I am trying to add https to the embedded devices I am working on. These devices are generally assigned local ip addresses and so cannot get their own ssl certificates.
So essentially my question is how does one get a certificate for a device without a global ip address??
Assumptions:
Browsers won't trust certificates unless they've been verified by a trusted CA.
However you can only get a verified certificate for a globally unique domain.
Those darn customers insist on local ip addresses.
Similar question here
Hypothesis A:
- Get a certificate for main company website
- Copy that cert. + private key to all devices
- User connects to device
- Device sends cert. to user
- User sees cert. is trusted (ignores that it's not for this server??)
- User encrypts http using public key in cert
- Device uses private key
Results:
- Browser complains about name mismatch
- Customers have access to each others private key
- Not very secure
Hypothesis B:
- Get a certificate for main company website FOR EACH DEVICE
- Copy a cert. + private key to each device
- User connects to device
- Device sends cert. to user
- User sees cert. is trusted (ignores that it's not for this server??)
- User encrypts http using public key in cert
- Device uses private key
Results:
- Browser complains about name mismatch
- Secure
Hypothesis C:
- Create self-signed cert for each device
- Copy a cert. + private key to device
- User connects to device
- Device sends cert. to user
- Firefox has a canary
- User encrypts http using public key in cert
- Device uses private key
Results:
- Browser complains about self-signed cert
- Self-signed cert could be man-in-middle attack
