Jump to content

SSL Certificates


abartello

Recommended Posts

I must admit, I am at a total loss when it comes to understanding SSL certificates, what they are, where they reside, why they have to be approved, etc. Up until now, I have managed to ignore the SSL Certificates message on my screen when going into Admin Console to manage both by own ISY 994i at home, and my father's ISY994i remotely. However, since i upgraded both to Firmware 4.1.1, I can no longer access my father's ISY remotely. So I think I'm forced now to deal with this whole certificate thing.

I use Mobilinc Connect to remotely access my father's ISY.

 

Questions:

1) Can I set up an ISY to ignore the need for certificates all together, or is this required?

2) If I own the ISY, why can't I turn off the security feature all together?

3) If i need to get a certificate, what is the procedure? I read the SSL UDI Guide but it doesn't explain the basics of certificates, where they reside and why they are needed. It assumes the user knows all this.

4) I went and followed the instructions, created and saved a CSR and submitted it. Now what? I wait for an email reply from the CA authority? When I get it, what do I do?

5) How do I translate this received certificate to my laptop for remote access?

6) What if I want to access my father's ISY from other machines?

 

Forgive me, but the whole certificate thing is a big damper in using the ISY. Other than that, i am very pleased with the product.

 

Tony

Link to comment

Hi Tony,

 

1) Can I set up an ISY to ignore the need for certificates all together, or is this required?

You can simply install a self signed certificate. It's quite easy: page 9: http://www.universal-devices.com/docs/I ... 0Guide.pdf

 

2) If I own the ISY, why can't I turn off the security feature all together?

No.

 

3) If i need to get a certificate, what is the procedure? I read the SSL UDI Guide but it doesn't explain the basics of certificates, where they reside and why they are needed. It assumes the user knows all this.

You can start by a self-signed certificate for the Server. Simply fill out the fields and then click on the Self Signed button (see the link above)

4) I went and followed the instructions, created and saved a CSR and submitted it. Now what? I wait for an email reply from the CA authority? When I get it, what do I do?

You don't need to do any of this. See above.

5) How do I translate this received certificate to my laptop for remote access?

6) What if I want to access my father's ISY from other machines?

See above.

 

Forgive me, but the whole certificate thing is a big damper in using the ISY. Other than that, i am very pleased with the product.

Certificates are for your own security and privacy. You are welcome not to use https to access ISY but note that all the traffic is in clear text and any hacker can simply note when you are home and what you are doing. Simply, create a self-signed certificate. And, if you are still having problems, please submit a ticket (links below) and we'd be happy to help you out.

 

With kind regards,

Michel

Link to comment

Michel -

 

I read the guide, created my own self-signed certificate (I think), and rebooted my ISY as instructed. I still cannot connect to my ISY remotely using Mobilinc Connect. Evn tried exporting the PEM certificate to my desktop and importing it into my local machine. No luck.

Tony

Link to comment

 

1) Can I set up an ISY to ignore the need for certificates all together, or is this required?

 

You can simply install a self signed certificate. It's quite easy: page 9: http://www.universal-devices.com/docs/I ... 0Guide.pdf

 

 

That link is the same that pops up from the ISY when you hit "Request/Manage SSL certificates" under Help menu. The doc is for a version of ISY I don't recognize and the configuration windows it references don't exist. I've clicked all around in the GUI and cannot find where to create a CSR or configure the CA/CRL. I cannot find any references to certs in the User Guide.

 

Arrgh! Please help!

Link to comment

It's worth noting you can get a free SSL cert that's from a CA that is trusted by Windows, Mac, Linux, Chrome, Firefox, etc. Most of the common CAs that people are familiar with (e.g. Verisign, Entrust, etc) cost hundreds of dollars per year. This free one is called startcom.org.

 

You don't need a publicly trusted cert. I just liking having one to avoid those annoying "untrusted cert" issues but like having strong encryption.

Link to comment

 

This dashboard is new to me. It's not referenced anywhere in the User Guide and there's no link to it on the index page of the ISY. There's a reference to it in the Network Security Guide that is linked to when clicking "Request/Manage SSL Certificates" except the link in the guide is incorrect (/99i/ vs /9941/) so you get a 404. I just assumed the pictures in the guide were of a defunct version since they didn't match the console I'm familiar with and the URL was invalid.

