and help you understand the PKI concept.

With SharkTrust™, you can provide your users with a seamless and secure experience when using your product on a private network. Setting up SSL Certificates can be a technical and time-consuming process, but SharkTrust completely automates it, making it easy for even those without PKI knowledge to access all their devices securely. This enhances the user experience and frees your support team to focus on other important tasks. Don't let complicated PKI processes hold your product and business back - implement SharkTrust™ and see the benefits for yourself.

It's All About the Trust

Is the following what your customers see when they first start using your embedded web interface?

Browser SSL Warning

The user cannot differentiate between a man in the middle and the nontrusted server's certificate when the user is forced to bypass the browser's security warning. See the tutorial hack any web server-enabled product for more information.

Why you need SharkTrust™

As a device manufacturer, it's important to ensure that your customers can securely communicate with your product(s) through any web browser. While some manufacturers opt for a nonsecure HTTP connection, this has several disadvantages. Many companies now mandate security on private networks, especially when sensitive information is involved. Failing to provide HTTPS may discourage them from using your product. Additionally, many modern browsers are now flagging all HTTP connections as insecure, which can be off-putting for users and may even prevent certain browser features, like password managers, from functioning properly. This can negatively impact the user experience of your product. That's why many manufacturers are now turning to HTTPS to ensure secure communication and a positive user experience.

Self-signed certificate is not an option

Using a self-signed SSL certificate may seem like a simple solution for secure communication with your product, but it comes with its own set of challenges. Browsers do not trust these certificates, leading to a warning message for users about an insecure connection. While it is possible to bypass this warning, it effectively turns the connection into a non-trusted HTTP one, which can limit certain browser features that rely on HTTPS. This can hurt the user experience when communicating with their devices. It's important to consider these factors when choosing an SSL certificate for your product to ensure a positive user experience.

Purchasing a certificate is not an option

Purchasing a certificate from a Certificate Authority (CA) allows your users to have a secure HTTPS connection when communicating with their devices. However, CAs do not issue certificates for private networks, and this means your users must implement a Public Key Infrastructure (PKI) solution to get one. Existing PKI solutions typically require that users go through a lengthy, technically challenging setup process, making using your product securely much more difficult. PKI tutorials are typically targeted at engineers, and your users may find them challenging to understand and follow. Additionally, you may find yourself spending valuable resources supporting customers with this process, causing headaches both for you and your customers.

Browser vendors are working hard on reducing certificate lifespan

Appleā€™s Safari browser now limits certificate validity to one year and the other browser vendors will soon follow. The question is "Where do things go from here?" Since long-lived certificates are a security risk, browser vendors will move to even shorter renewal periods. Eventually, all browsers will refuse certificates with expiration dates longer than three months, and manually updated certificates will eventually be too time-consuming and impractical.

Benefits of SharkTrust™

With SharkTrust, you do not have to worry about ensuring safe and secure communication with your product from any browser, nor do your users. By connecting to an online web interface, users can access information about all the devices on their network, and connecting to a device securely is as simple as clicking on it.

SharkTrust™ works with any embedded web server and TLS product, enabling you to integrate our automatic DNS and certificate management solution as a go-to option for customers requiring a configuration-less PKI solution for their private network.

SharkTrust's root certificate (CA certificate) is directly trusted by all major browsers and operating systems, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. This means that no matter what device or browser is being used to connect with your product's Embedded Web Server, your users will never experience uncomfortable warning screens about unsecured connections.

  • Automatically resolve DNS for private networks and manage certificates for your device
  • No need for a manually configured static IP address for your device - it can simply connect to a company's private network and use a dynamic IP
  • Eliminate the usual hassle of setting up a PKI infrastructure - your device automatically connects to the SharkTrust™ network, registers a dynamic IP, and downloads the required SSL certificate

SharkTrust Details

SharkTrust uses the automated Let's Encrypt Certificate Authority and the Automatic Certificate Management Environment (ACME) protocol specified in RFC-8555.

We provide two SharkTrust versions:

  • SharkTrust is primarily designed for microcontroller-based products, where the devices do not have sufficient processing power and/or memory to deal with processing certificates directly. SharkTrust can be used by any WebServer but requires C code integration.
  • SharkTrustX is an eXtended version, which also optionally enables secure remote access to private Intranet web servers. SharkTrustX is designed as a ready-to-use plugin for the Barracuda App Server.

1: SharkTrust

With SharkTrust, the ACME protocol (including private key generation, certificate signing request, and cryptology required by RFC-855) is managed by an online cloud server solution. The software for the online service is a source code product provided by us, and you may use the software to host your own service directly or use our services.

SharkTrust Let's Encrypt Bridge

The device simply needs to conform to the easy to implement SharkTrust Binary Protocol. SharkTrust may be used by any microcontroller-based solution using any embedded TLS stack as long as the embedded TLS stack can load a standard X.509 certificate and the associated private key.

