I'll describe our situation... We are going to have a PWA app which will be served from AWS with it's own subdomain of a company I am contracted for (I would post the domain but they haven't chosen the subdomain for us yet). This UI will be secured with AWS' CA, this PWA will be connected directly to a RaspberryPi wirelessly on a piece of farm equipment. The Pi will be hosting an expressJs server that will be controlling pieces of the farm equipment. (It's really just a hardware bridge). The problem is that PWA's require secure connections and everything is going to be offline while the equipment is in operation and we need the Pi to have it's own (valid) certs so it can be connected to.
In the future the number of Pi's will grow so I assume we will need many certs. How can we assign domains to these Pis that we can issue valid certificates too? These Pis could be connected to the internet once before deployment, but post deployment ideally they wouldn't need to be reconnected and we could just update them from our PWA/manual memory updates.
Any help would be appreciated, this is a real head scratcher for me.
The PWA is connected to the PI's wireless network. Currently we are connecting directly to the PI's IP address with a self signed cert. I do think the PI's should have a publicly trusted cert as we won't have control over the hardware connecting to the PI, only the software. We don't want to make security exclusions for the IP or allowing the self signed certs.
You don't need to use self signed certificates, but you can run your own private CA on which you issue the certificates.
Pis can have publicly trusted certificates via Let's Encrypt, but you should really not use dns validation (hardware is in untrusted hands, I understand) and you can only use http/tls validation if the pis are publicly reachable from the internet (not always, just during validation)
Yeah we're aware of making our own private CA but then we'll still have the manual step of getting the tablet/smartphone to trust that root cert. Ideally there are no manually interventions like that...Maybe it's not possible to have all of the cake with none of the calories but that's why I was hoping some experts here might have some clever ideas we hadn't thought of.
If the Pi's are totally offline and won't have access to the internet to renew a Let's Encrypt certificate, then any previously issued cert on the Pi will expire 90 days after issuance.. And without any means of renewing it (because it's offline), then I don't see any way how this is going to work using Let's Encrypt.
All the benefits of the Internet while being completely disconnected from the Internet.
I really don't see how that is going to be possible [beyond the first 90 days].
We can reconnect them for maintenance if necessary, the main point is that during operation the whole system is expected to be offline in the middle of nowhere.
The tablet/smartphone will connect to the PI's wireless network. The PI is hosting a server that will handle the hardware connections that the PWA will connect to. The issue is the PWA only wants HTTPS connections.
One of the other options we have which has it's own large series of headaches is hosting the PWA from the PI, that eliminates the trust issue but then we have more maintenance problems.