Jump to content

SSL Certificate uneducated


intellihome

Recommended Posts

Posted

I have neglected to setup a SSL certificate because I use my ISY remotely on a daily basis and procrastinate because I do not want to be "locked out" if I do something wrong while setting it up.

 

I am pretty naive when it comes to the SSL certificate. I've read several topics on the subject from both the internet and our Forum but for some reason I can't seem to grasp the concept enough to fully understand what is happening.

 

I do understand the general idea of what's taking place, so I decided to give it a shot and selected "request and manage SSL certificates". Generate and install a new self signed certificate. I stopped here.

 

1. It seems easy enough, I just type in my WAN IP and Save?

2. Then what?

3. What do I do from a remote browser?

4. I also access from my phone (Droid).

 

Sorry, it's probably as simple as it seems but like I mentioned I don't want to be without access.

Posted
I have neglected to setup a SSL certificate because I use my ISY remotely on a daily basis and procrastinate because I do not want to be "locked out" if I do something wrong while setting it up.

Since you're currently accessing remotely, this implies your router is successfully set up to forward WAN traffic to your ISY. Do you currently use http (port 80) or https (port 443, SSL using default generic certificate) for that remote access? If you're using https, then you're almost there already. Generating a self-signed certificate simply replaces the existing generic one, using your specific address information.

 

If you're using http, the first thing to check is that port 443 is forwarded through your router to the ISY's port 443, which is required for SSL access. (This is independent of port 80, which you can close on your router once you verify https access is working.)

 

I decided to give it a shot and selected "request and manage SSL certificates". Generate and install a new self signed certificate. I stopped here.

 

1. It seems easy enough, I just type in my WAN IP and Save?

Yes, you specify the same IP address or hostname you use in your remote browser to access the ISY. For example, if you access remotely via http://1.2.3.4/admin, then enter 1.2.3.4 when generating the certificate. Similarly for a hostname.

 

Note there are ways to use a hostname with dynamic IP addresses, using sites such as dyndns.org. This allows remote access even when your WAN IP address changes.

 

2. Then what?

The ISY setup is done. I would try the "remote" access while you're still at home setting things up. Simply access the ISY from your home browser using the WAN address you use remotely. One caveat: your router must support "loopback" access for this to work. The exact wording of this option depends on the router, but it might be called "NAT Loopback" or similar function.

 

3. What do I do from a remote browser?

Access remotely as before, using https instead of http. The browser will warn you that the site's certificate is not trusted because it is self signed, and give you a way to save the exception permanently. Once you do this, the browser won't warn you again. No access differences after that.

 

4. I also access from my phone (Droid).

Should work the same way, although someone else with Droid experience may have something to add.

 

--Mark

Posted

Thanks Mark!

 

I am currently using port 443 and I access with https.

 

"For example, if you access remotely via http://1.2.3.4/admin, then enter 1.2.3.4 when generating the certificate. Similarly for a hostname."

 

So do I type I type the whole address as in your example... https://1.2.3.4/admin or just the 1.2.3.4? (of course subsituting 1.2.3.4 with my address).

 

"Access remotely as before, using https instead of http. The browser will warn you that the site's certificate is not trusted because it is self signed, and give you a way to save the exception permanently. Once you do this, the browser won't warn you again. No access differences after that."

 

So, what I don't understand about this SSL stuff, is when I access my ISY remotely, I am a stranger to the ISY and my browser will warn me that it's not trusted but give me a way to save the exception permanetly. So why can't anybody do this? and always have access? What am I missing?

 

Thanks again! I'll get it it eventually :)

Posted
Thanks Mark!

 

I am currently using port 443 and I access with https.

 

"For example, if you access remotely via http://1.2.3.4/admin, then enter 1.2.3.4 when generating the certificate. Similarly for a hostname."

 

So do I type I type the whole address as in your example... https://1.2.3.4/admin or just the 1.2.3.4? (of course subsituting 1.2.3.4 with my address).

 

Use just the 1.2.3.4

 

"Access remotely as before, using https instead of http. The browser will warn you that the site's certificate is not trusted because it is self signed, and give you a way to save the exception permanently. Once you do this, the browser won't warn you again. No access differences after that."

