Michel Kohanim Posted February 19, 2010 Posted February 19, 2010 Hi mitch236, As markens suggested, we do not support client certificates and have no plans on doing so. So, you would still have to manage userid/password. Please try another self signed certificate. To do so: 1. ensure you have 2.7.11 2. go to https://www.universal-devices.com/ssl/insteon With kind regards, Michel
Michel Kohanim Posted February 19, 2010 Posted February 19, 2010 Hi Mark: Michel, I thought about this process a bit more, and have several more questions I'm hoping you can clarify since I can't test on my 2.7.7 ISY: - When selecting the Generate Certificate Request to CA option, is the current SSL operation of the ISY affected at that point? No it is not. I.e., will a currently installed self-signed cert continue to work? (Say a CSR is generated and a resulting signed cert is never "received" into the ISY.) Yes. Specifically, does the private key generated at this point overwrite the existing private key components in the ISY, rendering the previous certificate unusable? No. - If the ISY is affected, then presumably the old cert file could be restored, or a new self-signed cert be installed. ISY is not affected at all UNLESS you use "Import/Install options" ... - Does Generate Certificate Request to CA generate a new private key every time this is selected? (So every generated CSR has a new private key associated with it?) Yes and the client only memorizes the last one. As such, if you issue CSRs, you will have errors if you try to import the certificate for the former. With kind regards, Michel
jch Posted March 7, 2010 Author Posted March 7, 2010 I thought I posted this reply last night, but it does not seem to have shown up... Is this known to work on 2.7.12? Whatever I type in the Certificate Request Parameters pop-up, I do not see a certificate. I've tried it on both Linux and Windows. Thanks. Jeff
Michel Kohanim Posted March 7, 2010 Posted March 7, 2010 Hi Jeff, Sincere apologies ... wrong library version was installed. Please do be kind enough to clear your java cache and retry: http://www.universal-devices.com/ssl/insteon With kind regards, Michel
markens Posted March 7, 2010 Posted March 7, 2010 Now that I'm up to 2.7.12, I used the SSL utility to generate a CSR and install the signed cert from my CA. It all worked fine, and my new cert was installed and is active on the ISY. Very nice, thanks. One glitch: After I pasted the signed cert into the popup window to be received and hit OK, that popup went away and I was prompted to save UD.DCF. That appeared to work ok. But UD.DCF did not seem to be actually written to the specified location. I can retrieve it from ISY backup, but something seems amiss here. --Mark
Michel Kohanim Posted March 8, 2010 Posted March 8, 2010 Hi Mark, If you do not have user accounts off on Vista/Windows 7, then the file will not be stored in any location except in Java's temp directory. With kind regards, Michel
markens Posted March 8, 2010 Posted March 8, 2010 If you do not have user accounts off on Vista/Windows 7, then the file will not be stored in any location except in Java's temp directory. This is XP. The file save dialog was for the specific folder I wanted to save in, and I hit ok. Afterward (when I saw the file was not there), I did a search of the entire disk to see if it actually was saved somewhere else, and it was not found. And the file save via the SSL utility worked fine (to this same folder) when I saved the key file generated for self-signed cert. The workaround is to retrieve the key from the ISY backup, so I'm not too worried about this. But the behavior is pretty strange and does seem buggy to me (especially with no error that file could not be saved where specified). --Mark
Michel Kohanim Posted March 8, 2010 Posted March 8, 2010 Hi Mark, You are 100% correct ... I think it had to do with our paranoia about security: the certificate holds your private key and we felt that it should not be stored on your machine and thus it was deleted after the installation. We just made a change that asks the user whether or not the file should be stored on the machine with a warning that this might constitute a security risk. Thanks again and with kind regards, Michel
markens Posted March 8, 2010 Posted March 8, 2010 Hi Michel, You are 100% correct ... I think it had to do with our paranoia about security: the certificate holds your private key and we felt that it should not be stored on your machine and thus it was deleted after the installation. Paranoia about security is a good thing. Thanks for the explanation. The big disconnect in my mind was the different behavior of saving self-signed cert vs CA-signed cert. And it only mattered to me because of the issue I had a few weeks ago when I lost the ability in 2.7.7 to generate a new cert. Most likely not going to be a problem going forward. We just made a change that asks the user whether or not the file should be stored on the machine with a warning that this might constitute a security risk. Sounds like a good resolution. Thanks! --Mark
Recommended Posts