Thomas Taranowski wrote:
*[safeTgram (safetgram-in) receive status: NOT encrypted, NOT signed.]*
I think this question may be more general than OpenSSL, and will
expose my SSL n00biness, but I'm not sure where to turn.
I'm working on integrating the use of openssl on an embedded target
which I have widely distributed in the field. The issue I have is
that each target is nestled within someone elses private network, and
I have no control over the IP address, nor domain name assignment, yet
I still want to be able to setup secure web communications between the
target and client. What I want is to use a single certificate request
file, and have a single private key for each of my deployed servers,
each of which will have a different domain name and IP address.
From what I understand, using the same certificate and server private
key is not possible, so I have to generate and get signed a
certificate for each and every one of the thousand units I have
deployed. To compound the difficulty, since these are small embedded
targets, the certificate and key needs to be compiled into the target
code at build time, so I have to make 1000 different builds, one for
each target. This just seems wrong.
Can someone help me get my learn on?
Thomas Taranowski
Certified netburner consultant
baringforge.com <http://baringforge.com>
Hi Thomas,
You do not have to compile anything unique if you have some reliable
persistence storage and a unique id for each device, that is unique to
the device and not derived from its location. If these requirements are
satisfied then a solution to this problem, as stated, is to have a
certificate authority ready to sign certificate requests. Each device
could have a canned library to pick up the unique identifier, add any
other relevant information which may be derived from its location, and
use this to create a certificate request to submit to the certificate
authority to sign. The certificate authority can be one specified
location that is independent from the location of the devices. The
signed certificate can then stored locally and used for later SSL
communications for the lifetime of the certificate.
Some issues to be aware of:
1. Secure storage, I assume that you want authentication of the device
to prove it is that device.
2. Certificate revocation lists. Ask yourself if you want to be able to
mark some certificates as invalid in the future?
3. Uptime of and access to the certificate authority.
4. Are you concerned about some devices impersonating others? How
important is authentication in your scheme? From your comments about
reusing a certificate and private key, it seems like this is not
important to you.
Lastly, is it SSL you want, or something like Kerberos or IPsec? What
are your requirements? SSL or the others I mentioned may be too heavy
duty or too high level for your application.
Regards,
Jeremy
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
