How do I generate and install a self signed certificate

[mitch236]

I recently upgraded to the 994i from the 99i and can't figure out how to install a self signed certificate. I've read the document http://www.universal-devices.com/docs/ISY994%20Series%20Network%20Security%20Guide.pdf but I'm clearly not knowlegable enough to figure out what to do.

 

I'm sure this has been answered before so if someone would please point me to the answer, I would really appreciate it!

 

Thanks!

[G W]

I read it, rather quickly, and I too found it confusing. I'd like to see a step-by-step set of instructions.

 

So, when I get time, I will read it again, and write up the instructions.

[apostolakisl]

I agree. I started to do it once a while back and couldn't get it figured out.

[johnnyt]

Ditto

 

 

Sent from my iPod touch using Tapatalk

[arw01]

+1, but I knew I was too dumb to figure it out before I started. I was waiting for the video on youtube!

[Michel Kohanim]

Hi Guys,

 

Thanks so very much for the feedback. Step by step instructions shall be available shortly.

 

With kind regards,

Michel

[auger66]

I just got two 994i upgrades. I couldn't figure this out either.

[mitch236]

I tried to find out more about certificates and it seems to me that having higher security certificates only protects the person navigating to the website and doesn't protect the website owner. Is that true? Why would someone want stronger security than the basic self signed certificate for our purposes?

[Michel Kohanim]

Hi mitch236,

 

Self-signed certificates are fine. The only drawback is that your browser does not recognize the authority (in this case "you") who signed the certificate and thus gives you those warnings.

 

With kind regards,

 

Michel

[auger66]

Hi Guys,

 

Thanks so very much for the feedback. Step by step instructions shall be available shortly.

 

With kind regards,

Michel

 

I'm about to install my other 994i in a remote location. Is their any progress on this?

 

Thanks.

[arw01]

I have been wondering the same thing. My isy warns me the certificate is the stock on when I connect outside my local network.

[Michel Kohanim]

Hi Guys

http://www.universal-devices.com/docs/I ... 0Guide.pdf page 9.

 

With kind regards,

Michel

[arw01]

Thanks Michel. I'm still a little confused..

 

What's the advantage to paying for a CA issued certificate versus doing a self signed?

 

What are good places to get a CA issued one if I decided to go that route?

 

So for using mobilinc (tablets, phone, kindle) with a port forwarded router, a few laptops, occassional outside the network machine, what am I going to experience on phones and tablets? How do i get a certificate on an android phone or tablet, especially a kindle.

 

Alan

[MWareman]

Consider using cacert (http://www.cacert.org/). You'll likely have to install their root - but they are a chain-of-trust style free ca. I use them for ssl on all of my systems rather than self signed (which becomes difficult to securely manage).

 

This is why NOT to do self signed. How do you verify that nobody has is performing a man in the middle attack on you if the cert is self signed? You would have to manually confirm the signature hash each time you connect.

 

Bottom line, using self signed cents leaves you open to man in the middle attacks on your ssl sessions - if you are connecting from or thru untrusted networks.

 

Michael.

[Scottmichaelj]

I would like to respond with a dumb question. Wouldn't a self signed ssl cert (or none) be ok if your using a VPN while remotely connecting therefore removing the "man in the middle"? I have been running an ISY for years now, never had a SSL cert, and use a VPN when connecting externally to any of my internal devices without issue. Just another thought?

[MWareman]

I would like to respond with a dumb question. Wouldn't a self signed ssl cert (or none) be ok if your using a VPN while remotely connecting therefore removing the "man in the middle"? I have been running an ISY for years now, never had a SSL cert, and use a VPN when connecting externally to any of my internal devices without issue. Just another thought?

 

If you use a VPN and don't expose the ISY at all to the Internet, then there is no need for SSL at all on the ISY - as long as your internal network is secure (no guest wifi etc..).

 

However, in my case at least, that would prevent effective use of products like MobiLinc, unless I dumb down the VPN choice to something that is easy to configure and automatic to use on both IOS and Android - like pptp (and I'm not willing to do that!).

[mitch236]

I have to say that unless I really don't understand what I'm doing, the instructions for installing a CA certificate don't work. I purchased the CA certificate from GoDaddy and downloaded it. There's no way to paste any type of information from the certificate to the ISY. I imported the certificate into the ISY using the CA certificate button and it is sitting there but I don't think that's the correct way. Can't anyone just give me step by step instructions that make sense?

[Michel Kohanim]

Hi mitch236,

 

Did you send a Certificate Request to GoDaddy?

 

What's your ISY's model number?

 

With kind regards,

Michel

[mitch236]

I am using the ISY994i/IR PRO and I sent the cert request to GoDaddy and received the cert. What I received doesn't look anything like what's in the ISY manual. I can't extract the "code" from the cert the way it is presented in the manual. I'm sure I did something wrong but it would be nice if someone could outline EXACTLY the steps to take and the type of certificate to order and how to EXACTLY install it. The manual assumes the end user understands something about certs where I don't have any experience at all. Perhaps someone could perform the whole process themselves while documenting the entire procedure?

[Michel Kohanim]

Hi mitch236,

 

Are you saying that you didn't get something that starts with:

===BEGIN CERTIFICATE===

 

And ends with:

===END CERTIFICATE===

 

The process is really what's outlined. Request a certificate, send it to CA, get the certificate and then install it. So, the main question right now is the above.

 

With kind regards,

Michel

[mitch236]

When I download the cert, this is what I see:

 

 

Can you tell me which choice to make?

[Michel Kohanim]

Hi mitch236,

 

This is a zip file. If you don't mind, you can send me your zip file and I can take a look ... please note that this is not secure since I will have access to your certificate. My email is support@universal-devices.com .

 

With kind regards,

Michel

[mitch236]

Thanks for helping me! One more question, how do I check to see if the cert is successfully installed?

[Michel Kohanim]

Hi mitch236,

 

Apologies for tardy reply. Simply go to https://your.remote.ip.address and use your browser to inspect the certificate provided by ISY. It should have the parameters that you used to create the certificate (i.e. domain name or IP address).

 

With kind regards,

Michel

[mitch236]

When I navigate to my ISY using my browser, this is the message I see which I think proves my certificate is correctly installed:

 

 

 

But when I select Admin Console, here is what I see:

 

 

 

 

 

What does this mean?