Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>Basically, no, you can't do this the way you hope to.</p> <p>You aren't an intermediate SSL authority, and you can't afford to become one. Even if you were, there's no way in hell you'd be allowed to distribute to consumers everything necessary to create new valid certificates for any domain, trusted by default in all browsers. If this were possible, the entire system would come tumbling down (not that it doesn't already have problems).</p> <p>You can't generally get the public authorities to sign certificates issued to IP addresses, though there's nothing technically preventing it.</p> <p>Keep in mind that if you're really distributing the private keys in anything but tamper-proof secured crypto modules, your devices aren't really secured by SSL. Anyone who has one of the devices can pull the private key (especially if it's passwordless) and do valid, signed, MITM attacks on all your devices. You discourage casual eavesdropping, but that's about it.</p> <p>Your best option is probably to get and sign certificates for a valid internet subdomain, and then get the device to answer for that subdomain. If it's a network device in the outgoing path, you can probably do some routing magic to make it answer for the domain, similarly to how many walled-garden systems work. You could have something like "system432397652.example.com" for each system, and then generate a key for each box that corresponds to that subdomain. Have direct IP access redirect to the domain, and either have the box intercept the request, or do some DNS trickery on the internet so that the domain resolves to the correct internal IP for each client. Use a single-purpose host domain for that, don't share with your other business websites.</p> <p>Paying more for certificates doesn't really make them any more or less legit. By the time a company has become a root CA, it's far from a fly-by-night operation. You should check and see if <a href="http://www.startssl.com/" rel="noreferrer">StartSSL</a> is right for your needs, since they don't charge on a per-certificate basis.</p>
    singulars
    1. This table or related slice is empty.
    1. POAdvanced SSL: Intermediate Certificate Authority and deploying embedded boxes
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USPaul McMillan
    1. USPaul McMillan
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POAdvanced SSL: Intermediate Certificate Authority and deploying embedded boxes
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COOn the matter of 'Only as secure as the physical hardware', I will concede that I agree and understand that aspect. The desire for the unique keys is to avoid the scenario where it's a single valid cert/key deployed on every box (resulting in the host mismatch problem) since once you get the private off one box you can decrypt every box. With regards to intermediate cert costs - I somewhat guessed that would be the case. I wish the EFF would start a not-for-profit CA.
      singulars
      1. PO
      1. USsynthesizerpatel
    2. COIf you're looking for a low-cost-per-cert CA, you want StartSSL (I thought you were making a dig at 'em earlier with the "fast eddie's..." stuff, so I didn't mention them). Their model verifies you, and then lets you issue as many certs as you need. Your use case is probably borderline for their terms, but I think it's on the ok side of the line. Is the custom subdomain model likely to work for your use case?
      singulars
      1. PO
      1. USPaul McMillan
    3. COThis is dead on. Because there isn't a tech soluion, you are going to have to handle it in sales or support. Someone needs to tell the customer what the ssl options are in such a way that they are encouraged to get a non-self signed cert. Heck, I'm sure you could partner with someone to offer it in app and take a piece of the sale as a referall.
      singulars
      1. PO
      1. USNotMe
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload