SSL/TLS Certificates for/on eisy



I see talk of (and had to) accept the self-signed certificate for PG3 on eisy. "Dashboard" is no longer an option from IoX Finder for my eisy. How can I install my own CA certificate or a cert signed by a recognized CA on my new eisy? Somewhat like you do with AWS IoT. Or maybe you have to use a recognized CA? Are there any CAs already installed in eisy/PG3?

How do you manage certificates on the eisy?

Thanks.


The eisy is supposed to manage all of the certificates it needs internally.

If you want the UI to access PG3 with https, you have to trust the UDI self-signed certificate. The alternative is to use http to access the UI, which will then do so without any SSL encryption.

17 minutes ago, bpwwer said:

The eisy is supposed to manage all of the certificates it needs internally.

If you want the UI to access PG3 with https, you have to trust the UDI self-signed certificate. The alternative is to use http to access the UI, which will then do so without any SSL encryption.

Thanks. So no way to install my own certificates, registered to my domain, managed by me, signed by a trusted CA? That just doesn't sound right. Self-signed certs are rejected by the network at work. There's got to be a way to manage your own certs. It's been more than two decades since I even managed a Unix box, and in all reality we didn't even think about certs back then. But today, that's a different story.


I would not recommend opening a port even with a valid cert, not to mention that the cost (time/money) of cert management is likely much higher than ISY Portal. The next best method would be to get a router which supports VPN, which would allow "remote" connections. Most mid/high-end routers already have this functionality.


The eisy creates self-signed certificates and uses those to both authenticate and encrypt communication between the various software components on the box. Because most users have the box behind a router with no public IP address, it's very difficult to create certificates signed by an authoritative CA. If you tried to install your own certificates in place of the UDI self-signed ones, you'd have to make sure you covered all the components or things would stop working. It's not impossible, but it's not documented, nor is it currently supported by UDI.
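Since the only supported option is to trust the UDI self-signed certificate, the practical question is how to trust it safely rather than clicking through a browser warning. The script below is an added example, not UDI's code or anything shipped on the eisy: it fetches the certificate a TLS endpoint presents, records its SHA-256 fingerprint on first use, and on later runs verifies the connection with that pinned certificate as the only trust anchor (a self-signed certificate is its own CA, so `-CAfile` with the pinned PEM succeeds exactly when the device presents that same certificate). The host and port are placeholders you pass on the command line; which port PG3 listens on for your unit is an assumption you must check on your own eisy.

```shell
#!/bin/sh
# Added example (not UDI's code): inspect and pin the self-signed certificate
# that a device such as the eisy serves, without touching the device itself.
# HOST and PORT are placeholders; the PG3 port on your unit is an assumption.
set -e

# Fetch the leaf certificate the TLS server presents and print it as PEM.
fetch_server_cert() {  # usage: fetch_server_cert HOST PORT
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate file, normalised to lowercase hex
# with no colons so it can be compared as a plain string.
cert_fingerprint_file() {  # usage: cert_fingerprint_file CERT.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Compare a PEM file against a fingerprint recorded earlier (out of band, e.g.
# read from the device console), accepting either case and optional colons.
fingerprint_matches() {  # usage: fingerprint_matches CERT.pem EXPECTED
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':')
    [ "$(cert_fingerprint_file "$1")" = "$expected" ]
}

# Verify a live connection using the pinned certificate as the only CA.
# Hostname checking is deliberately not requested: the UDI certificate is
# self-signed and the subject name may not match the address you use.
verify_pinned() {  # usage: verify_pinned HOST PORT PINNED.pem
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Trust-on-first-use workflow, run only when HOST and PORT are given.
if [ "$#" -ge 2 ]; then
    host=$1; port=$2; pin=${3:-eisy-pinned.pem}
    if [ ! -f "$pin" ]; then
        fetch_server_cert "$host" "$port" > "$pin"
        echo "Pinned first-seen certificate to $pin. Confirm this fingerprint out of band:"
        cert_fingerprint_file "$pin"
    elif verify_pinned "$host" "$port" "$pin"; then
        echo "OK: $host:$port presents the pinned certificate"
    else
        echo "WARNING: $host:$port did not present the pinned certificate" >&2
        echo "Compare fingerprints before trusting a changed certificate." >&2
        exit 2
    fi
fi
```

Run it once as `sh pin.sh HOST PORT` to record the certificate, compare the printed fingerprint with the one shown on the device, and re-run it whenever you reconnect; a mismatch after a UDI update may simply mean the box regenerated its certificates, but it is the same signal an interception would produce, so check before re-pinning. The saved PEM is also what you import into your OS or browser trust store if you want the https UI to load without a warning.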
16 hours ago, Javi said:

I would not recommend opening a port even with a valid cert, not to mention that the cost (time/money) of cert management is likely much higher than ISY Portal. The next best method would be to get a router which supports VPN, which would allow "remote" connections. Most mid/high-end routers already have this functionality.

<lol> I could only wish I had to manage only one cert. Port forwarding to the eisy was just a quick hack to get me in from the outside. Yeah, VPN would be the way to go for me; I've got licenses for it, but I've never built a VPN on this firewall. And that still doesn't fix self-signed certs. Thanks for your thoughts. -Grant

16 hours ago, bpwwer said:

The eisy creates self-signed certificates and uses those to both authenticate and encrypt communication between the various software components on the box. Because most users have the box behind a router with no public IP address, it's very difficult to create certificates signed by an authoritative CA. If you tried to install your own certificates in place of the UDI self-signed ones, you'd have to make sure you covered all the components or things would stop working. It's not impossible, but it's not documented, nor is it currently supported by UDI.

Thanks for the feedback. Yeah, if the certs are encrypting traffic between services inside the box, I really don't want to get into that; first off I'd need to know how many certs and what services. Too much to undertake. I'd really only be interested in what it's using for external https, but I see you mention certs, plural, so it could be a PITA to get past self-signed certs. I'm probably just spoiled by having full cert management capabilities. And it looks like it's using an EC2 instance on 443 for the Portal, and I guess it could be using cert auth like IoT, or maybe IAM, but that's a cert & CA in itself. Thanks again, -Grant

This topic is now closed to further replies.