Sensor device web interface certificate
I have sensor devices with a configuration web interface. Each device has a unique serial number. The devices are deployed in various environments with private IP addresses such as 192.168.x.y or 10.x.y.z. Between different environments, these IP addresses will often overlap: environment A with a sensor with IP 192.168.100.200 and environment B with a sensor with the same IP address. The devices will be accessed through a plain Windows laptop by technicians needing to access hundreds of these devices across different environments. The sensor devices and laptops operate without Internet access. There is a private CA that can be installed as trusted by every browser used to access the configuration web interface.
I would like users accessing the configuration web interface to have as much security as practically possible and as few security warnings as possible.
I can have the sensor devices generate a key pair and a CSR based on the device's unique serial number at the moment of manufacturing, and get it signed by the private CA. This would allow both the identification of the device (serial number) and validation (signed by trusted private CA). However, since the devices usually don't have a hostname and don't know the IP address they will end up with at the moment they generate the CSR, how can the CSR be created in such a way that a browser shows this as 'OK'?
The best I've been able to come up with is to create the CSR for "mysensordevice-serialnumber.private.something" and adapt the DNS host file of the laptops accessing the device, setting a DNS entry "mysensordevice-serialnumber.private.something" to point to the IP address the sensor device ends up with. However, this moves the problem from the CSR to the DNS host file: each device would need to be added to every technician's laptop after it's known which IP address it ends up with (which is usually only when the technician is accessing the device).
I have read a lot of questions and answers about this on this stack exchange and it seems the best reasonable solution is just to accept the device will not have a TLS connection the browser can fully mark as secure? Thoughts?
morde last edited by
You can use CMP (https://en.m.wikipedia.org/wiki/Certificate_Management_Protocol) i.e., certificate management protocol. It is a protocol for obtaining the x509 certificate in PKI (Public Key Infrastructure). It requires CA (Certificate authority), RA ( Registration Authority) and end clients (CMP clients)
So, your client i.e., sensor devices will act as a CMP client and after they are provisioned with IP address you can initiate a request to RA for certificate issuance with IP address as CN. RA will process the request and send to CA for issuing the certificate and provide the certificate to CMP clients (your devices).
But the only catch is that you need one RA (registration authority) which can connect to Private CA and act as a mediate between private CA and end clients i.e., sensor devices.
As you said there is no network connectivity for sensor devices you can setup RA locally on that environment with connectivity to CA. So, your end client will only connect with RA whereas RA will be the only server which will connect to Private CA. You can bring RA up and down as per requirements whenever you require the certificate re-issuance. RA is just acting like a person who will take CSR to CA and request signing. The only difference is it is managed automatically by RA.