I’ve just released a new blog post and project: a way to get valid TLS certificates automatically onto off-the-shelf hardware, to prevent the problem of running their admin interfaces over HTTP or using self-signed certificates.
The concept is fairly simple. A new bit of off-the-shelf kit is plugged in at home or in the office. It boots and calls out to its HQ, which generates a DNS entry for it, creates a certificate through Let’s Encrypt, and then sends it all back to the box. The box can then start up its admin web server, running over HTTPS, and not have the problem of trying to explain to users why they have to accept a security warning caused by a self-signed certificate.
The blog post describing the process is here:
And proof of concept code is here:
I’d like to hear feedback, especially if anyone decides to use the process in one of their systems.