SharkTrust

Automatic SSL Certificate Management for Intranet Web Servers

SharkTrust™ from Real Time Logic is a game-changing solution for managing Public Key Infrastructure (PKI) on your Intranet Web Servers. Whether you have a product with an Embedded Web Server or any other type of server, SharkTrust can help you automate and streamline the PKI process. And the best part? SharkTrust is completely free to use, with the source code available on GitHub for your convenience. Trust SharkTrust to keep your PKI organized and your business moving forward.

If you're new to certificate management and PKI, be sure to check out our tutorial on Certificate Management and Chain of Trust. This comprehensive guide will walk you through the basics of certificate management and help you understand the concept of a chain of trust.

With SharkTrust™, you can provide your users with a seamless and secure experience when using your product on a private network. Setting up SSL Certificates can be a technical and time-consuming process, but SharkTrust completely automates it, making it easy for even those without PKI knowledge to securely access all their devices. This not only enhances the user experience, but it also frees up your support team to focus on other important tasks. Don't let complicated PKI processes hold your product and business back - implement SharkTrust™ and see the benefits for yourself.

It's All About the Trust

Is the following what your customers see when they first start using your embedded web interface?

[Image: Browser SSL Warning]

When the user is forced to bypass the browser's security warning, the user cannot differentiate between a man in the middle and the server's untrusted certificate. See the tutorial hack any web server enabled product for more information.

Why you need SharkTrust™

As a device manufacturer, it's important to ensure that your customers can securely communicate with your product(s) through any web browser. While some manufacturers opt for a non-secure HTTP connection, this comes with a number of disadvantages. For one, many companies now mandate security on private networks, especially when sensitive information is involved. Failing to provide HTTPS may discourage them from using your product. Additionally, many modern browsers are now flagging all HTTP connections as insecure, which can be off-putting for users and may even prevent certain browser features, like password managers, from functioning properly. This can negatively impact the user experience of your product. That's why many manufacturers are now turning to HTTPS to ensure secure communication and a positive user experience.

Self-signed certificate is not an option

Using a self-signed SSL certificate may seem like a simple solution for secure communication with your product, but it comes with its own set of challenges. Browsers do not trust these certificates, leading to a warning message for users about an insecure connection. While it is possible to bypass this warning, doing so effectively turns the connection into an untrusted HTTP one, which can limit certain browser features that rely on HTTPS. This can have a negative impact on the user experience when communicating with their devices. It's important to consider these factors when choosing an SSL certificate for your product to ensure a positive experience for your users.

Purchasing a certificate is not an option

Purchasing a certificate from a Certificate Authority (CA) is a way for your users to have a secure HTTPS connection when communicating with their devices. However, CAs do not issue certificates for private networks, and this means your users must implement a Public Key Infrastructure (PKI) solution to get one. Existing PKI solutions typically require that users go through a lengthy, technically challenging setup process, which makes using your product securely much more difficult for them. PKI tutorials are typically targeted at engineers, and your users may find them difficult to understand and follow. Additionally, you may find yourself spending valuable resources supporting customers with this process, causing headaches both for you and your customers.

Browser vendors are working hard on reducing certificate lifespan

Apple’s Safari browser now limits certificate validity to one year and the other browser vendors will soon follow. The question is "Where do things go from here?" Since long-lived certificates are a security risk, browser vendors will move to even shorter renewal time periods. Eventually all browsers will refuse certificates with expiration dates longer than 3 months, and manually updating certificates will become too time-consuming and impractical.

Benefits of SharkTrust™

With SharkTrust™, you do not have to worry about ensuring safe and secure communication with your product from any browser, and neither do your users. By connecting to an online web interface, users can access information about all the devices on their network, and connecting to a device securely is as simple as clicking on it.

SharkTrust™ works with any embedded web server and TLS product, enabling you to integrate our automatic DNS and certificate management solution as a go-to option for customers requiring a configuration-less PKI solution for their private network.

SharkTrust's root certificate (CA certificate) is directly trusted by all major browsers and operating systems, including Microsoft, Google, Apple, Mozilla, Oracle and Blackberry. This means that no matter what device or browser is being used to connect with your product's Embedded Web Server, your users will never experience uncomfortable warning screens about insecure connections.

  • Automatically resolve DNS for private networks and manage certificates for your device
  • No need for a manually-configured static IP address for your device - it can simply connect to a company's private network and use a dynamic IP
  • Eliminate the usual hassle of setting up a PKI infrastructure - your device automatically connects to the SharkTrust™ network, registers a dynamic IP, and downloads the required SSL certificate

SharkTrust Details

SharkTrust uses the automated Let's Encrypt Certificate Authority and the Automatic Certificate Management Environment (ACME) protocol specified in RFC-8555.

We provide two SharkTrust versions:

  • SharkTrust is primarily designed for microcontroller-based products, where the devices do not have sufficient processing power and/or memory to process certificates directly. SharkTrust can be used by any web server, but requires C code integration.
  • SharkTrustX is an eXtended version, which also optionally enables secure remote access to private Intranet web servers. SharkTrustX is designed as a ready-to-use plugin for the Barracuda App Server.

1: SharkTrust

With SharkTrust, the ACME protocol (including private key generation, certificate signing request, and the cryptography required by RFC-8555) is managed by an online cloud server solution. The software for the online service is a source code product provided by us, and you may either use the software to host your own service or use our services.

SharkTrust Let's Encrypt Bridge

The device simply needs to conform to the easy-to-implement SharkTrust Binary Protocol. SharkTrust may be used by any microcontroller-based solution using any embedded TLS stack, as long as the embedded TLS stack can load a standard X.509 certificate and the associated private key.

SharkTrust Requirements

  1. SharkTrust is designed for devices (or software) installed within an Intranet and with private IP addresses -- e.g. 192.168.x.x.
  2. The devices with the embedded SharkTrust software must have Internet access as a TCP/IP network client. In other words, SharkTrust must be able to connect as a client to the online SharkTrust service. The Internet access does not need to be persistent. The access is needed when updating the certificate once every 2 to 3 months.
  3. The SharkTrust service requires code in the device that complies with the SharkTrust Binary Protocol Specification (PDF).
  4. SharkTrust can be used in a device as an option in addition to existing PKI infrastructure.

2: SharkTrustX

SharkTrustX comes pre-integrated as a ready-to-use Barracuda App Server plugin. Unlike SharkTrust, SharkTrustX communicates directly with Let's Encrypt using the ACME protocol (RFC-8555). The plugin also manages private key generation, the certificate signing request, and the required cryptography. An online service is still required, but is limited to managing the DNS.

Let's Encrypt for Intranet servers

Get Started with SharkTrust

  1. SharkTrust: the SharkTrust C code client examples and the SharkTrust portal software can be downloaded from GitHub.
  2. SharkTrustX: see the SharkTrustX product page for how to immediately start using SharkTrustX. The portal can be downloaded from GitHub.

SharkTrust is a powerful tool that can greatly enhance the security of your products, but it does require some expertise to set up and configure properly. That's where Real Time Logic comes in - we're here to provide the initial consultation and support you need to get SharkTrust up and running smoothly. Contact us to schedule your consultation and get started with SharkTrust today! And if you're an experienced Linux administrator with Ansible experience, you can find brief installation instructions on the SharkTrustX Installer GitHub page. The SharkTrustX installer can be modified to also install SharkTrust.