 

A) Why is the dashboard that's necessary to manage configuration not in the web index page or Admin console?

 

B) Why doesn't the "Request/Manage SSL Certficates" menu option in the Admin console launch the dashboard?

Link to comment
Hi shannong,

 

We tried that with CACert.org and had the same issues. In short, once you install a global certificate on ALL ISYs, then that certificate is only as good as the first time it's hacked. Nothing changes ...

 

With kind regards,

Michel

 

What same issues? The problem of the original poster? If so, I wasn't suggesting it was a fix for the problem. Doesn't matter if CA and cert are valid, that's easy to work around. Just annoying.

 

Hi shannong,

 

In short, once you install a global certificate on ALL ISYs, then that certificate is only as good as the first time it's hacked. Nothing changes ...

 

With kind regards,

Michel

 

I'm not sure what you mean by "global certificate on ALL ISYs". There's no such thing as a "global" cert in certificate services. And you end with something that sounds like since something can be hacked any security efforts are pointless. Nothing changes?

 

I think you read too much into my post. First it was just an FYI so that folks knew they could get a trusted cert for free by a CA that is already recognized by all major platforms. I specifically mentioned it wasn't necessary and but wanted encryption without the annoying pop-ups that occur to do an invalid cert being presented.

Link to comment
There are certain home routers that share a private key (what Michel refers to as a 'global cert'). This is really insecure, since anyone can access the private key and then decrypt others sessions.

 

Yikes! Shame on them. Although, I'm sure the NSA appreciates it. ;)

 

I created a self-generated cert for my router using easy-rsa. I was thinking of standing up a CA on my linux box for my router, ISY, another server, and clients (for mutual auth) but instead I'll probably use smartcom.org now that I know they're free AND already trusted as a root authority by most platforms including Windows.

Link to comment
  • 7 months later...

I'm attempting to install a new certificate on my old ISY-99i using the free CA startssl.com.

 

From the SSL Certificate Management utility, I select "Generate Certificate Request to CA" I fill out the form, and press Ok.

Now it sits there with an hourglass and does nothing.

Link to comment

If I connect to the ISY via HTTPS, it takes about 10 seconds for a command to be sent, whereas on HTTP it is nearly instantaneous. I know SSL has some extra overhead because of the handshaking and encryption, but 10 seconds!?

 

If that is the case and this is typical, I may have to setup my webserver to receive the commands over HTTPs then relay it to the ISY on the local network via HTTP.

Link to comment

The initial SSL handshake is exteeamly expensive, computationally. The CPU in ISY literally takes most of 10 seconds to calculate a 2048bit handshake.

Hopefully, a newer ISY hardware platform will have a crypto chip in it, but even the 994 does not currently.

 

Two ways around it:

 

Reverse proxy (as you describe). This works well, but the old event subscription method does not work thru this. This means you won't be able to properly use MobiLinc or the admin console thru the reverse proxy. The REST interface works well this way though, as does the new event subscription method. I really hope that the admin ui (and MobiLinc) switch to the new method ASAP.

 

Or you can weaker security and use a weak certificate. This makes the math faster, but is now blocked from several browsers.

 

With Tasker on Android, I define two URLs (one with SSL and one without). I use a profile that switches the URL out as I connect and disconnect from WiFi. This means I use SSL when not at home, and don't when I'm at home.

Edited by MWareman
Link to comment
  • 1 month later...

Posted Today, 03:17 AM

I just bought the 994i. I installed it and now I can see all of my devices.

 

I am having all the same problems listed in this thread. I read the documents (pg 9), loaded the dashboard, etc.

 

1) I tried using CACERT but I don't have a verifiable domain

2) I tried a self signed certificate but I get certificate errors when I try to hit it using the internet

3) I tried both server and client certificates with no luck

4) Without the certificate, I can't use some software that I found for my phone. It sees the certificate errors and says that it won't continue

 

How do I make this work? After four hours of frustration, I'm almost ready to send the unit back. I'm 95% there and can't get past these certificate problems.

 

I'd appreciate any help

Link to comment
  • 1 month later...

