indiv

Reputation: 17866

Certificates for SSL-enabled embedded systems

I have an embedded system that I expect to be in use for the next 15 years or so, and it has an HTTPS-based administration console. From what I understand:

Is there any way to have a long-life certificate so browsers won't complain, or is it necessary to release new firmware every time the certificate expires over the life of the product? Or provide a way for the users to load a new certificate?

Upvotes: 13

Views: 4314

Answers (2)

President James K. Polk

Reputation: 42010

This could be one of the rare cases where a self-signed certificate is the correct approach. How many people will need to administer the box? I would think few, and part of the deployment of the box would be to have the certificate installed into the truststore of the administrator's browser.

Upvotes: 4

Paul McMillan

Reputation: 20117

GeoTrust issues certs for up to 6 years.

I would probably build a firmware update mechanism in anyway in case your issuer (or someone along the line) is compromised and gets added to the Certificate Revocation List.

Is your device expected to be connected to the internet? Building a re-issue process so that it can get a new, trusted cert every few years via the network shouldn't be too hard.

If your security model would allow you to use a self-signed cert, have you considered why you are encrypting the communication at all? A non-trusted cert (and teaching users to ignore the warning) is as bad as (or worse than) no encryption at all in many cases.

As an aside, I really hope you're not planning on rolling out the exact same cert to every device you construct. If so, and you have a download process that makes the cert available to the general public via firmware updates, you're back to square 1 of having communications easily spoofed.

Upvotes: 2
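
The two answers above (a self-signed certificate installed into the administrator's truststore, and not shipping the same cert on every device) combine into per-device key generation at first boot. The sketch below is an added example, not code from either answer; it assumes OpenSSL 1.1.1 or later, and the function names, paths and hostnames are hypothetical.

```shell
#!/bin/sh
# Added example: per-device self-signed certificate, generated on the device
# at first boot so that no two units share a private key.
# Assumes OpenSSL 1.1.1+ (needed for -addext). All names are hypothetical.

# Validity in days; ~15 years matches the product lifetime in the question.
# Some TLS clients enforce a shorter maximum lifetime, so keep it tunable.
DAYS="${DAYS:-5475}"

# gen_device_cert <serial> <hostname> <outdir>
gen_device_cert() {
    serial="$1"; host="$2"; out="$3"
    mkdir -p "$out" || return 1
    # Never overwrite an existing key: the administrator's trust is tied to it.
    if [ -f "$out/device.key" ]; then
        return 0
    fi
    (
        umask 077   # private key readable by its owner only
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -sha256 -days "$DAYS" \
            -subj "/CN=$host/serialNumber=$serial" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$out/device.key" -out "$out/device.crt" 2>/dev/null
    )
}

# cert_fingerprint <certfile>
# SHA-256 fingerprint for the administrator to compare out of band
# (printed label, serial console) before importing into the truststore.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# expires_within <certfile> <seconds>
# Returns 0 when the certificate expires inside the window, so the admin
# console can warn well before the browser starts to.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Comparing the fingerprint before import is what separates this from training users to click through a warning.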
