Importing Certificate


Steven

Posted

I got a certificate from startssl.com, and converted it into PFX format.

 

I then started the Dashboard and brought up the "Network" dialog.

I brought up the "SSL Certificates Management" dialog, clicked on the "Import Cert." button, and opened my PFX certificate.

 

It asked for the private key password, which I know I typed correctly, because it gave an error when I typed the wrong password on purpose. It then asked me "Would you like to import this certificate", and I answered "Yes".

 

At this point it brought up a confusing popup that said only:

 

! /CONF/ISYKS.SRV

 

After clicking that away, the certificate information showed what I expected:

 

Issuer: StartCom Class 1 Primary Intermediate Server CA

Host Name: (My dynamic DNS host name to my home router)

Country: US

Fingerprint: (A long hex string)

Key Strength: 2048

 

At this point it was not clear what to do next. I closed the dialog, and the documentation implied that the ISY would restart, but it didn't, so I rebooted it myself.

 

However, when it came back up, it was still using the self-signed isy.universal-devices.com certificate.

 

How do I get my certificate onto the box?

 

It's an ISY 994i running 4.0.5.

 

Posted

I upgraded to 4.2.10. Now I get this error:

 

Socket Open Failed javax.net.ssl.SSLException: java.security.ProviderException: java.security.NoSuchAlgorithmException: SunTlsKeyMaterial KeyGenerator not available
Posted

By the way, here are the details of the certificate I'm attempting to import:

 

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                URI:http://crl.startssl.com/crt1-crl.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/

 

    Signature Algorithm: sha1WithRSAEncryption

Posted (edited)

You are probably trying to do this over an SSL connection. Please try it on a regular http connection.

 

Whoo hoo! That got me much further. Now, I have another issue (to which I suspect the answer may be that I need the PRO version):

 

The certificate got imported to the ISY-994i, but the browser (Firefox in this case) doesn't have the intermediate certificates. Firefox gives this error:

The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

I was able to work around this with a per-browser solution by importing the intermediate certificate from www.startssl.com/certs/sub.class1.server.ca.pem. It would be nice to have this stored on the ISY-994i.

 

I understand that multiple certificates (for example, the main certificate and the intermediate certificate) can be put into one PFX file. I tried that, but it didn't seem to make a difference, but that could be because I did it wrong.

 

Question: Does the ISY-994i read multiple certificates from a PFX file, and does it send all the certificates to an incoming SSL connection?

Edited by Steven
Posted

Unfortunately not. At the moment, intermediate certificates must be installed in the browser.

 

Please take that as a feature request.
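Added example, not part of the original thread and not Universal Devices code: a way to confirm with the openssl CLI that a PFX really carries the intermediate certificate, so the file itself can be ruled out when a device still serves only the leaf. It builds a throwaway root, intermediate and leaf, bundles the leaf with and without the intermediate, counts the certificates in each PFX, and shows that the leaf only verifies when the intermediate is supplied. All subject names, file names and the password are constructed.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys, constructed password.
PASS='example-pass'

csr() {  # csr <basename> <common name>: new 2048-bit RSA key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

build_chain() {  # root -> intermediate -> leaf, written to the current directory
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    csr root 'Example Root CA' &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -out root.crt 2>/dev/null &&
    csr int 'Example Intermediate CA' &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out int.crt 2>/dev/null &&
    csr leaf 'host.example.test' &&
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -out leaf.crt 2>/dev/null
}

make_pfx() {  # make_pfx <out.pfx> [extra pkcs12 args, e.g. -certfile int.crt]
    out=$1; shift
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt "$@" \
        -out "$out" -passout "pass:$PASS"
}

count_certs() {  # number of certificates stored inside a PFX
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

verifies() {  # verifies <leaf> [extra verify args]: true if a path to root.crt builds
    leaf=$1; shift
    openssl verify -CAfile root.crt "$@" "$leaf" 2>/dev/null | grep -q ': OK$'
}

# Driver: build both bundles in a scratch directory and report their contents.
work=$(mktemp -d) && cd "$work" && build_chain &&
make_pfx leaf-only.pfx && make_pfx with-chain.pfx -certfile int.crt &&
echo "leaf-only: $(count_certs leaf-only.pfx) cert(s), with-chain: $(count_certs with-chain.pfx) cert(s)"
```

Running `count_certs` against a real PFX (with its own password in `PASS`) tells you whether the chain made it into the file; whether a server then sends it is a separate question.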
