Certificates for embedded systems

We develop embedded systems with web servers for management purposes and therefore we have no domain names. The websites are called via IP addresses. We have no way to the internet, but our customers want to have secure communications via HTTPS. Is it possible to use Let's Encrypt certificates for our servers? In one system we can have lots of these "servers", but because we have no connection to the internet, "one certificate for all" is OK for us. Any solution?
Thanks in advance for help
Thomas

Hi @thopf

Currently not. To create Let's Encrypt certificates, publicly visible, worldwide unique domain names are required.

But IP addresses aren't required. Isn't it possible to use something like FritzBox uses?

Subdomains like

https://random-string.myfritz.net/

with DNS validation to create certificates? If you control such a domain, one subdomain per customer with sub-subdomains and one single wildcard?

random-string.myfritz.net + *.random-string.myfritz.net as domain names of the certificate.

Thanks Jürgen,
FritzBox is a central device in a LAN. We don't have this chance. But the information is useful for us. We will see if we can implement a similar solution.
bye
Thomas


That's not certificate-creation relevant. If you have a lot of devices, use sub-subdomains of that customer-subdomain.

More important: that device LAN must use such subdomain names, not IP addresses.

As these devices aren't connected to the internet, I assume they are also not meant to be connected to by the public at large?

Isn't it a better idea to set up your own private CA and distribute its root certificate to the users of those devices?


Yes, only a few users will have access. Private CA? Good idea. I will ask our programmers.
Thanks

It will probably make your life much easier, as to get a Let's Encrypt certificate you'd need to be able to verify a hostname (such as suggested by @JuergenAuer earlier) through publicly accessible methods and afterwards distribute it to your IoT devices. And repeat that at least every three months.

With a private CA, you are not required to have your hostname or IP addresses publicly accessible (directly through TCP/IP or indirectly through DNS for verification) and you can have a certificate lifetime significantly longer than the 90 days of Let's Encrypt.

