abartello Posted December 15, 2013 Posted December 15, 2013 I must admit, I am at a total loss when it comes to understanding SSL certificates, what they are, where they reside, why they have to be approved, etc. Up until now, I have managed to ignore the SSL Certificates message on my screen when going into Admin Console to manage both by own ISY 994i at home, and my father's ISY994i remotely. However, since i upgraded both to Firmware 4.1.1, I can no longer access my father's ISY remotely. So I think I'm forced now to deal with this whole certificate thing. I use Mobilinc Connect to remotely access my father's ISY. Questions: 1) Can I set up an ISY to ignore the need for certificates all together, or is this required? 2) If I own the ISY, why can't I turn off the security feature all together? 3) If i need to get a certificate, what is the procedure? I read the SSL UDI Guide but it doesn't explain the basics of certificates, where they reside and why they are needed. It assumes the user knows all this. 4) I went and followed the instructions, created and saved a CSR and submitted it. Now what? I wait for an email reply from the CA authority? When I get it, what do I do? 5) How do I translate this received certificate to my laptop for remote access? 6) What if I want to access my father's ISY from other machines? Forgive me, but the whole certificate thing is a big damper in using the ISY. Other than that, i am very pleased with the product. Tony
Michel Kohanim Posted December 15, 2013 Posted December 15, 2013 Hi Tony, 1) Can I set up an ISY to ignore the need for certificates all together, or is this required? You can simply install a self signed certificate. It's quite easy: page 9: http://www.universal-devices.com/docs/I ... 0Guide.pdf 2) If I own the ISY, why can't I turn off the security feature all together? No. 3) If i need to get a certificate, what is the procedure? I read the SSL UDI Guide but it doesn't explain the basics of certificates, where they reside and why they are needed. It assumes the user knows all this. You can start by a self-signed certificate for the Server. Simply fill out the fields and then click on the Self Signed button (see the link above) 4) I went and followed the instructions, created and saved a CSR and submitted it. Now what? I wait for an email reply from the CA authority? When I get it, what do I do? You don't need to do any of this. See above. 5) How do I translate this received certificate to my laptop for remote access? 6) What if I want to access my father's ISY from other machines? See above. Forgive me, but the whole certificate thing is a big damper in using the ISY. Other than that, i am very pleased with the product. Certificates are for your own security and privacy. You are welcome not to use https to access ISY but note that all the traffic is in clear text and any hacker can simply note when you are home and what you are doing. Simply, create a self-signed certificate. And, if you are still having problems, please submit a ticket (links below) and we'd be happy to help you out. With kind regards, Michel
abartello Posted December 17, 2013 Author Posted December 17, 2013 Michel - I read the guide, created my own self-signed certificate (I think), and rebooted my ISY as instructed. I still cannot connect to my ISY remotely using Mobilinc Connect. Evn tried exporting the PEM certificate to my desktop and importing it into my local machine. No luck. Tony
Michel Kohanim Posted December 17, 2013 Posted December 17, 2013 Hi Tony, MobiLinc Connect does not require certificates. Have you spoken to MobiLinc support? With kind regards, Michel
shannong Posted December 23, 2013 Posted December 23, 2013 1) Can I set up an ISY to ignore the need for certificates all together, or is this required? You can simply install a self signed certificate. It's quite easy: page 9: http://www.universal-devices.com/docs/I ... 0Guide.pdf That link is the same that pops up from the ISY when you hit "Request/Manage SSL certificates" under Help menu. The doc is for a version of ISY I don't recognize and the configuration windows it references don't exist. I've clicked all around in the GUI and cannot find where to create a CSR or configure the CA/CRL. I cannot find any references to certs in the User Guide. Arrgh! Please help!
shannong Posted December 23, 2013 Posted December 23, 2013 It's worth noting you can get a free SSL cert that's from a CA that is trusted by Windows, Mac, Linux, Chrome, Firefox, etc. Most of the common CAs that people are familiar with (e.g. Verisign, Entrust, etc) cost hundreds of dollars per year. This free one is called startcom.org. You don't need a publicly trusted cert. I just liking having one to avoid those annoying "untrusted cert" issues but like having strong encryption.
Michel Kohanim Posted December 23, 2013 Posted December 23, 2013 Hi shannong, Apologies: http://isy.universal-devices.com/994i/4 ... board.jnlp We tried that with CACert.org and had the same issues. In short, once you install a global certificate on ALL ISYs, then that certificate is only as good as the first time it's hacked. Nothing changes ... With kind regards, Michel
shannong Posted December 23, 2013 Posted December 23, 2013 Hi shannong, Apologies: http://isy.universal-devices.com/994i/4 ... board.jnlp This dashboard is new to me. It's not referenced anywhere in the User Guide and there's no link to it on the index page of the ISY. There's a reference to it in the Network Security Guide that is linked to when clicking "Request/Manage SSL Certificates" except the link in the guide is incorrect (/99i/ vs /9941/) so you get a 404. I just assumed the pictures in the guide were of a defunct version since they didn't match the console I'm familiar with and the URL was invalid. A) Why is the dashboard that's necessary to manage configuration not in the web index page or Admin console? Why doesn't the "Request/Manage SSL Certficates" menu option in the Admin console launch the dashboard?
