I am building a stand-alone system - not connected to the general internet - consisting of a web server, WiFi network and standard Android tablet. The web server needs to support https because I need to read the tablet’s GPS coordinates (using html 5), which are nowadays only available to a secure website.
Let’s Encrypt certificates would be ideal, except that it will not be possible to automatically renew certificates due to no internet connection. The system will be deployed in the field where I will have no access to it.
One alternative is self-signed certificates, but these generate warnings on the tablet that cannot easily be suppressed (it is possible, but the procedure is complicated and may require root access).
What I would really like to use in this situation is a certificate with a very long duration, say more than 10 years.
Is there any chance that such certificates will become available in the near future?
Are there any alternative solutions for this use case?
I don't think so. The CA/Browser Forum has recently decided that the maximum lifetime of any certificate will be limited to 27 months from March 2018 on. Until then, the limit is 39 months.
Don't forget that in 10 years' time it's highly likely that protocols will have surpassed your certificate (e.g. deprecation of SHA1 certificates), so you should focus on a system that can have upgradable certificates.
tablet’s GPS coordinates (using html 5), which are nowadays only available to a secure website.
do you have any technical evidence to back this claim?
Instead of using WiFi and HTML, think about sending the data in a raw socket to the tablet device.
The tablet device can then render. I.e. instead of returning HTML return JSON and create a native app on your tablet that reads the JSON and displays it on screen.
It sounds like this is a system completely for your use. As such, you could create your own CA (there are dozens of tutorials for this online), install that root certificate in the trusted stores on all your devices (this does not require root) and issue your own signed certificates for any duration you desire, without security warnings.
It doesn’t sound like Let’s Encrypt (or any public CA for that matter) are the right fit for your use case.
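A concrete version of the private-CA suggestion above, written as an added example for this thread (it is not code from any post here or from Let’s Encrypt). It assumes the openssl command-line tool is installed, uses appliance.local as a placeholder for the appliance's hostname, and adds one hardening step the suggestion does not mention: the private root is name-constrained to that hostname, so even if the CA key is ever exposed it cannot mint certificates the tablets would trust for arbitrary internet names.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA for an offline
# appliance, built with the openssl CLI. Assumptions: openssl is on PATH,
# the appliance is reached as appliance.local (placeholder name), and the
# root is name-constrained so a leaked CA key cannot vouch for other names.
set -eu

# make_root_ca DIR DAYS
# Self-signed root: CA:TRUE, no intermediates below it, signing keys only,
# and permitted to issue for appliance.local and its subdomains only.
make_root_ca() {
  dir="$1"; days="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Appliance Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:appliance.local
EOF
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 \
    -days "$days" -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# issue_server_cert DIR HOST DAYS
# Leaf certificate for HOST, carrying the subjectAltName browsers require,
# signed by DIR/ca.crt for DAYS days (the thread's "any duration you desire").
issue_server_cert() {
  dir="$1"; host="$2"; days="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  cat > "$dir/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days "$days" -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# verify_leaf DIR HOST: succeeds only if the leaf chains to the private root
# and satisfies the root's name constraint.
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# outlives CERT DAYS: succeeds if CERT will still be valid DAYS days from now.
outlives() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Demo (run with: sh thisfile.sh demo): a ten-year root, a ten-year leaf for
# the appliance, and a leaf for a name outside the constraint, which the
# root must refuse to vouch for.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_root_ca "$d" 3652
  issue_server_cert "$d" appliance.local 3652
  issue_server_cert "$d" other.example 3652
  verify_leaf "$d" appliance.local && echo "appliance.local: trusted"
  verify_leaf "$d" other.example || echo "other.example: rejected (name constraint)"
  outlives "$d/appliance.local.crt" 3000 && echo "leaf still valid in ~8 years"
  openssl x509 -noout -enddate -in "$d/appliance.local.crt"
  echo "install $d/ca.crt on the tablets; keep $d/ca.key off the appliance"
fi
```

Only ca.crt is what gets installed in the tablets' trust store; ca.key should never leave the machine that issues certificates, and the pathlen and name constraint limit the damage if it does. Note that openssl will happily sign the other.example leaf; the constraint is enforced by the verifier (here openssl verify, on the tablet the browser), which is exactly where it needs to hold.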
I understand that secure protocols today will probably no longer be secure 10 years from now. This is however not my first concern right now. The system will be stand-alone, not connected to the general internet, so security is less of an issue. Upgrading a certificate, however, will require a customer to physically turn in the device, or will require a technician visiting the customer site. This is not something we want to do every 90 days.
The reason for using WiFi and HTML is that it allows us to use a standard tablet off-the-shelf, without any custom software, or even an ordinary smartphone or tablet, as long as it is connected to the system’s WiFi. This is an attractive feature for my customer, and I don’t want to drop it. It also eliminates support time for me, as I don’t need to help not-so-computer-savvy users with installation issues: the application will (or should) work with a standard browser on an off-the-shelf device. Also, I would prefer not to create and maintain a native app for all the different OSes around (Android, iOS, Windows, Linux, …).
Interesting remark. Is the maximum lifetime of certificates something that will be enforced by browsers? Right now, I can easily generate a self-signed certificate of any duration: I just tried 100 years (using openssl), it works and is accepted by browsers (I tried recent versions of Chrome and Firefox).
For certificates on the general internet, where updates are easy, a maximum lifetime of 39 or 27 months makes sense. In my use case, it makes much less sense.
From what I gathered in a quick search, you are right: it should be possible (but not necessarily simple) to install my own CA as a user CA without root privileges. A user CA is not exactly the same as a system CA: for example, it requires a password for the screen lock, but okay, it comes close.
Still, I would strongly prefer to be able to use a standard tablet without special installation instructions. The installation of the root CA would be something my customers would have to do, not necessarily something I can do for them beforehand. The tutorials I could find don't seem to be very simple, for example requiring a file to be copied to the root of the file system on the tablet without explaining how to do that.
A reference to a clear and simple tutorial would be very welcome.
Although the long-lived certificate would be convenient for you, it’s hard to imagine how we’d have confidence that in ten years you’ll control the name on the certificate. That’s more than enough time to sell a business, the business go bust, a new business come into existence with the same name, buy the now dormant name, set up their own services and yet that ten year cert is still valid!
Even if a human never visits them, autonomous devices can be connected to the Internet by a variety of means. Cellular telephone networks, radio, even satellite can be viable when you will use the Internet service very sparingly, perhaps moving only a few kilobytes per month. This might be affordable. Such a connection could be used for some central service to deliver the appliance new certificates, updated firmware and so on. I would be surprised if your plan works ten years without needing any such updates regardless of certificates. I know there is a black box in my home as part of a long running experiment by a local university; it is wired into my home network, but they said even if it wasn’t it would just use a mobile phone network and they’d be billed for the little bandwidth it uses.
A truly extreme option would be to seek an arrangement with a CA where they issue you a name constrained subCA. This makes you the authority for certain names, and could last ten years. Your subCA could be baked into the appliances and would then issue the new certificates every couple of years to make your service work with common browsers. But I say this is extreme because in contrast to Let’s Encrypt being free, this would be very expensive, and instead of a technician now your appliances might need to be visited by third party auditors on behalf of the CA you got this from!
You are right; thanks for the insight. I did not realise that a ten year certificate is not possible, because LetsEncrypt (or another CA) cannot know that the name will only be used on a stand-alone system (and cannot know that I will control the name in ten years time).
I guess that leaves me with three remaining options, barring the extreme option of making an arrangement with a CA authority.
1. Add a (possibly narrow-band and intermittent) internet connection to the system
2. Install my own CA on each tablet or other device accessing the system
3. Use a self-signed certificate and ignore the resulting warnings
For option 1, it would still be useful to have 27 month certificates; I might be able to find a way to let users connect the system to the internet every one or two years, but not every three months.
Option 2 seems best on condition that I can find a good tutorial on how to do this. Suggestions are still welcome.
Android has the limitation that a passcode has to be set to install additional certificates, unless the device is rooted. If you’re fine with that, it’s very simple to deploy certificates to Android as well, via web, email, or SD card. There are even little services that’ll help you avoid some of the manual work, like http://www.realmb.com/droidCert/
Or you can buy an enterprise cross-platform MDM solution to quickly create and manage profiles across lots of devices. There used to be some free MDMs, like Meraki’s SM, but those seem to be gone now.
If users can figure out how to find your device’s IP address on the network to address it in a web browser, they probably can figure out how to bypass the certificate warning or install your certificate too.
If your target audience is non-technical users, you probably want to make an app anyway, at the very least to find the device with DNS-SD on their network. Then you’ll be able to pin your private certificate authority for HTTPS communication, and you can still use a web view to implement the UI if you want.
If longer times between certificate renewals are a big help, getting in now would allow you to buy a cert for 3 years before the rules change to limit to 825 days in April 2018. An understanding sales person might do 39 months, which is the absolute limit today, but the cheap discounters don’t want to waste money letting you talk to a sales person, so three years is probably the best cheap deal you’ll find.
“Free” probably isn’t on the menu for that length of time, I’m sure you understand that even if they’re sympathetic to your particular situation Let’s Encrypt don’t want to start making special exceptions or it’d never end.