
Self signed SSL certificates


James Peterson


15 minutes ago, apostolakisl said:

This is precisely what I did.  The only difference is the exported file from ISY had no file type extension at all.  I told ISY to name the file "ISY" when doing the export which it did.  The name of the certificate itself is different.  The import said it was successful and the name of the certificate showing in the list of certificates is correct, so it obviously read and understood the file since that name was contained within the file.  From ISY dashboard, I opened the "server certificate" configuration and hit the "export" button at the bottom to create this file.  In the save as window, the only option for saving is "all files" and it put no extension on it at all.  Perhaps I am exporting the wrong thing?

This is just one of a dozen examples / reasons this whole certificate framework is a complete joke. If one needs to break out the *Super Decoder Ring* just to insert a file, what is the expected success rate, never mind the adoption rate, of this implementation?!?!

This exact topic comes up many times per year, and when you read the reply as to *How To* your eyes just glaze over in disbelief . . .



If your self-signed cert is in the root store, you are gtg.

However, hopefully your self-signed cert contains the necessary attributes. There should be a ‘Subject’ that contains the DNS name you will be accessing the ISY with - as well as a SAN (Subject Alternate Name) also containing the DNS name you will be accessing the ISY with. Without the two locations for the DNS name you will be using, Chrome will still complain about the certificate...


That’s why they (allegedly) pay us infosec types the big bucks.... I wish....

For sure, certificates are not a trivial subject to understand. But there really is no mystery to it after you know the math...
2 minutes ago, MWareman said:

That’s why they (allegedly) pay us infosec types the big bucks.... I wish....

For sure, certificates are not a trivial subject to understand. But there really is no mystery to it after you know the math...

I think you would be one of the best people to start a new Wiki entry with respect to security certificates, using a combination of images and text outlining the prerequisites, requirements, and choices from free to paid certificates. I believe what really needs to be done is a comprehensive *How To* that any lay person can follow. Once that was in place, more advanced topics and subject matter could be included as time allows.

40 minutes ago, MWareman said:

If your self-signed cert is in the root store, you are gtg.

However, hopefully your self-signed cert contains the necessary attributes. There should be a ‘Subject’ that contains the dns name you will be accessing the ISY with - as well as a SAN (Subject Alternate Name) also containing the DNS name you will be accessing the ISY with. Without the two locations for the DNS name you will be using Chrome will still complain about the certificate...

Not sure what you are referring to. Subject and SAN are things that I have never seen. They are not part of the ISY certificate management. At present, it doesn't matter whether I go to my DDNS name or to the LAN IP address. Incidentally, I am accessing my ISY from inside my LAN, if that changes anything.



You are correct - they are not part of the ISY. It’s a Chrome requirement (that other browsers are expected to adopt in the coming months).

https://support.google.com/chrome/a/answer/7391219?hl=en

When using TLS - it’s important that you always use the name present in the certificate to access your ISY. Otherwise, your connection will still throw a warning.
I’ve started drafting such a thing many times. The problem is, there is much to it and no substitute for an understanding of the underlying math. It ends up novel sized, and loses usefulness. Add to that the implementations are a moving target and screenshots would rapidly get out of date.

 

Doing a quick search - there are plenty of so-called ‘certificates 101’ type articles out there - but all I’ve found so far fail to actually address the kind of issues I regularly face.

 

There is an interesting analogy on the MSDN blog (https://blogs.msdn.microsoft.com/freddyk/2017/02/06/ssl-certificates-101/). Imagine that any third party can write a note asserting they are Freddy and you are pretty close to the issue here... in the real world, if you know the person's signature you can validate it - but with self-signed certificates a third party can create an exact duplicate in all except the public key itself, compromising your connection unless pinning is used (pinning actually confirms the public key matches what’s expected - meaning the private key is consistent with the first connection you made to the server, and assuring no third party has presented you with a forged self-signed certificate).

 

Truly, the *best* way to make this easy is to integrate LetsEncrypt right into the ISY....

2 hours ago, MWareman said:

You are correct - they are not part of the ISY. It’s a Chrome requirement (that other browsers are expected to adopt in the coming months)

https://support.google.com/chrome/a/answer/7391219?hl=en

When using TLS - it’s important that you always use the name present in the certificate to access your ISY. Otherwise, your connection will still throw a warning.

I just tried using IE.  I get the warning on that too.

In creating my self-signed certificate, I put "host name" as http://mydomainname.biz

Should I have made it: mydomainname.biz or https://mydomainname.biz?



The name in the cert must just be the host name - no protocol. So, “mydomainname.biz” (without quotes) if your ISY ‘A’ DNS record is at the domain root (and that’s what you use in your browser to access ISY) - or “isy.mydomainname.biz” if your A DNS record is a host within your domain.
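Added example (not from this thread, and not UDI's or the ISY's own tooling) tying together MWareman's points above: the certificate carries the bare host name, with no protocol prefix, in both the Subject CN and the SAN, and the name typed into the browser has to match it; it also shows the public-key fingerprint a pinning client compares, which a forged self-signed copy cannot reproduce. The host name and LAN address are constructed placeholders, and the script assumes OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example: build a self-signed cert with the host name in CN and SAN,
# then check it the way a browser does. Names/addresses are placeholders.
set -eu
HOST="isy.mydomainname.biz"   # constructed: the name you type in the browser
LAN_IP="192.0.2.10"           # constructed: the ISY's LAN address
WORK="$(mktemp -d)"

# Key + certificate. CN and SAN carry the bare host name, no "http://".
# An IP SAN is included so that browsing to the LAN address also verifies.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/isy.key" -out "$WORK/isy.pem" \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,IP:$LAN_IP" >/dev/null 2>&1
}

# Emulate the browser: trust the cert itself (as if imported into the root
# store) and verify it against the name or address in the URL.
# Echoes "ok" or "mismatch".
check_name() {
    if openssl verify -CAfile "$WORK/isy.pem" -verify_hostname "$1" \
        "$WORK/isy.pem" >/dev/null 2>&1; then echo ok; else echo mismatch; fi
}
check_ip() {
    if openssl verify -CAfile "$WORK/isy.pem" -verify_ip "$1" \
        "$WORK/isy.pem" >/dev/null 2>&1; then echo ok; else echo mismatch; fi
}

# SHA-256 of the SubjectPublicKeyInfo: the value a pinning client stores on
# first contact. A look-alike cert from another key cannot match it.
spki_fingerprint() {
    openssl x509 -in "$WORK/isy.pem" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary | openssl base64
}

make_cert
echo "$HOST -> $(check_name "$HOST")"                      # ok
echo "http://$HOST -> $(check_name "http://$HOST")"        # mismatch
echo "other.mydomainname.biz -> $(check_name other.mydomainname.biz)"  # mismatch
echo "$LAN_IP -> $(check_ip "$LAN_IP")"                    # ok
echo "pin-sha256: $(spki_fingerprint)"
```

The same check_name call with the DDNS name or LAN IP you actually browse to tells you, before touching the browser, whether the cert you imported will be accepted.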
18 minutes ago, MWareman said:

The name in the cert must just be the host name - no protocol. So, “mydomainname.biz” (without quotes) if your ISY ‘A’ DNS record is at the domain root (and that’s what you use in your browser to access ISY) - or “isy.mydomainname.biz” if your A DNS record is a host within your domain.

Well, I tried creating a new certificate and getting rid of the http://.

Nope. Still doesn't work. Although it exported as a PEM file this time, for whatever that means.

1 hour ago, MWareman said:

Rumor is it’s based on a flavor of BSD - so there should be no OS limitation to implementing it.... hopefully!

No doubt my request is no small feat in what's required to provide a *How To* for security certificates. If this new box offers an easy method to secure the connection from LAN ~ WAN, this will reduce the amount of questions on the forum and support traffic to UDI.

Looking forward to the release of this new box and providing some needed income to the UDI company. I know Michel indicated in the past he didn't like to take anyone's money for a product not in existence. But I believe an IndiGoGo / Kickstarter project should be started to help support and usher such a box in; this would allow the community to help test, validate, and offer insight as to how to do better.

Speaking for myself only, I hope very much this box or similar will be the cornerstone of the next 99X controller, as the current model simply does not have enough HP to run its base functions of X-10, Insteon, Z-Wave, never mind Energy Management.

Michel, please take this as my formal reply as being open, able, and willing to help test such a beast with respect to Energy Monitoring, Node Servers, et al., as I am sure are many of the fine people on this forum who have provided endless insight and feedback on the 5.XX platform.

Cheers!
