crusader

Reputation: 181

Is it required to have an individual server SSL certificate for each embedded device?

I have an embedded device which runs a web server. I need to integrate the server SSL certificate for the web server. If I have multiple such boxes, is it required to have different SSL for each box?

Upvotes: 1

Views: 804

Answers (2)

You can buy a wildcard certificate say for *.mydevices.mydomain.com, then give each device a name like myRouter1.mydevices.mydomain.com and that's it. Certificate Authorities do sell wildcard certificates, yet they are more expensive (but if you have many devices, this will be cheaper).

You need to consider one thing though - if the certificate's private key leaks from the device in any way (e.g. the device is stolen altogether), you can revoke the certificate. But if you have one certificate shared on all devices, then the leak will invalidate all devices at the same time and you will have to replace the no-longer-valid certificate on all devices.

Upvotes: 3

daveoman

Reputation: 39

Of course, you're going to get an "it depends":

  • If your users require a CA-signed certificate, then you'll have to pay for one for each box and load it some way. Browsers then won't complain...

  • If your users will allow a self-signed certificate, then you can just have the box generate one when it is commissioned. But your users' browsers will complain...

  • If you ship with the same certificate, then it's kind of a security problem for you.

I would build a mechanism in so the user can load a certificate to the box in the field. Then you can satisfy whatever need comes up.

Upvotes: 0
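
One way to do the commissioning-time generation mentioned in the second answer, so that every box holds its own private key and a leak affects only that box. This is an added example, not code from either answerer; the file paths, function names and 825-day lifetime are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: per-device key and self-signed certificate created at commissioning.
# DIR layout, function names and the 825-day lifetime are illustrative assumptions.

# commission_cert DIR HOSTNAME
# Creates DIR/device.key and DIR/device.crt once; later calls leave them untouched.
commission_cert() {
    dir=$1
    name=$2
    key="$dir/device.key"
    crt="$dir/device.crt"

    # Idempotent: a device that already has an identity keeps it across reboots.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        return 0
    fi

    mkdir -p "$dir" || return 1
    old_umask=$(umask)
    umask 077   # the private key must never be group/world readable, even briefly

    # The key is generated on the device itself, so no other box ever holds it.
    # The SAN entry is what browsers match the host name against.
    if ! openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$key.tmp" -out "$crt.tmp" \
            -days 825 -subj "/CN=$name" \
            -addext "subjectAltName=DNS:$name" 2>/dev/null; then
        umask "$old_umask"
        rm -f "$key.tmp" "$crt.tmp"
        return 1
    fi
    umask "$old_umask"

    # Rename only after both files are complete, so a power cut leaves no half identity.
    mv "$key.tmp" "$key" && mv "$crt.tmp" "$crt"
}

# cert_fingerprint DIR
# Prints the SHA-256 fingerprint, e.g. for a label or serial console, so the user
# can compare it with what the browser shows before accepting the certificate.
cert_fingerprint() {
    openssl x509 -in "$1/device.crt" -noout -fingerprint -sha256 | cut -d= -f2
}
```

The same layout works if a CA-signed certificate is later uploaded in the field: replacing `device.key` and `device.crt` on one box does not touch any other.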
