Wildcard certificates come to mind, supposing that your thousand different sites correspond to the sub-domains of a single domain. This will work for both public websites and websites which are available only through LAN.
If this is not the case, i.e. if you are really using a thousand different domains, then you can think of automating the generation of the certificates. If you're using (or willing to use) Let's Encrypt, the procedure is automated anyway, so the number of domains won't make any difference in terms of the time you'll spend. Make sure, however, to check the quotas; trying to register a thousand domains at once will probably exceed the allowed limits.
Let's Encrypt won't let you create a certificate for a website which is not accessible from the internet (or at least not accessible from Let's Encrypt's servers). For those websites, I'd go with self-signed certificates. The reason you can't use self-signed certificates for public websites is that they won't be recognized by the browsers—in order to access such a website, the visitor will have to accept a self-signed certificate, which is a practice that should be discouraged at all costs among non-technical users. Since you're dealing with a LAN, you can probably deploy the self-signed CA to the client machines, meaning that there will be no warnings here.
Obviously, handling self-signed certificates (and properly securing private keys) requires expertise; but so do certificates which use Let's Encrypt.
> I've had thoughts about possibly forwarding HTTP traffic over an SSL socket with a shared key, and proxying all of this traffic to a main proxy connection, but I'm unsure if this is actually the way to go.

I suppose you're talking about a reverse proxy which will have to decrypt TLS traffic. This is indeed an approach which is used a lot; however, it assumes that you need to encrypt the traffic between the reverse proxy and the end user, but that the traffic between the reverse proxy and the backend is completely safe. This is not always the case (what makes you think that nobody found a way into one of your thousand servers?), and specific industries (such as banking) may have specific laws or policies which make it mandatory to encrypt traffic even inside the LAN.
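The "deploy your own CA to the LAN clients" route above, as an added example that is not part of the original answer: a minimal internal CA that issues per-host certificates with a SAN, plus the check a trusting client performs (chain to the CA and hostname match). It assumes `openssl` is installed; the CA name, directory and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA for LAN-only hosts. Clients that trust ca.crt
# accept these certificates without warnings. All names are placeholders.
set -eu

CA_DIR="${CA_DIR:-./internal-ca}"   # assumed output directory

# Create the private CA: key plus self-signed root certificate (5 years).
make_internal_ca() {
  mkdir -p "$CA_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -subj "/CN=Example Internal CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
  chmod 600 "$CA_DIR/ca.key"          # the CA key is the crown jewel; lock it down
}

# Issue a leaf certificate for one LAN host. The SAN is what browsers match on;
# CA:FALSE stops a leaf from being abused to sign further certificates.
issue_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$CA_DIR/$host.key" -out "$CA_DIR/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$CA_DIR/$host.ext"
  openssl x509 -req -in "$CA_DIR/$host.csr" -CA "$CA_DIR/ca.crt" \
    -CAkey "$CA_DIR/ca.key" -CAcreateserial -days 397 -sha256 \
    -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host.crt" >/dev/null 2>&1
  chmod 600 "$CA_DIR/$host.key"
}

# What a client that trusts the CA checks: $1 = host whose cert file to read,
# $2 = hostname the client actually connected to. Returns non-zero on mismatch.
verify_cert() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$2" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Constructed sample inventory; in practice this loop reads your host list.
make_internal_ca
for h in intranet.example.lan wiki.example.lan; do
  issue_cert "$h"
done
```

Distribute only `ca.crt` to the clients' trust stores; the per-host `.key` files stay on their servers and `ca.key` stays offline or on the signing host only.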