
Importing Certificate


Steven


I got a certificate from startssl.com, and converted it into PFX format.

 

I then started the Dashboard and brought up the "Network" dialog.

I brought up the "SSL Certificates Management" dialog, clicked on the "Import Cert." button, and opened my PFX certificate.

 

It asked for the private key password, which I know I typed correctly, because it gave an error when I typed the wrong password on purpose. It then asked me "Would you like to import this certificate", and I answered "Yes".

 

At this point it brought up a confusing popup that said only:

 

! /CONF/ISYKS.SRV

 

After clicking that away, the certificate information showed what I expected:

 

Issuer: StartCom Class 1 Primary Intermediate Server CA

Host Name: (My dynamic DNS host name to my home router)

Country: US

Fingerprint: (A long hex string)

Key Strength: 2048

 

At this point it was not clear what to do next. I closed the dialog, and the documentation implied that the ISY would restart, but it didn't, so I rebooted it myself.

 

However, when it came back up, it was still using the self-signed isy.universal-devices.com certificate.

 

How do I get my certificate onto the box?

 

It's an ISY 994i running 4.0.5.

 

Link to comment

By the way, here are the details of the certificate I'm attempting to import:

 

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                URI:http://crl.startssl.com/crt1-crl.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/

    Signature Algorithm: sha1WithRSAEncryption

Link to comment

You are probably trying to do this over an SSL connection. Please try it on a regular http connection.

 

Whoo hoo! That got me much further. Now, I have another issue (to which I suspect the answer may be that I need the PRO version):

 

The certificate got imported to the ISY-994i, but the browser (Firefox in this case) doesn't have the intermediate certificates. Firefox gives this error:

The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

I was able to work around this with a per-browser solution by importing the intermediate certificate from www.startssl.com/certs/sub.class1.server.ca.pem. It would be nice to have this stored on the ISY-994i.

 

I understand that multiple certificates (for example, the main certificate and the intermediate certificate) can be put into one PFX file. I tried that, but it didn't seem to make a difference, but that could be because I did it wrong.

 

Question: Does the ISY-994i read multiple certificates from a PFX file, and does it send all the certificates to an incoming SSL connection?

Link to comment
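The last post mentions putting the server and intermediate certificates into one PFX and not being sure it was done correctly. The following shell script is an added example, not code from the thread or from the ISY vendor: it builds a constructed throwaway chain with OpenSSL, packs it with and without `-certfile`, and checks what each PFX holds. All file names, subjects and the password `demo` are assumptions, and it says nothing about whether the ISY reads or serves the extra certificate.

```shell
#!/bin/sh
# Added example: every file name, subject and the password "demo" is constructed.

# Build a throwaway root -> intermediate -> server chain in directory $1.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=host.example.test' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# make_pfx OUT CERT KEY [INTERMEDIATE]: -certfile is what adds the extra certificate.
make_pfx() {
    if [ -n "${4:-}" ]; then
        openssl pkcs12 -export -in "$2" -inkey "$3" -certfile "$4" \
            -passout pass:demo -out "$1"
    else
        openssl pkcs12 -export -in "$2" -inkey "$3" -passout pass:demo -out "$1"
    fi
}

# Print how many certificates the PFX holds (1 = server only, 2 = server + intermediate).
count_pfx_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if SERVER ($3) chains to ROOT ($2) using the CA certs stored in PFX ($1).
pfx_chain_verifies() {
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin pass:demo > "$1.chain" 2>/dev/null
    openssl verify -CAfile "$2" -untrusted "$1.chain" "$3" >/dev/null 2>&1
}

# Demo: run as "sh script.sh demo".
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d) && make_demo_chain "$t"
    make_pfx "$t/full.pfx" "$t/server.pem" "$t/server.key" "$t/inter.pem"
    echo "certificates in full.pfx: $(count_pfx_certs "$t/full.pfx")"
    rm -rf "$t"
fi
```

A PFX that reports a count of 1 carries only the server certificate, so a client that trusts only the root has no issuer to build the chain from unless the intermediate is supplied another way.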

Archived

This topic is now archived and is closed to further replies.

