Certificates for embedded systems

thopf · March 24, 2021, 10:56am

We develop embedded systems with webservers for management purposes and therefore we have no domain names. The websites are called via IP addresses. We have no way to the internet but our customers want to have secure communications via HTTPS. Is it possible to use letsencrypt certificates for our servers? In one system we can have lots of these "servers" but because we have no connection to the internet, "one certificate for all" is OK for us. Any solution?
Thanks in advance for help
Thomas

JuergenAuer · March 24, 2021, 11:05am

Hi @thopf

currently not. To create Letsencrypt certificates, public visible, worldwide unique domain names are required.

But ip addresses aren't required. Isn't it possible to use something like FritzBox uses?

Subdomains like

https://random-string.myfritz.net/

with dns validation to create certificates? If you control such a domain, one subdomain per customer with sub-subdomains and one single wildcard?

random-string.myfritz.net + *.random-string.myfritz.net as domain names of the certificate.

thopf · March 24, 2021, 11:35am

Thanks Jürgen,
Fritzbox is a central device in a LAN. We don't have this chance. But the information is useful for us. We will see if we can implement a similar solution.
bye
Thomas

JuergenAuer · March 24, 2021, 11:51am

That's not certificate-creation relevant. If you have a lot of devices, use sub-subdomains of that customer-subdomain.

More important: That device-lan must use such subdomain names, not ip addresses.

Osiris · March 24, 2021, 11:56am

As these devices aren't connected to the internet, I assume they are also not meant to be connected to by the public at large?

Isn't it a better idea to set up your own private CA and distribute its root certificate to the users of those devices?

thopf · March 24, 2021, 2:39pm

Yes, only a few users will have access. Private CA? Good idea. I will ask our programmers.
Thanx

Osiris · March 24, 2021, 2:42pm

It will probably make your life much easier, as to get a Let's Encrypt certificate you'd need to be able to verify a hostname (such as suggested by @JuergenAuer earlier) through public accessible methods and afterwards distribute it to your IoT devices.. And repeat that at least every three months.

With a private CA, you are not required to have your hostname or IP addresses publically accessible (directly through TCP/IP or indirectly through DNS for verification) and you can have a certificate life time significantly longer than the 90 days of Let's Encrypt.

system · April 23, 2021, 2:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate for embedded device without a domain name?	1	3277	October 29, 2015
How can I use Let's Encrypt to make internal certs? Help	5	11493	March 19, 2023
General questions Help	2	1694	August 21, 2017
Using Let's Encrypt in A Shared Environment Service Multiple Customers Help	13	3893	August 26, 2017
How to create a The device supports the DER (ASN1) and PEM certificate formats Help	4	698	April 19, 2019

Certificates for embedded systems

Related topics