Definitions
- NB: NetBurner Device
- CA: Certificate Authority
- CN: Common Name and/or Subject Alternative Name
Naming Options
- mDNS (.local)
- IPv4 or IPv6
- DNS name
Types of Certificate Issuers
Self Signed Certificate
The certificate is auto-generated by a NetBurner device and is its own CA.
Pros
- Simple solution for a single NetBurner device accessed by one or two computers.
- To avoid a browser warning message, the certificate must be downloaded from the NetBurner device and installed in all computers and/or browsers that access the device.
- When a certificate expires, a new certificate will be automatically generated.
Cons
- Multiple NetBurner devices and/or computers: each device has its own unique certificate, and each device's certificate must be downloaded and installed into each computer that needs access.
- Note
- When a certificate expires or the IP address/name changes, the new certificate must be downloaded from the NetBurner device and installed in the computer and/or browser.
- If the name.local feature can be used (e.g. MyDevice.local), the certificate already loaded in the computer/browser will still be valid (no need to upload a new one). In order to use local names, the auto-generation must be configured to use local names.
Private Certificate Authority Signed Certificate
A Certificate Authority (CA) certificate is generated on an external computer, which in turn is used to sign a device certificate that is later uploaded to a NetBurner device.
Pros
- The same CA certificate can be loaded on all computers and used to access all the NetBurner devices without a browser warning.
Cons
- The application must have the ability to receive and store a device certificate. There are examples of this, but it is not as simple as an auto-generated certificate.
- Note
- When a device certificate expires, a new device certificate must be generated and uploaded to the device. However, the CA certificate does not need to be reloaded into the computer and/or browser.
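As an added example (not NetBurner's own tooling), the following POSIX shell script performs the private CA method with OpenSSL: it generates a CA on an external computer, signs a device certificate with it, and puts both an IPv4 address and a .local name in the SAN, so the same certificate also covers the IP-address CN use case listed further down. It assumes OpenSSL 1.1.1 or later; the CA name, device name, IP address and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: a private CA on an external computer signs a device
# certificate whose SAN carries an IPv4 address and an mDNS (.local) name.
# Requires OpenSSL 1.1.1 or later; all names, the IP and the paths are
# constructed placeholders, not NetBurner defaults.
set -eu

# Build ca.crt/ca.key and a CA-signed device.crt/device.key inside $1.
# Returns non-zero if any step, including the final chain check, fails.
make_private_ca_and_device_cert() {
    dir="$1"; mkdir -p "$dir"
    # Minimal req config so the result does not depend on the system openssl.cnf.
    printf '%s\n' "[req]" "distinguished_name=dn" "x509_extensions=ca_ext" \
        "prompt=no" "[dn]" "CN=Example Private CA" "[ca_ext]" \
        "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" > "$dir/req.cnf"
    # 1. Self-signed CA certificate: this is the file installed in browsers.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Device key and CSR (the CSR is also what an outside CA would receive).
    openssl req -new -config "$dir/req.cnf" -subj "/CN=mydevice.local" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
    # 3. Leaf extensions: CA:FALSE, server usage, SAN with IP and .local name.
    printf '%s\n' "basicConstraints=critical,CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=IP:192.168.1.50,DNS:mydevice.local" > "$dir/device.ext"
    # 4. Sign the CSR with the CA; device.crt is what gets uploaded to the device.
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/device.ext" -out "$dir/device.crt" 2>/dev/null
    # 5. Check the chain the way a browser that has ca.crt installed would.
    openssl verify -CAfile "$dir/ca.crt" "$dir/device.crt" >/dev/null
}

# Print the SAN of a certificate, i.e. the names a browser will match against.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}
```

When the device is renamed or re-addressed, only step 3 onward is repeated; ca.crt stays installed in the browsers, which is the point of this method over the self-signed one.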
Outside Certificate Authority Signed Certificate
Similar to the Private Certificate Authority method. In this case the CA certificate comes from a known company and is pre-loaded into the computer and/or web browser. The procedure is more complicated: a certificate request must be generated and sent to the CA, and the CA will in turn send back a device certificate signed by their CA certificate. The device certificate must then be uploaded to the NetBurner device.
Pros
- Computers and/or browsers will already have the CA certificate installed.
Cons
- Each time a device certificate expires, a new certificate must be requested from the outside CA and uploaded to the NetBurner device.
- There may be fees involved to purchase a device certificate.
ACME Client
Automated Certificate Management Environment (ACME) is a protocol that makes it possible to automate the issuance and renewal of certificates by a third-party CA. It is essentially an automated version of the third method above (Outside Certificate Authority Signed Certificate). A key is generated on the NetBurner device, which is used to obtain a device certificate from an ACME-compliant CA server. NetBurner devices currently support Let's Encrypt, which is a free service.
- Note
- The device must be accessible from the outside Internet, and a DNS entry must be established for the device name.
Pros
- Automatically renews.
- Easiest solution.
Cons
- Reliant on the ACME CA used to obtain the certificate.
- Requires that the device be addressed by a name, not an IP address.
Use Cases
Isolated LAN, no Internet access, no DNS or mDNS (.local) capability.
The methods that support an IP address CN are:
- Self Signed Certificate.
- Private Certificate Authority Signed Certificate.
Isolated LAN, no Internet access, accessed via DNS name.
The device certificate CN will be a name, not an IP address.
- Self Signed Certificate.
- Private Certificate Authority Signed Certificate.
- Outside Certificate Authority Signed Certificate.
Isolated LAN, no Internet access, accessed via DNS name, with private ACME server.
The device certificate CN will be a name, not an IP address.
- Self Signed Certificate.
- Private Certificate Authority Signed Certificate.
- Outside Certificate Authority Signed Certificate.
Device can be accessed from the Internet via DNS name
The ACME CA must be able to access the device from the Internet.
- Any of the described methods, including ACME.
Advanced
There are other ways to use ACME, like DNS verification, routable IPv6 addresses, or router port forwarding.