I have a domain name/port routed through my router to my ISY 994i Pro port 443. When I access the ISY 994i remotely using https://<domain name>:port#, the Chrome Web Browser scratches out the https:. If I start the Admin Console, I get a warning saying the ISY is setup with the default SSL certificate and that is a security risk. I select the button to configure SSL Certificates and get the guide mentioned above. I have downloaded the Dashboard mentioned in the guide for version 4.2.16 and tried to create a self-signed Server certificate according to the instructions. The fields of the server certificate dialog are not described in the guide:

 

1) Issuer is blank and I can't set it to anything

2) Fingerprint is blank and I leave it blank

3) Email Address is blank and I have tried with and without

 

When I fill out the fields and click "Self Signed" I get a pop-up box that asks whether I have filled out the fields properly, I click yes, and I get 5 errors saying "Subject class type invalid."

 

Any help here would be appreciated.

 

Thanks.

Edited by kingwr
Link to comment

Hi kingwr,

 

I am so very sorry: the issue is that Java 1.8 removed a few of the methods in X509CertInfo ... we have already fixed it and will include in the next firmware release (hopefully this week). If you are in a rush, the only solution is to revert to Java 1.7.

 

For self signed certificates:

1. Issuer = Host (you are signing your own certificate) so leave it blank

2. Fingerprint is calculated so whatever you put in there will be ignored

 

With kind regards,
Michel

Link to comment
  • 1 year later...

Resurrecting this thread as I have the same problem with the weak certificate and the fact that browsers reject this. I also have a the problem that MobiLink with SSL is not as reliable as without. According to the MobiLinc support this is caused by the slow response from the ISY (10sec to establish a connection). Turning of SSL though is not an option for me.

 

I currently have a ISY994i and would the PRO version have a faster processor that allows me to upgrade to a better/stronger certificate ?

Link to comment
  • 1 year later...

Does anyone have a step-by-step guide on how to implement a free startssl.org SSL cert with the ISY994i? I spent most of yesterday experimenting with this, but could never get error free. My Mac Safari browser would show the the Startcom certificate, but said their was a problem with it with no explanation. There has to be an easier way to set up SSL certs like Synology does with Let'sEncrypt. Would have to be implemented into the shell I know. I have to admit, the setup was pretty pain free when setting up on my Synology NAS and Let'sEncrypt. Would be awesome if this was under consideration by UDI. 

Edited by parkersmith
Link to comment

Does anyone have a step-by-step guide on how to implement a free startssl.org SSL cert with the ISY994i? I spent most of yesterday experimenting with this, but could never get error free. My Mac Safari browser would show the the Startcom certificate, but said their was a problem with it with no explanation. There has to be an easier way to set up SSL certs like Synology does with Let'sEncrypt. Would have to be implemented into the shell I know. I have to admit, the setup was pretty pain free when setting up on my Synology NAS and Let'sEncrypt. Would be awesome if this was under consideration by UDI. 

 

I can give you some broad brush information on how I was able to accomplish this on my Win 10 setup. Not sure if there would be any differences on a Mac.

 

 

Open Dashboard

Open Network

Select “Server Certificate”

Complete Certificate Information

Select “Cert. Request”

Copy information

 

Go to Certificate Authority (ex. Startssl.com)

Request PEM SSL Certificate (ex. DV SSL Certificate) and paste request from ISY

Save files, including intermediate certificate

Unzip certificates from “Other File”

 

Back to ISY

From Certificate Information screen, select “Receive Cert.”

Open certificate in text editor and copy content

Paste in to ISY “Receive Cert.” box

Select yes for loading Intermediate Certificate

Import all 3 certificates in to ISY

Save

If successful, ISY will reboot

 

The ISY will expect the certificate in PEM format (at least this is the only format that I was able to get working). Also, the one caveat here is, Startssl.com will want to verify your identity to create your free account. This is done by sending an email to your account domain name. If you are not set up to receive this email, you will need to arrange for email forwarding. 

 

Also, on the Startssl.com site, either when requesting the certificate or when you sign up, you need to select your domain and select add to move forward in the process. I don't remember which step this applied to.

 

Dennis

Link to comment
Guest
This topic is now closed to further replies.

×
×
  • Create New...