
We need to protect the authentication process to devices we produce. Since these devices are installed in the customer's (typically a non-professional) network, we can't get a regular TLS certificate from a CA. Is there a way to get a trusted certificate in such an environment?

Rudi

2 Answers

Given that the device will not usually have a public domain name, you cannot get a certificate from a public CA for it. And, even if it has a public domain name, it is usually under the control of the customer and not you, so you cannot get a public certificate for it either.

The common approach is to create a unique self-signed certificate for each device and expect the user to add a certificate exception. Additionally, a way for the customer to upload their own certificate should be provided, so that the customer can integrate the device better into their own infrastructure.

Steffen Ullrich

It depends on whether you need to assume all responsibility for the security or you allow the customer to do this.

If you need to take responsibility, you can go down the path of a private intermediate and root CA. There are two options - create your own or use a vendor such as DigiCert. I would recommend the latter even though there are upfront and maintenance costs.

sdbol
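As an added example that is not part of either answer, the two approaches above side by side using only Go's standard library: a fresh key and certificate per device, either self-signed (first answer) or issued by a private vendor root (second answer), plus the check a customer's browser performs once that root is installed. The function names, the vendor name and the sample device identity are assumptions made for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// newCert: fresh P-256 key per certificate; parentKey nil means self-signed (the first answer's device cert).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed: the template signs itself with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// IssueDeviceCert: the second answer's private-CA path. A vendor root (generated here for the demo; in
// practice created once and kept offline) signs one leaf per device whose SAN holds the LAN name and IP.
func IssueDeviceCert(deviceSerial, host string, ip net.IP) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Vendor Device Root CA"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	leafTmpl := &x509.Certificate{SerialNumber: new(big.Int).SetBytes([]byte(deviceSerial)), // unique per device
		Subject: pkix.Name{CommonName: "device-" + deviceSerial}, DNSNames: []string{host}, IPAddresses: []net.IP{ip},
		NotBefore: now, NotAfter: now.AddDate(2, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	root, rootKey, err := newCert(rootTmpl, nil, nil) // self-signed vendor root
	if err == nil {
		leaf, _, err = newCert(leafTmpl, root, rootKey) // device leaf, signed by the root rather than by itself
	}
	return root, leaf, err
}
// VerifyAs: what the customer's browser does once root is installed: chain to it and match host against the SAN.
func VerifyAs(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A leaf from one vendor root does not verify against another root or under a different hostname, which is exactly the property the customer relies on after installing the root once.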