0

The cause that triggered this question is my smart devices. I bought a batch of smart devices for my home a few years ago, then the supplier has released new products and no longer supports the old products. The devices are still very new, and the cost to renew these equipments is high, so I hope to continue using these devices by myself.

A local development environment is built to check the problem. It includes a DNS server and several fake HTTPS server. The gateway accessed my fake HTTPS server as expected, but it immediately interrupted the handshake. Wireshake captured the traffic, the client refused to accept server certificate at ClientHello step of TLS handshake.

    Frame 205: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface \Device\NPF_{02345980-BC21-5641-123D-895432769A33}, id 0
    Ethernet II, Src: 00:12:34:46:04:d2, Dst: 00:12:34:8e:ad:0a
    Internet Protocol Version 4, Src: 192.168.1.183, Dst: 192.168.1.104
    Transmission Control Protocol, Src Port: 47813, Dst Port: 443, Seq: 240, Ack: 985, Len: 7
    Transport Layer Security
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Certificate Unknown (46)

The private key and the certificate for my fake HTTPS server is generated by myself, same as the guide from: How do you sign a Certificate Signing Request with your Certification Authority?

Generally speaking, if the HTTPS client allows to install own certificate, the problem can be solved, but most smart devices are cutting system that cannot to support certificate installation function at all, then there is no way to make self-signed certificate effective.

So my question is, is there any way to build own CA system in local development environment? For example, is it possible to find any expired CA private key to generate trusted certificate just in local development environment with some limitation, such as only valid on past time?

Any suggestions are welcome.

debug2020
  • 1
  • 1
  • You mixed up some concepts. First thing first: if the certificate on your device is signed by an external CA (not yours) and you cannot replace the certificate on the device, then **you cannot do anything at all**. SuperSimple Explanation: a certificate is signed by CA using _private key_ and in your certificate store you don't have the private key of external CA. You can try to setup the device date prior to expired date. – Max Sep 13 '21 at 10:39
  • As far as I know globally trusted CAs (at least some of them) offer certificates for intranet networks. You can try this way. – Alexey R. Sep 13 '21 at 12:48
  • @Max You are right in theory. But there is no certificate on the device, the device is just check the certificate whether match the server name according to CA architecture. This architecture is to keep secure in real system but it makes debug much inconvenience. The problem is actually there, that's why I am looking for a solution. – debug2020 Sep 14 '21 at 10:41
  • @Alexey Thanks for your suggestion. Are you mean globally trusted CA can offer certificates for intranet networks? For example, a fake server can be named as www.microsoft.com with a certificate from trusted CA if the server has private IP subnet. is it correct? I will contact CA for a test certificate. – debug2020 Sep 14 '21 at 10:53
  • @Max Add one word, the smart devices are not working not caused by the verdor's certificate expired, but the vendor shutdown there services for old products in their server. I heve to trace the traffic and hope to simulate their server. The difficult is HTTPS communication cannot be decrypted/analyzed. – debug2020 Sep 14 '21 at 11:08
  • You say that there is no certificate on the device. I say that without a certificate there are no encrypted (https) communications. [See this](https://www.youtube.com/watch?v=sEkw8ZcxtFk) – Max Sep 14 '21 at 12:09
  • @Max Thanks for your kindly information of HTTPS tutorial. When we talk about the certificate, we are not talking same thing. Yes, the device must have certificate(s), which of root CA(Certificate Authority). The device does not have the certificate of real server. The certificate of real servers only have one year valid period, it is unreasonable to store it in the devices. The private key of root CA is not possible to get, but maybe one of the lower-level CAs has leaked an expired private key, then we have chance to make our test environment. – debug2020 Sep 14 '21 at 19:36

0 Answers0