shannong Posted December 23, 2013 Posted December 23, 2013 Hi shannong, We tried that with CACert.org and had the same issues. In short, once you install a global certificate on ALL ISYs, then that certificate is only as good as the first time it's hacked. Nothing changes ... With kind regards, Michel What same issues? The problem of the original poster? If so, I wasn't suggesting it was a fix for the problem. Doesn't matter if CA and cert are valid, that's easy to work around. Just annoying. Hi shannong, In short, once you install a global certificate on ALL ISYs, then that certificate is only as good as the first time it's hacked. Nothing changes ... With kind regards, Michel I'm not sure what you mean by "global certificate on ALL ISYs". There's no such thing as a "global" cert in certificate services. And you end with something that sounds like since something can be hacked any security efforts are pointless. Nothing changes? I think you read too much into my post. First it was just an FYI so that folks knew they could get a trusted cert for free by a CA that is already recognized by all major platforms. I specifically mentioned it wasn't necessary and but wanted encryption without the annoying pop-ups that occur to do an invalid cert being presented.
MWareman Posted December 23, 2013 Posted December 23, 2013 There are certain home routers that share a private key (what Michel refers to as a 'global cert'). This is really insecure, since anyone can access the private key and then decrypt others sessions.
shannong Posted December 23, 2013 Posted December 23, 2013 There are certain home routers that share a private key (what Michel refers to as a 'global cert'). This is really insecure, since anyone can access the private key and then decrypt others sessions. Yikes! Shame on them. Although, I'm sure the NSA appreciates it. I created a self-generated cert for my router using easy-rsa. I was thinking of standing up a CA on my linux box for my router, ISY, another server, and clients (for mutual auth) but instead I'll probably use smartcom.org now that I know they're free AND already trusted as a root authority by most platforms including Windows.
Steven Posted July 25, 2014 Posted July 25, 2014 I'm attempting to install a new certificate on my old ISY-99i using the free CA startssl.com. From the SSL Certificate Management utility, I select "Generate Certificate Request to CA" I fill out the form, and press Ok. Now it sits there with an hourglass and does nothing.
Michel Kohanim Posted July 25, 2014 Posted July 25, 2014 Hi Steven, Unfortunately you cannot install a new certificate on ISY99i since it's way too old. I am so very sorry. With kind regards, Michel
MustangChris04 Posted July 26, 2014 Posted July 26, 2014 If I connect to the ISY via HTTPS, it takes about 10 seconds for a command to be sent, whereas on HTTP it is nearly instantaneous. I know SSL has some extra overhead because of the handshaking and encryption, but 10 seconds!? If that is the case and this is typical, I may have to setup my webserver to receive the commands over HTTPs then relay it to the ISY on the local network via HTTP.
MWareman Posted July 26, 2014 Posted July 26, 2014 (edited) The initial SSL handshake is exteeamly expensive, computationally. The CPU in ISY literally takes most of 10 seconds to calculate a 2048bit handshake. Hopefully, a newer ISY hardware platform will have a crypto chip in it, but even the 994 does not currently. Two ways around it: Reverse proxy (as you describe). This works well, but the old event subscription method does not work thru this. This means you won't be able to properly use MobiLinc or the admin console thru the reverse proxy. The REST interface works well this way though, as does the new event subscription method. I really hope that the admin ui (and MobiLinc) switch to the new method ASAP. Or you can weaker security and use a weak certificate. This makes the math faster, but is now blocked from several browsers. With Tasker on Android, I define two URLs (one with SSL and one without). I use a profile that switches the URL out as I connect and disconnect from WiFi. This means I use SSL when not at home, and don't when I'm at home. Edited July 26, 2014 by MWareman
Michel Kohanim Posted July 27, 2014 Posted July 27, 2014 Hi MWareman, thank you and you are right on. Hi MustangChris04, this is only the case for initial connection. If your client (most do) supports session resume, then all other subsequent connections/commands should be almost as immediate as regular http. With kind regards, Michel
MikeAtTheLake Posted September 13, 2014 Posted September 13, 2014 Members 1 posts 0 warning points Posted Today, 03:17 AM I just bought the 994i. I installed it and now I can see all of my devices. I am having all the same problems listed in this thread. I read the documents (pg 9), loaded the dashboard, etc. 1) I tried using CACERT but I don't have a verifiable domain 2) I tried a self signed certificate but I get certificate errors when I try to hit it using the internet 3) I tried both server and client certificates with no luck 4) Without the certificate, I can't use some software that I found for my phone. It sees the certificate errors and says that it won't continue How do I make this work? After four hours of frustration, I'm almost ready to send the unit back. I'm 95% there and can't get past these certificate problems. I'd appreciate any help
