Hi, I'm working on an embedded device that makes heavy use of SSL. The primary use of SSL is for authentication: users need to make sure that they are talking to the correct device. As a result, each device has a few SSL certificates that are created, signed and written to the device during manufacturing.

With the certificates being signed in the factory, the common name for the HTTPS certificate is just '<product name> <serial number> HTTPS'. However, doing this results in a 'Domain Name Mismatch' with Firefox and a rather scary (for users) looking warning with the words "We recommend that you close this webpage and do not continue to this website" from IE7. So I need to do something to make the web browser happy, because right now it really confuses people.

I was wondering what is the proper way to deal with this issue? A few of the embedded devices that I've played around with all seem to be using self-signed HTTPS certificates. This won't work for our application, because non-browser software that uses the HTTPS interface wants to be able to authenticate that it is talking to the correct device, so the HTTPS cert needs to have trust back to our root cert.

Right now, I'm leaning towards having a per-device certificate that is signed by our CA and then at runtime re-signing the HTTPS certificate, using the per-device certificate, with the updated subject line. It seems silly that the browser is putting so much trust into DNS or an IP address. I'm hoping someone knows of a better solution to this problem.

Also, do common web browsers support having multiple possible common name entries in a subject? Most of the devices won't have DNS names, but in the rare case that they do, I'd like to have the browser not complain about using either the IP or the common name.

Thanks,
Clem

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
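The name check that produces the "Domain Name Mismatch" warning follows the RFC 2818/6125 rules: the browser compares the URL's host against the certificate's subjectAltName entries (dNSName for names, iPAddress for IP literals), and falls back to the subject CN only when the certificate carries no dNSName SAN at all. The following is an added example, not code from the original post, that implements those rules over two constructed certificates in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`: a factory-style certificate whose CN is `<product> <serial> HTTPS`, and a per-device certificate that instead lists both a DNS name and an IP address in the SAN. The product name, serial number, hostname and address are all invented for the example.

```python
import ipaddress

# Constructed sample certificates (not real devices) in the layout that
# ssl.SSLSocket.getpeercert() returns. The factory cert has only a CN;
# the per-device cert also carries DNS and IP entries in subjectAltName.
FACTORY_CERT = {
    "subject": ((("commonName", "ExampleBox 000123 HTTPS"),),),
}
DEVICE_CERT = {
    "subject": ((("commonName", "ExampleBox 000123 HTTPS"),),),
    "subjectAltName": (
        ("DNS", "box-000123.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, host):
    """RFC 6125 style compare: case-insensitive, '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.example.net' must not match 'example.net' or 'a.b.example.net'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, host):
    """Return True if `host` (a DNS name or an IP literal) is valid for `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries;
        # the CN is never consulted, so a CN-only cert always fails here.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    dns_names = [v for t, v in sans if t == "DNS"]
    if dns_names:
        # Once dNSName entries exist, the CN is ignored entirely.
        return any(_dns_match(p, host) for p in dns_names)
    # Legacy fallback: CN is used only when there is no dNSName SAN at all.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)
```

With this logic the factory certificate fails for both the IP and the DNS name, while the single per-device certificate passes for either, which is the behaviour the question about "multiple common names" is really after.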