NetBurner 3.5.0
Certificate Issuer Decision Matrix

Definitions

  • NB: NetBurner Device
  • CA: Certificate Authority
  • CN: Common Name and/or Subject Alternative Name

Naming Options

  • mDNS (.local)
  • IPv4 or IPv6
  • DNS name

Types of Certificate Issuers

Self Signed Certificate

The certificate is auto-generated by a NetBurner device and is its own CA.

Pros

  • Simple solution for a single NetBurner device accessed by one or two computers.
  • To avoid a browser warning message, the certificate must be downloaded from the NetBurner device and installed in every computer and/or browser that accesses the device.
  • When a certificate expires, a new certificate will be automatically generated.

Cons

  • Multiple NetBurner devices and/or computers: each device has its own unique certificate, and each device's certificate must be downloaded and installed into every computer that needs access.
Note
When a certificate expires or the IP address/name changes, the new certificate must be downloaded from the NetBurner device and installed in the computer and/or browser.
If the name.local feature can be used (e.g. MyDevice.local), the certificate loaded in the computer/browser will still be valid (no need to upload a new one). In order to use local names, the auto-generation must be configured to use local names.

Private Certificate Authority Signed Certificate

A Certificate Authority (CA) certificate is generated on an external computer, which in turn is used to sign a device certificate that is later uploaded to a NetBurner device.

Pros

  • The same CA certificate can be loaded on all computers and used to access all the NetBurner devices without a browser warning.

Cons

  • The application must have the ability to receive and store a device certificate. Examples of this exist, but it is not as simple as an auto-generated certificate.
Note
When a device certificate expires, a new device certificate must be generated and uploaded to the device. However, the CA certificate does not need to be reloaded into the computer and/or browser.

Outside Certificate Authority Signed Certificate

Similar to the Private Certificate method, but in this case the CA certificate comes from a known company and is pre-loaded into the computer and/or web browser. The procedure is more complicated: a certificate request must be generated and sent to the CA, and the CA will in turn send back a device certificate signed by its CA certificate. The device certificate must then be uploaded to the NetBurner device.

Pros

  • Computers and/or browsers will already have the CA certificate installed.

Cons

  • Each time a device certificate expires, a new certificate must be requested from the outside CA and uploaded to the NetBurner device.
  • There may be fees involved to purchase a device certificate.

ACME Client

Automated Certificate Management Environment (ACME) is a protocol that makes it possible to automate the issuance and renewal of certificates by a third-party CA. It is essentially an automated version of the Outside Certificate Authority Signed Certificate method. A key is generated on the NetBurner device, which is used to obtain a device certificate from an ACME-compliant CA server. NetBurner devices currently support Let's Encrypt, which is a free service.

Note
The device must be accessible from the outside Internet. This requires a DNS entry to be established for the device name.

Pros

  • Automatically renews.
  • Easiest solution.

Cons

  • Reliant on the ACME CA used to obtain the certificate.
  • Requires that the device have a name, not an IP address.

Use Cases

Isolated LAN, no Internet access, no DNS or mDNS (.local) capability.

The methods that support an IP address CN are:

  • Self Signed Certificate.
  • Private Certificate Authority Signed Certificate.

Isolated LAN, no Internet access, accessed via DNS name.

The device certificate CN will be a name, not an IP address.

  • Self Signed Certificate.
  • Private Certificate Authority Signed Certificate.
  • Outside Certificate Authority Signed Certificate.

Isolated LAN, no Internet access, accessed via DNS name, with private ACME server.

The device certificate CN will be a name, not an IP address.

  • Self Signed Certificate.
  • Private Certificate Authority Signed Certificate.
  • Outside Certificate Authority Signed Certificate.

Device can be accessed from the Internet via DNS name.

The ACME CA must be able to access the device from the Internet.

  • Any of the described methods, including ACME.

Advanced

There are other ways to use ACME, like DNS verification, routable IPv6 addresses, or router port forwarding.