Secure Sockets Layer (SSL) and Web Browsers
When you first use an SSL connection (https) to access groov Manage on a groov EPIC processor from a browser like Chrome, Firefox, or Safari, you’ll likely receive a browser warning like “Your connection is not private” or “Your connection is not secure”.
This issue isn’t specific to groov EPIC processors. Any server (and groov EPICs are servers) you connect to using SSL/TLS needs a Server Certificate installed on it that has been signed by a trusted authority; that signature is what authenticates the server to the browser. (This goes for PCs, computer servers, and even Raspberry Pis.)
This happens because the default Server Certificate installed in the groov EPIC processor at the factory is self-signed by the EPIC itself, which is not considered a trusted authority.
You can accept the browser’s risk message, or make an exception within the browser for each connection, and then access your groov EPIC. However, every subsequent connection to the EPIC from your browser will generate another risk message or option to create an exception.
How can we create a trusted, secure connection between the browser (client) and the groov EPIC processor (server) and avoid risk messages or repeatedly making exceptions?
There are several options:
- Obtain a valid signed Server Certificate from a known, trusted Internet-based Certificate Authority (CA) to authenticate your connections. Examples of these CAs are Comodo, RapidSSL, Symantec, Let's Encrypt, and more. This approach can be both involved and expensive to set up, but once completed, it allows virtually any browser to connect to groov EPIC processors with the signed Server Certificate without risk messages and exceptions.
- Ask your IT administrator about a corporate signing method using your organization’s Certificate Authority. They can create a trusted, signed Server Certificate for your groov EPIC processor. Once installed, anyone logged onto the corporate LAN will have an appropriate Client Certificate that can securely authenticate to your groov EPIC’s Server Certificate. This approach requires working closely with your IT team, but is the quickest and simplest method, if available.
- Create your own personal Certificate Authority on your local filesystem, and use that to create and sign your own Client Certificates for your browsers, and individual Server Certificates for each groov EPIC processor. This approach requires little, if any, IT involvement, and is ideal for smaller scale groov EPIC architectures.
For this tutorial, we will show you how to perform the steps for the last option: creating your own CA signing key, creating Client Certificates and Server Certificates, and uploading appropriate certificates to browser trusted stores and groov EPIC processors so you can secure your connections and avoid browser warning messages.
We highly recommend that the person completing this tutorial possess general knowledge of and experience with the command line in terminal programs like Bash, PuTTY, Terminal on Mac, or others. Experience with a text editor like Notepad, Visual Studio Code, Nano, or any other text editor is also highly recommended.
Before beginning this procedure, we also recommend that you consult with your network administrator and/or IT team to discuss the creation and distribution of these certificates, and determine whether it fits your needs.
Security cannot be boiled down to a series of steps; it must be an ongoing process.
The goals are to create X.509 PKI-based Certificate Authority (CA) signing keys, client certificates, and server certificates for any number of devices that you want to securely connect.
This guide is divided into three sections, one for each goal: the Certificate Authority (CA), the Client Certificate (CC), and the signed Server Certificate (SC). Note that you do the first three steps only once (to set up the initial Certificate Authority and Client Certificate). Once completed, you repeat the last four steps for each groov EPIC processor you want to securely connect to using your browser.
- Step I: Use OpenSSL tools on your Windows, Mac, or Linux computer to create a Certificate Authority (CA) secret key file. This secret key file will be used to authenticate and sign all other required files, and should never be distributed or shared with anyone. This key is protected by a passphrase and should be kept safe and secure.
- Step II: Use OpenSSL tools to create a Client Certificate that you’ll distribute to others.
- Step III: Install the Client Certificate into your operating system’s or browser’s list of trusted authorities on any PCs, mobile devices, or other devices that need secure access to your groov EPIC(s).
- Step IV: Use an ASCII text editor to create a Subject Alternative Name (SAN) extension file which associates a Server Certificate with a specific groov EPIC hostname or static IP address. This file is used during the creation or update of each Server Certificate.
- Step V: Use groov Manage to update the groov EPIC processor’s Certificate Signing Request (CSR) and download it to your PC.
- Step VI: Use OpenSSL tools to sign the CSR file and generate the Server Certificate file for your groov EPIC(s).
- Step VII: Use groov Manage to install the Server Certificate file into your groov EPIC processor and restart your browser to test your secure connection.
To give a broad overview of the moving parts, here is a list of all the files you will download or generate throughout this guide.
These files are associated with the Certificate Authority and Client Certificate (steps I, II & III):
[myCertificateAuthority]-CA.key — The unique, passphrase-protected, secure Certificate Authority (CA) key file used to generate Client and Server Certificates.
[myClientCertificate]-CC.pem — The Client Certificate (CC) file you distribute to clients; it is installed in operating system or browser trusted stores.
[myClientCertificate]-CC.srl — The automatically-generated serial number file associated with the Client Certificate (CC); it is incremented for each Server Certificate you sign.
These files are associated with the Server Certificate (SC) for each individual groov EPIC processor (steps IV-VII):
[myEPIC]-SAN.ext — The extension file used to set the hostname for the Server Certificate; specifically, it sets the Subject Alternative Name (SAN), a critical part of the Server Certificate.
[myEPIC]-CSR.pem — The Certificate Signing Request (CSR) generated by the groov EPIC processor.
[myEPIC]-SC.crt — The Server Certificate (SC) you will upload to the EPIC using groov Manage.
[myEPIC]-PK.pem — The Private Key (PK) downloaded from each groov EPIC processor, needed during the Server Certificate installation using groov Manage.
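To show how the seven steps and the file list above fit together, here is an added example (a POSIX shell script written for this page, not code from the Opto 22 guide or from groov Manage). It produces the files the guide names with OpenSSL 1.1.1 or later: the passphrase-protected CA key (step I), the CA certificate the guide calls the Client Certificate (step II), the SAN extension file (step IV), and the signed Server Certificate with its .srl serial file (step VI). Because steps V and VII happen on the EPIC itself, the EPIC's private key and CSR are stand-ins generated locally, and an openssl verify call stands in for the browser's trust check. It also goes one step beyond the text by verifying a factory-style self-signed certificate against the same CA, which fails in exactly the way that produces the browser warning. The hostname, IP address, passphrase, and name prefixes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Opto 22 guide. Assumes OpenSSL 1.1.1+ on PATH.
# The EPIC's own CSR/private key (steps V, VII) are stand-ins made locally.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_NAME="myCertificateAuthority"       # placeholder prefixes from the file list
CC_NAME="myClientCertificate"
EPIC_NAME="myEPIC"
EPIC_HOST="epic-lab01.example.local"   # constructed hostname for the SAN
EPIC_IP="192.0.2.10"                   # constructed IP (documentation range)
CA_PASS="change-me-ca-passphrase"      # constructed; use a strong passphrase

# Step I: the CA private key, AES-encrypted with the passphrase. It signs
# everything else and never leaves this machine.
make_ca_key() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$WORK/$CA_NAME-CA.key" 4096 2>/dev/null
}

# Step II: the self-signed CA certificate (the guide's "Client Certificate").
# Explicit CA extensions so trust stores and openssl verify accept it as a CA.
make_client_cert() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/$CA_NAME-CA.ext"
    openssl req -new -key "$WORK/$CA_NAME-CA.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$CC_NAME/O=Example Plant" -out "$WORK/$CA_NAME-CA.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$CA_NAME-CA.csr" -signkey "$WORK/$CA_NAME-CA.key" \
        -passin "pass:$CA_PASS" -extfile "$WORK/$CA_NAME-CA.ext" \
        -days 3650 -sha256 -out "$WORK/$CC_NAME-CC.pem" 2>/dev/null
}

# Step IV: the SAN extension file binding the server cert to the EPIC's
# hostname and static IP; the browser checks the SAN against the URL it used.
make_san_ext() {
    cat > "$WORK/$EPIC_NAME-SAN.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$EPIC_HOST,IP:$EPIC_IP
EOF
}

# Stand-in for step V: on a real EPIC, groov Manage generates the private key
# and CSR and you download the CSR; here both are produced locally.
make_stand_in_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$EPIC_NAME-PK.pem" \
        -subj "/CN=$EPIC_HOST" -out "$WORK/$EPIC_NAME-CSR.pem" 2>/dev/null
}

# Step VI: sign the CSR with the CA key, applying the SAN extension file.
# OpenSSL tracks the serial number it issued in the [..]-CC.srl file.
sign_server_cert() {
    openssl x509 -req -in "$WORK/$EPIC_NAME-CSR.pem" \
        -CA "$WORK/$CC_NAME-CC.pem" -CAkey "$WORK/$CA_NAME-CA.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -CAserial "$WORK/$CC_NAME-CC.srl" \
        -extfile "$WORK/$EPIC_NAME-SAN.ext" -days 825 -sha256 \
        -out "$WORK/$EPIC_NAME-SC.crt" 2>/dev/null
}

# Contrast: a factory-style self-signed server cert, which is why a browser
# without the CA in its trust store shows "Your connection is not private".
make_self_signed_server_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/selfsigned-PK.pem" \
        -subj "/CN=$EPIC_HOST" -days 365 -out "$WORK/selfsigned-SC.crt" 2>/dev/null
}

# The check a browser performs once CC.pem is in its trust store: does the
# presented certificate chain to a trusted CA? Prints "ok" or "untrusted".
verify_against_ca() {
    if openssl verify -CAfile "$WORK/$CC_NAME-CC.pem" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}
verify_server_cert() { verify_against_ca "$WORK/$EPIC_NAME-SC.crt"; }
verify_self_signed() { verify_against_ca "$WORK/selfsigned-SC.crt"; }

# The SAN as recorded in the signed certificate, for a visual check.
server_cert_san() {
    openssl x509 -in "$WORK/$EPIC_NAME-SC.crt" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

run_all() {
    make_ca_key; make_client_cert; make_san_ext
    make_stand_in_csr; sign_server_cert; make_self_signed_server_cert
}

run_all
echo "files written to $WORK"
echo "CA-signed server cert: $(verify_server_cert)"
echo "factory-style self-signed cert: $(verify_self_signed)"
echo "SAN: $(server_cert_san)"
```

On a real EPIC you would skip make_stand_in_csr, copy the CSR downloaded from groov Manage to the [myEPIC]-CSR.pem path, and upload the resulting [myEPIC]-SC.crt (with the EPIC's own private key) in step VII. The extension file deliberately sets CA:FALSE and extendedKeyUsage=serverAuth so the certificate you sign can only act as a server certificate, not as another CA.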
This guide was written specifically using Windows 10 Pro (version 10), groov EPIC PR1 firmware version 1.3.2, Chrome 69, Firefox 62, and XCA 2.1.1.
While many older and newer versions may work with this procedure, be aware that there may be some differences in the functionality and interfaces of different versions.