Michel Kohanim Posted September 15, 2014 Posted September 15, 2014 Hi MikeAtTheLake, Please upgrade to 4.2.10 and retry: http://forum.universal-devices.com/topic/13892-release-4210-rc4-is-now-available/ Here are the instructions for setting up certificates: http://www.universal-devices.com/docs/ISY994%20Series%20Network%20Security%20Guide.pdf With kind regards, Michel
Goose66 Posted October 20, 2014 Posted October 20, 2014 (edited) I have a domain name/port routed through my router to my ISY 994i Pro port 443. When I access the ISY 994i remotely using https://<domain name>:port#, the Chrome Web Browser scratches out the https:. If I start the Admin Console, I get a warning saying the ISY is setup with the default SSL certificate and that is a security risk. I select the button to configure SSL Certificates and get the guide mentioned above. I have downloaded the Dashboard mentioned in the guide for version 4.2.16 and tried to create a self-signed Server certificate according to the instructions. The fields of the server certificate dialog are not described in the guide: 1) Issuer is blank and I can't set it to anything 2) Fingerprint is blank and I leave it blank 3) Email Address is blank and I have tried with and without When I fill out the fields and click "Self Signed" I get a pop-up box that asks whether I have filled out the fields properly, I click yes, and I get 5 errors saying "Subject class type invalid." Any help here would be appreciated. Thanks. Edited October 20, 2014 by kingwr
Michel Kohanim Posted October 20, 2014 Posted October 20, 2014 Hi kingwr, I am so very sorry: the issue is that Java 1.8 removed a few of the methods in X509CertInfo ... we have already fixed it and will include in the next firmware release (hopefully this week). If you are in a rush, the only solution is to revert to Java 1.7. For self signed certificates: 1. Issuer = Host (you are signing your own certificate) so leave it blank 2. Fingerprint is calculated so whatever you put in there will be ignored With kind regards,Michel
stephan Posted December 31, 2015 Posted December 31, 2015 Resurrecting this thread as I have the same problem with the weak certificate and the fact that browsers reject this. I also have a the problem that MobiLink with SSL is not as reliable as without. According to the MobiLinc support this is caused by the slow response from the ISY (10sec to establish a connection). Turning of SSL though is not an option for me. I currently have a ISY994i and would the PRO version have a faster processor that allows me to upgrade to a better/stronger certificate ?
Michel Kohanim Posted December 31, 2015 Posted December 31, 2015 Hi stephan, PRO has the same processor. If you are not already on 4.3.26, then you should try it since it should take between 4-6 seconds for a 2048 bit certificate and 2-3 seconds for 1024. With kind regards, Michel
parkersmith Posted January 23, 2017 Posted January 23, 2017 (edited) Does anyone have a step-by-step guide on how to implement a free startssl.org SSL cert with the ISY994i? I spent most of yesterday experimenting with this, but could never get error free. My Mac Safari browser would show the the Startcom certificate, but said their was a problem with it with no explanation. There has to be an easier way to set up SSL certs like Synology does with Let'sEncrypt. Would have to be implemented into the shell I know. I have to admit, the setup was pretty pain free when setting up on my Synology NAS and Let'sEncrypt. Would be awesome if this was under consideration by UDI. Edited January 23, 2017 by parkersmith
DennisC Posted January 24, 2017 Posted January 24, 2017 Does anyone have a step-by-step guide on how to implement a free startssl.org SSL cert with the ISY994i? I spent most of yesterday experimenting with this, but could never get error free. My Mac Safari browser would show the the Startcom certificate, but said their was a problem with it with no explanation. There has to be an easier way to set up SSL certs like Synology does with Let'sEncrypt. Would have to be implemented into the shell I know. I have to admit, the setup was pretty pain free when setting up on my Synology NAS and Let'sEncrypt. Would be awesome if this was under consideration by UDI. I can give you some broad brush information on how I was able to accomplish this on my Win 10 setup. Not sure if there would be any differences on a Mac. Open Dashboard Open Network Select “Server Certificate” Complete Certificate Information Select “Cert. Request” Copy information Go to Certificate Authority (ex. Startssl.com) Request PEM SSL Certificate (ex. DV SSL Certificate) and paste request from ISY Save files, including intermediate certificate Unzip certificates from “Other File” Back to ISY From Certificate Information screen, select “Receive Cert.” Open certificate in text editor and copy content Paste in to ISY “Receive Cert.” box Select yes for loading Intermediate Certificate Import all 3 certificates in to ISY Save If successful, ISY will reboot The ISY will expect the certificate in PEM format (at least this is the only format that I was able to get working). Also, the one caveat here is, Startssl.com will want to verify your identity to create your free account. This is done by sending an email to your account domain name. If you are not set up to receive this email, you will need to arrange for email forwarding. Also, on the Startssl.com site, either when requesting the certificate or when you sign up, you need to select your domain and select add to move forward in the process. I don't remember which step this applied to. Dennis
Recommended Posts