I update the firmware on my microcontroller over the air via HTTPS. For this, I generate a download link and write it into my code. However, anyone who reaches this download link can download my firmware and copy it.

Then my question comes up. Is it possible to create a certificate, password, encryption, etc. for my website link? I want only the PC or microcontroller that has the certificate to be able to connect to my website and download the firmware.

Thanks.

  • So, are you asking about client side certificates? They do exist, and they are used. If you have a Certificate Authority you can emit a certificate to a client, install it on the client machine, and if the client machine provides that certificate when browsing to the server (and the web server is configured to allow client certificates) your client should be able to authenticate himself. Do note that: a) I dunno if you have control over the client machine downloading mechanism and b) I assume you have control over the webserver, you can configure it and add the certificate check. – Cleptus Oct 02 '19 at 08:12
  • This is [a related question](https://stackoverflow.com/questions/30954727/client-certificate-authentication) – Cleptus Oct 02 '19 at 08:14
  • Thanks for your answer. But I want my website to be accessible only to my client that has the certificate. Nobody should be able to connect to the website except him. – muhambykar Oct 02 '19 at 09:20
  • And that was exactly what I was trying to explain to you. There are 3 key steps. **a)** The client must provide the certificate to the request (it varies how it is done, web browser, c# code, java code, etc...) **b)** Web server must be configured to allow (in your use case require) client certificates. **c)** Your web server should check the client certificate to make sure it is the desired one. – Cleptus Oct 02 '19 at 09:41
  • @muhambykar the answer is correct, if the server is requiring a client certificate, then only the client having the client certificate (and its private key) would be able to connect. That's what you've asked. So, what exactly is your problem to be solved? You will need to learn multiple tasks to get it all working, such as setting up the web server, generating the client certificates, setting up TLS using the certificates, ... – gusto2 Oct 02 '19 at 09:41
  • Sample [IIS configuration](https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/), relevant step is four. Do note we have no idea if your web server is an IIS. – Cleptus Oct 02 '19 at 09:51

1 Answer

> I want only the PC or microcontroller that has the certificate to be able to connect to my website and download the firmware.

Let's see the commonly used options.

We make a few assumptions:

  • You are using TLS (https).
  • You have control over your web server (apache, nginx, .. whatever).

Basic authentication

The simplest option is using basic authentication. In this option the client sends its username and password as part of the request. Example httpd configuration. For other web servers, just search the documentation.

This is the simplest option and yet secure (while using https).

Downside is that you need to manage the clients' usernames and passwords (if you don't want to share the same credentials between multiple devices).

Client credentials

Client credential is a way to authenticate the client on the transport (SSL) level.

Advantage - you can allow clients access without the server having the client's private key.

Disadvantage - It is a more complex process (you need to create client keypairs, optionally sign them with a certificate authority or trust the certificates explicitly, manage revocations, ...). Example Apache server configuration

Cleptus
gusto2
  • Check my last comment on the OP's question, you could add my linked IIS configuration to the Apache one. – Cleptus Oct 02 '19 at 10:14
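
The client-certificate option from the answer, combined with steps b) and c) from the comments, could look like this on Apache httpd 2.4 with mod_ssl. This is an added example, not configuration from the answer or the comments; the host name, file paths and the device common name `device-001` are placeholders.

```apache
# Added example (Apache httpd 2.4 + mod_ssl). Host name, paths and the
# device CN are assumed placeholders, not values from the question.
<VirtualHost *:443>
    ServerName firmware.example.com

    SSLEngine on
    # The server's own identity, verified by the microcontroller.
    SSLCertificateFile    /etc/ssl/firmware/server.crt
    SSLCertificateKeyFile /etc/ssl/firmware/server.key

    # Step b) require a client certificate in the TLS handshake.
    # Set at virtual-host level so the check happens in the initial
    # handshake instead of a per-directory renegotiation.
    SSLVerifyClient require
    # Depth 1: the device certificate must be signed directly by the CA below.
    SSLVerifyDepth  1
    # Private CA that issues device certificates; nothing else is accepted.
    SSLCACertificateFile /etc/ssl/firmware/device-ca.crt

    # Revocation: reject device certificates listed in the CA's CRL,
    # e.g. after a device is lost or its key is extracted.
    SSLCARevocationCheck leaf
    SSLCARevocationFile  /etc/ssl/firmware/device-ca.crl

    <Location "/firmware/">
        # Step c) make sure it is the desired certificate, not just any
        # certificate from the CA.
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_CN} == 'device-001'"
    </Location>

    # Record which device certificate downloaded which file.
    CustomLog logs/firmware_access.log "%h %t \"%r\" %>s %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_M_SERIAL}x"
</VirtualHost>
```

Step a) is on the device side: the microcontroller's HTTPS client has to be given the device certificate and its private key, and a client that presents no certificate, or one from another CA, fails the TLS handshake before any request for the firmware is served.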