Self-signed certificate for device with local IP

Jaime · Jul 4, 2018 · Viewed 7.1k times

Scenario:

  • We have a device similar to a WiFi router that has a UI and an API exposed
  • The device will run on any LAN out of our control, just like a WiFi router runs on any house.
  • The device doesn't belong to any domain and is accessed through its IP address (e.g. 192.168.1.100) with a browser.
  • The protocol shall be HTTPS
  • The software used is .NET Core/Kestrel on Windows
  • Currently we have warnings in all browsers saying that the device has an invalid certificate.
  • Constraint: The device shall be accessible by any machine (desktop/tablet) and cannot install or configure anything in the client machines.

The question is: What is the best way to remove the warning? We read that there cannot be regular certificates for private/local IPs.

Self-signed certificates seem to work for a few days and then the error shows up again.


Answer

poke · Jul 4, 2018

There is no way to issue an SSL certificate for an IP address; you have to have an actual name for which you create the certificate. In order to get such a name, you need a DNS. Since you don’t have access to the internal DNS of that local network, you will have to use a public DNS server for this.

This assumes that devices within that network do actually have internet access. If they don’t, then you’re completely out of luck.

If there is internet access, then you can simply make a public (sub-)domain point to your local IP address. Basically, configure the DNS for a domain that you own so that there is an A entry on the domain or one of its subdomains that points to your local IP address 192.168.1.100.

That way, you can communicate that public domain to others, and when they try to resolve the domain, they will hit the DNS which will give the local IP address. So devices within that network can then get to your device and access it. Since they are accessing it then through that domain, a certificate for that exact domain would be generally accepted.

In theory, this works pretty well. In practice this can be a bit complicated or expensive though. Server certificates expire, so you will have to include the certificate (securely!) inside your device and also provide some means to update it eventually when it expires. Free certificates, like those from Let's Encrypt, will expire within a few weeks, but money will be able to buy you certificates that expire less quickly.

But in the end, it will still be somewhat painful, not because of the domain name, but rather because of the certificate – at least if you want a certificate that is automatically trusted. Otherwise, you would be back at the beginning.
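The two checks the answer above hinges on, as an added example that is not part of the original post or answer: hostname matching against the certificate's subjectAltName (a name-based certificate is never accepted for the IP literal 192.168.1.100, even when served from that address) and the expiry countdown that drives renewal. The certificate dictionary is constructed in the shape `ssl.getpeercert()` returns; `device.example.com` and the dates are assumptions.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in ssl.getpeercert() shape: a certificate issued for a
# hypothetical public subdomain whose DNS A record points at 192.168.1.100.
# The 90-day lifetime mirrors a Let's Encrypt certificate.
DEVICE_CERT = {
    "subject": ((("commonName", "device.example.com"),),),
    "subjectAltName": (("DNS", "device.example.com"),),
    "notBefore": "Jul  4 00:00:00 2018 GMT",
    "notAfter": "Oct  2 00:00:00 2018 GMT",
}


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is covered by the SAN list.

    An IP literal is compared only with "IP Address" SAN entries, never with
    DNS entries, which is why https://192.168.1.100 still warns after the
    device gets a certificate for its public name.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and dns_name_matches(v, host) for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days left before notAfter (negative once expired); use it to schedule renewal."""
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400


def check_access(cert: dict, host: str, now: datetime, renew_within_days: int = 30) -> dict:
    """What a client connecting to `host` at `now` would conclude about this cert."""
    left = days_until_expiry(cert, now)
    return {"name_ok": hostname_matches(cert, host), "days_left": round(left, 1),
            "expired": left < 0, "renew_now": left < renew_within_days}
```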