GQuack, posted January 24, 2014: So right off - I have almost no knowledge about how certificates work. I've read the network security document on the website, read numerous posts, installed the dashboard, and made my attempt at creating a self-signed certificate. All that seemed to go OK. My question: do I need to also create a client certificate? The network security guide says client certificates are created the same way as server certificates but nothing about whether they NEED to be created.
shannong, posted January 24, 2014: In this case the use of the word "client" means the ISY is acting as a client connecting to another TLS/SSL server. This might be a security system, for example. TLS encryption is performed using the server's certificate, not the client's. Client certs are only used for authentication. Whether or not you need to create a valid client certificate would depend on whether this other server resource is attempting to validate client certificates. If not, there's no reason for the ISY to have one and it would have no use.
GQuack (author), posted January 24, 2014: So can you point me to what I have not completed or did incorrectly, such that I am still getting the certificate error when I connect remotely? Or is this normal?
shannong, posted January 24, 2014: Please be more specific when you say "remotely" and "errors".
GQuack (author), posted January 24, 2014: Via laptop on a network outside of my local network at home. Using IE, I do connect but get a certificate error: "Mismatched address. The security certificate presented by this website was issued for a different website's address. This problem might indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage."
shannong, posted January 24, 2014: I'm assuming in your web browser you connect via the IP address of your broadband router. Certs work off of names, which is the "Issued to" field. The names are used to authenticate and validate the server you're connecting to. When you're external and connect with the public IP of your router, the web browser sees that "name" (the IP address) doesn't match the name in the certificate that is being offered by your ISY through NAT (port forwarding). So the error is normal and doesn't present a problem except for annoyance. The traffic is still encrypted once you accept it. Even if the names matched you'd still get an error since your web browser won't recognize the "Issued by" since it was self-signed by the ISY. That would require you getting a cert from a known public CA (issuer). You could also stand up your own CA internally to create certs for your home devices. There are free packages available for Windows and Linux. It's probably not worth the effort, though. Somebody capable of conducting a man-in-the-middle attack to masquerade as your ISY would find much easier ways to infiltrate your home.
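The two browser checks shannong describes (does the typed address match a name in the cert, and is the "Issued by" a trusted issuer) modelled as an added example; this is not code from the thread or from the ISY, the cert fields are a constructed stand-in rather than a real X.509 parser, and the names isy.home and 203.0.113.5 are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for the fields a browser inspects (not a real X.509 parser)."""
    subject_cn: str                            # the "Issued to" name
    issuer: str                                # the "Issued by" name
    san_dns: list = field(default_factory=list)   # DNS subjectAltNames
    san_ip: list = field(default_factory=list)    # IP-address subjectAltNames


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert: Cert, typed_host: str) -> bool:
    """Does the address typed into the browser match a name in the cert?"""
    try:
        ip = ipaddress.ip_address(typed_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal (e.g. the router's public IP) is compared only against
        # IP SANs, never against DNS names, which is why the thread's error appears.
        return any(ip == ipaddress.ip_address(s) for s in cert.san_ip)
    # When any SAN is present the CN is ignored; CN is only a legacy fallback.
    names = cert.san_dns if (cert.san_dns or cert.san_ip) else [cert.subject_cn]
    return any(_dns_name_matches(n, typed_host) for n in names)


def verify(cert: Cert, typed_host: str, trusted_issuers: set) -> list:
    """Return the problems a browser would report for this cert and typed address."""
    problems = []
    if cert.issuer not in trusted_issuers:       # self-signed: issuer is the device itself
        problems.append("untrusted issuer")
    if not name_matches(cert, typed_host):
        problems.append("mismatched address")
    return problems
```

Connecting to a self-signed ISY cert by the router's public IP yields both problems; fixing the name still leaves the issuer problem until the ISY's own cert (or a home CA) is added to the trust store.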