We are running the Azure IoT Edge runtime on commodity servers inside a corporate intranet. I understand the Microsoft documentation recommends installing certificates for production IoT edge deployment.
We are using basic edge modules only, no gateway configurations, passthroughs, etc...
For our intranet scenario are self-signed certs suitable for production? If so can a single certificate be used for all devices?
Thanks
Yes, you can use self signed CA certificates. Check here.
Every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. That CA certificate is then declared to the IoT Edge runtime in the config.yaml file. For development and testing scenarios, the IoT Edge runtime creates temporary certificates if no certificates are declared in the config.yaml file. However, these temporary certificates expire after three months and aren't secure for production scenarios. For production scenarios, you should provide your own device CA certificate, either from a self-signed certificate authority or purchased from a commercial certificate authority.
Regarding using the same CA cert on various Edge devices,logically you should be able to use it as the identity cert is the one that differs for edge devices based on CN name.But I think you can easily check this out by doing the POC.
Here is the link to generate CA cert.
Related
When I made App with Flutter Dart, I had a problem communicating with the server. HTTPS could allow self-signed certificates, but WSS did not find a solution, so I wanted to know how Dart decided that my certificate was self-signed certificate.
When I run the project with SSL I get a warning in the browser, in every browser: firefox, IE, edge, chrome. When I launch the project it doesn't show me the warning dialog and I don't know if I have any certificate installed.
How to check if I have the certificate installed and if not, how to install it?
You probably need to add your certificate to CA Root.
High level plan:
Export SSL certificate from IIS.
Import that SSL certificate into CA Root.
Here is a blog post that explains everything in detail and with screenshots.
If you use Google Chrome, you might need to close and re-open it after installing a new SSL certificate due to browser's caching.
You can use online SSL checker tool to diagnoses issues regarding SSL certificate installation.
You should check that you are using a self-signed certificate or a CA signed certificate. If it’s a self-signed certificate then your users will experience warning message when they browse your site because browsers don't recognize it.
If you have a CA signed certificate, then you received a certificate via email from trusted third-party certificate authority, which contains the root, intermediate and primary certificates. You should install all three files on your server.
You should update your all browser. Modern browsers have already implemented root certificate, so you need to configure only intermediate and primary certificate on the server.
Follow below link which may help you to add CA Root certificate in the Trusted Root Certification Authorities store. https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx
I read this tutorial: http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
He is generating the certificate signing request on his Mac using Keychain Access:
For Production, we are using an Ubuntu Server. Do you have to generate the CSR on the Ubuntu Server directly, or can you use the certificate generated on my Mac?
If you have to generate the CSR on the Ubuntu server, how can this be done?
You can use the CSR generated on the Mac. Once you have the signed certificates (one for development and one for production) from the Apple Developer portal you will need to export them (including the private key) for use on your server, as per your second screen shot.
After iOS 7.1 ,if we want to deploy our Enterprise app over air, the URL for the manifest.plist file has to be HTTPS.
For example:
itms-services://?action=download-manifest&url=https://example.com/manifest.plist
In my server I use a self-signed SSL certificate. When I tap the URL on an iPhone, it says Could not connect to <ip-address> and logs the typical
NSUnderlyingError=0x15d37040 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be `<ip-address>`, which could put your confidential information at risk.
So, I want to know whether I can use the self-signed SSL certificate or not?
If I can, how do I resolve the problem the problem I've encountered?
First have the user install the self-signed SSL certificate on their device. Or use a free verified SSL service.
You will need to have the user install this file https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
I believe this service provides browser-validated SSL certificates. https://www.startssl.com/?app=1
I'm using the acegi security plugin and I run the app -https. The cert is generated but I get a certificate warning when i visit the web page. I have then download the weak ssl plugin and added weakssl.trustAll =true to Config.groovy. But still getting the same warning. Have I left out anything?
The warning is normal. You can just accept the self-signed certificate. The weakssl module allows the Grails server to trust itself even if it provides a self-signed certificate. It has no effect whatsoever on the client. (Think what a horrible security hole it would be if you could just install some code on the server and get a client to accept a self-signed certificate without a warning!)
To solve your problem you need to either
manually tell your browser the certificate is OK by adding the certificate to your truststore
or
get a certificate from a trusted CA (Certificate Authority) a list of trusted CAs is stored in your browser. To get a certififate from a CA you need to proof your identity and pay (a lot) some money.
so I recommend you just accept the untrusted certifcate unless you want to buy a CA certificate.
The config you changed tells only the server to accept all certificates. i.e. if your server is connecting to another server