GJ Software Products Posted December 27, 2022 Posted December 27, 2022 I see talk of (and had to) accept the self-signed certificate for PG3 on eisy. “Dashboard“ is no longer an option from IoX Finder for my eisy. How can I install my own CA Certificate or a Cert signed by recognized CA on my new eisy? Somewhat like you do with AWS IoT. Or maybe you have to use a recognized CA? Are their any CAs already installed in eisy/PG3? How do you manage certificates on the eisy? Thanks.
bpwwer Posted December 27, 2022 Posted December 27, 2022 The eisy is supposed to manage all of the certificates it needs internally. If you want the UI to access PG3 with https, you have to trust the UDI self-signed certificate. The alternative is to use http to access the UI which will then do so without any ssl encryption.
GJ Software Products Posted December 28, 2022 Author Posted December 28, 2022 17 minutes ago, bpwwer said: The eisy is supposed to manage all of the certificates it needs internally. If you want the UI to access PG3 with https, you have to trust the UDI self-signed certificate. The alternative is to use http to access the UI which will then do so without any ssl encryption. Thanks. So no way to install my own certificates, registered to my domain, managed by me, signed by a trusted CA? That just don't sound right. Self signed certs are rejected by the network at work. There's got to be a way to manage your own certs. It's been more than 2 decades since I even managed a Unix box, and in all reality we didn't even think about certs back then. But today, that's a different story.
Javi Posted December 28, 2022 Posted December 28, 2022 I would not recommend opening a port even with a valid cert, not to mention the cost (time/money) of cert management is likely much higher than ISY Portal. The next best method would be to get a router which supports VPN which would allow "remote" connections. Most mid/high end routers already have this functionality. 1
bpwwer Posted December 28, 2022 Posted December 28, 2022 The eisy creates self signed certificates and uses those to both authenticate and encrypt communication between the various software components on the box. Because most users have the box behind a router with no public IP address, it's very difficult to create certificates signed by an authoritative CA. If you tried to install your own certificates in place of the UDI self signed ones, you'd have make sure covered all the components or things would stop working. It's not impossible, but it's not documented nor is it currently supported by UDI. 1
brians Posted December 28, 2022 Posted December 28, 2022 I use haproxy and letsencrypt on my pfsense. My dynamic ip also updates with godaddy automatically with its dynamic dns. I don’t access pg3 this way however since I have no need but I do other things.
GJ Software Products Posted December 28, 2022 Author Posted December 28, 2022 16 hours ago, Javi said: I would not recommend opening a port even with a valid cert, not to mention the cost (time/money) of cert management is likely much higher than ISY Portal. The next best method would be to get a router which supports VPN which would allow "remote" connections. Most mid/high end routers already have this functionality. <lol> I could only wish I had to manage only one cert. Port forward to the eisy was just a quick hack to get me in from the outside. Yea, VPN would be the way to go for me, I've got licenses for but I've never built a VPN on this firewall. And that still don't fix self signed certs. Thanks for your thoughts. -Grant
GJ Software Products Posted December 28, 2022 Author Posted December 28, 2022 16 hours ago, bpwwer said: The eisy creates self signed certificates and uses those to both authenticate and encrypt communication between the various software components on the box. Because most users have the box behind a router with no public IP address, it's very difficult to create certificates signed by an authoritative CA. If you tried to install your own certificates in place of the UDI self signed ones, you'd have make sure covered all the components or things would stop working. It's not impossible, but it's not documented nor is it currently supported by UDI. Thanks for the feedback. Yea, if the certs are encrypting traffic between services inside the box I really don't want to get into that, first off I'd need to know how many certs and what services? Too much to undertake. I'd really only be interested in what it's using for external https but I see you mention certs plural so it could be a PITA to get past self signed certs. I'm probably just spoiled to having full cert management capabilities. And it looks like it's using an EC2 instance on 443 for the Portal and I guess it could be using cert auth like IoT or maybe IAM but that's a cert & CA in itself. Thanks again, -Grant
Recommended Posts