SharkTrust Requirements

  1. SharkTrust is designed for devices (or software) installed within an Intranet and with private IP addresses -- e.g., 192.168.x.x.
  2. The devices with the embedded SharkTrust software must have Internet access as a TCP/IP network client. In other words, SharkTrust must be able to connect as a client to the online SharkTrust service. Internet access does not need to be persistent. The access is needed when updating the certificate once every 2 to 3 months.
  3. The SharkTrust service requires code in the device that complies with the SharkTrust Binary Protocol Specification (PDF).
  4. SharkTrust can be used in a device as an option in addition to existing PKI infrastructure.

2: SharkTrustX

SharkTrustX comes pre-integrated as a ready to use Barracuda App Server plugin. Unlike SharkTrust, SharkTrustX communicates directly with Let's Encrypt using the ACME protocol (RFC-855). The plugin also manages private key generation, certificate signing requests, and required cryptology. An online service is still required but is limited to managing the DNS.

Let's Encrypt for Intranet servers

Internet Access:

SharkTrust and SharkTrustX require internet access to automatically update certificates approximately once every 2 to 3 months for each device. However, before excluding SharkTrust as an option simply because your customers do not have internet, consider the complexity of setting up a Public Key Infrastructure (PKI). Setting up a PKI is far from straightforward. For the average user or even businesses without dedicated IT specialists, this process can be daunting:

  1. Technical Challenge: PKI setup requires an understanding of certificate management, certificate chains, trust anchors, and numerous other intricacies.
  2. Maintenance Overhead: It's not just the setup that's complex. PKIs require constant monitoring and maintenance. Certificates expire, and when they do, they need to be renewed. Handling this without automation is labor-intensive and error-prone.
  3. Risk of Misconfiguration: A small mistake in setting up or maintaining a PKI can lead to significant vulnerabilities. For companies handling sensitive information, this isn't just an inconvenience; it's a major business risk.

Given these challenges, it's clear that setting up and managing a PKI is not feasible for most unless they have dedicated PKI experts on their payroll.

Your customers may not be connected to the Internet for the two following reasons:

  1. Security concerns.
  2. The on-premises solution is remote and with no Internet access.

Both issues can easily be remedied with modern equipment:

  1. Security: By default, modern firewall routers are designed to prevent external, unsolicited access. This means that even if an intranet solution is connected to the Internet, it remains shielded from external threats. Using SharkTrust with these modern routers ensures businesses have a layered security approach. They benefit from both the automated PKI management from SharkTrust and the external access controls of firewall routers.
  2. No Internet access: Using various cellular solutions, most remote locations can be Internet-enabled. Since SharkTrust only updates each device every 2 to 3 months, the cellular cost will be minimal.

Why SharkTrust is the Optimal Solution: Against the backdrop of these challenges, SharkTrust offers a seamless, worry-free alternative:

  1. Turnkey Solution: With SharkTrust, businesses don't need to grapple with the intricacies of certificate management. The entire process, from certificate issuance to renewal, is automated.
  2. No Need for Expertise: SharkTrust eliminates the need for dedicated PKI experts. Even companies without specialized IT departments can now have the same level of security as those with large IT teams.

In light of these considerations, SharkTrust isn't just a good option; for many businesses, it's the only viable option to maintain rigorous security standards without needing specialized expertise.

Get Started with SharkTrust(X)

  1. SharkTrust: the SharkTrust C code client examples and the SharkTrust portal software can be downloaded from Github.
  2. SharkTrustX: see the SharkTrustX product page for how to immediately start using SharkTrustX. The portal can be downloaded from Github.

    Looking for a straightforward way to test SharkTrustX on a microcontroller? Here's how:

    1. Purchase an ESP32-S3 microcontroller development board.
    2. Upload the ready-to-use Xedge32 development environment onto it. Xedge32 has an easy-to-use SharkTrustX configuration menu (see presentation below).
    3. All you need to do is fill in two fields: an email address (as required by Let's Encrypt) and a device name.
    4. The screenshot also highlights an optional feature called 'Reverse Connection'. When enabled, it allows remote access to the device, as indicated in the browser's address bar.

    Explore our presentation to see SharkTrustX in action on an ESP32 microcontroller using the Xedge development environment. Xedge offers certificate installation as an option

    With just a few simple steps, you'll have SharkTrustX up and running using Xedge.

    SharkTrust and SharkTrustX are powerful tools licensed under the open-source MIT License, meaning they can be used free of charge. They can greatly enhance your products' security, but setting up your own portal requires some expertise. That's where Real Time Logic comes in - we're here to provide the initial consultation and support you need to get your SharkTrust or SharkTrustX portal instance up and running smoothly. Contact us to schedule your consultation and get started with SharkTrust today!

    Security Tutorials: