Connect to an Embedded Web Server with Automated Certificate Management

October 15, 2018 Wilfred Nilsen, Real Time Logic

When you create a product containing an embedded web server, you’re faced with the problem of ensuring that your users can easily and securely communicate with your product over a private network, no matter what device or browser they’re using to access it. Existing solutions require that users jump through lengthy technical hoops to set up a Public Key Infrastructure (PKI) solution, or manually bypass uncomfortable warning screens from browsers flagging their connection with your product as untrustworthy or uncertified.

In today’s hyper-connected digital landscape, products containing embedded web servers are reaching a user base with a wider range of technical knowledge, many of whom want to avoid dealing with complex security issues. For these users, it’s necessary to provide a solution that means they’ll never have to think about the problem. Products like SharkTrust, an automated certificate management service, simplify the process of setting up a secure connection with an embedded web server.

HTTP Limitations

Some device makers avoid the certificate-management problem altogether by simply offering an HTTP connection, but that comes with some disadvantages. For example, many companies mandate security even on a private network, especially when critical and sensitive information passes across it. Failing to provide HTTPS might make them hesitant to use your product. Also, many browsers are flagging all HTTP connections as insecure, which means that not only would users be confronted with an uncomfortable message warning them of an insecure connection, but many browser features that rely on HTTPS, such as password managers, won’t work. This can damage your product’s user experience.

Products featuring a self-signed SSL certificate still face problems with modern browsers, which don’t trust these certificates, triggering a warning of an insecure connection. While these warnings can be bypassed, doing so makes the connection essentially an HTTP connection, which limits browser features that rely on HTTPS, resulting in a negative experience.

Purchasing a certificate from a Certificate Authority (CA) is a way for users to have a secure HTTPS connection when communicating with their devices. However, CAs don’t issue certificates for private networks, and this means your users must implement a PKI solution to get one. Existing PKI solutions typically require users to go through a lengthy, technically-challenging setup process, which makes using your product more difficult to use.

With an automated certificate management service like SharkTrust, users will have an easier time setting up your product on their network and securely connecting to it from any device or browser. For starters, your product doesn’t need a manually configured IP address, and instead can connect to the user company’s private network, getting a dynamic IP using DHCP. The device then connects to the online service, registers the private IP address, and downloads the SSL certificate, avoiding manual configuration.

For the user, accessing and connecting with a device is streamlined and comfortable. After connecting to an online web interface, they can access a list of all registered devices on their private network. Securely connecting to a device is as simple as clicking on it in the list.

Wilfred Nilsen, Founder and CTO of Real Time Logic, has 28 years of experience in designing embedded network software. Motivated by a vision of a connected embedded systems, he designed the Barracuda App Server with its suite of secure IoT protocols, tailoring it for the small footprint, real-time needs of embedded microcontrollers and microprocessors.

Previous Article
IAR Systems leads the way for secure IoT development based on Arm TrustZone and Arm Cortex-M

The leading independent Arm tools provider enables companies to go to market early with robust, secure IoT ...

Next White Paper
Strategies for Deploying Xilinx's Zynq UltraScale+ RFSoC
Strategies for Deploying Xilinx's Zynq UltraScale+ RFSoC

On February 21st, 2017, Xilinx® announced the introduction of a new technology called RFSoC with the rather...