 

So, what I don't understand about this SSL stuff, is when I access my ISY remotely, I am a stranger to the ISY and my browser will warn me that it's not trusted but give me a way to save the exception permanetly. So why can't anybody do this? and always have access? What am I missing?

 

They still need the username/password. That data is encrypted when you use the SSL certificate and only the ISY can decrypt it. So no one can sniff the data.

 

A public key is used to encrypt the data but only the private key can decrypt it.

 

Thanks again! I'll get it it eventually :)
Posted

ah ha , thats what I keep confusing myself with...the SSL security is not for login security it's for encrypting the data that is moving between the ISY and the browser I'm using.

 

1. To further help me understand...what is so critical about the information being passed along from the isy and a browser? I guess the user ID and password would be vulnerable but other then that? there is no personal data on the ISY. or is there?

 

As far as I know I completed the step to request and install a self signed certificate by typing in my WAN and checking the save box and hitting OK. Nothing seemed to happen? No errors, no "completed" message or anything like that. So I closed the console and reopened and still get the Security Warning that "ISY is currently configured with the default SSL certificate".

 

BTW I requested the self signed certificate from a remote browser (work computer). This is where I currently am.

Posted
ah ha , thats what I keep confusing myself with...the SSL security is not for login security it's for encrypting the data that is moving between the ISY and the browser I'm using.

For most situations that you'll encounter (including the ISY), this is exactly the case: the server's SSL certificate enables private (non-snoopable) communication between arbitrary clients and the server. It also allows the client to verify the identity of the server (very useful, for example, when talking to your bank's server). It does not enable the server to verify the identity of the client, which is why login passwords are still required.

 

The SSL framework does allow client authentication (with signed client certificates), but it requires more administration in the client and is used mainly in enterprise environments.

 

1. To further help me understand...what is so critical about the information being passed along from the isy and a browser? I guess the user ID and password would be vulnerable but other then that? there is no personal data on the ISY. or is there?

I would consider the user ID/password to be critical information. If disclosed, it would allow anyone to connect to your ISY and have their will with your lights. Probably not as sensitive as bank or credit card info, but personally I don't want my ISY vulnerable and this is reason enough to use https connections.

 

As far as I know I completed the step to request and install a self signed certificate by typing in my WAN and checking the save box and hitting OK. Nothing seemed to happen? No errors, no "completed" message or anything like that. So I closed the console and reopened and still get the Security Warning that "ISY is currently configured with the default SSL certificate".

 

BTW I requested the self signed certificate from a remote browser (work computer). This is where I currently am.

The UDI crew will have to answer this. But I seem to remember seeing warnings somewhere that SSL management in the ISY must be performed locally for security reasons. One would think an error would be displayed if this was the case and you tried it remotely.

 

--Mark

Posted

Thanks Mark!

 

I'll be leaving work soon and I'll give it a try from home.

 

Will requesting a a self signed certificate a second time cause a problem? What happens to the first one? I figured I'd screw this up one way or another :)

 

Thanks again!

Posted
Will requesting a a self signed certificate a second time cause a problem? What happens to the first one? I figured I'd screw this up one way or another :)

Each time you generate a new certificate, it simply replaces the previous one. The remote browser will warn you again since it is a new certificate, but otherwise there is no problem there either.

 

--Mark

Posted

Hello intellihome,

 

Yes, you must be local to the ISY. The Certificate Manager program will search your network for the ISY and you will be asked to login. You may have to wait a minute for the login prompt.

 

You do not have to save the certificate, it is automatically downloaded to the ISY. A new certificate overwrites the existing certificate.

 

Make a Backup of your ISY before you begin. Restoring the backup will restore the old certificate.

 

Rand

 

Thanks Mark!

 

I'll be leaving work soon and I'll give it a try from home.

 

Will requesting a a self signed certificate a second time cause a problem? What happens to the first one? I figured I'd screw this up one way or another :)

 

Thanks again!

Posted

Thank you guys. I really appreciate you walking me through this.

 

1. I did a backup

2. created the new certificate (from home), this time it saved a copy to my computer "UD.DCF" and rebooted the ISY.

 

:D

Guest
This topic is now closed to further replies.

×
×
  • Create New...