I have an app with an embedded webserver. This webserver can now do SSL via the OpenSSL package :)

Now to the cert issue. This app is sold, which I say because it's not just sitting on a server I own -- it gets installed on thousands of computers. I want my customers to be safe so I want them to use SSL as painlessly as possible. Right now we create our own CA, then create self-signed certs. This means all of our customers (and their users) need to either install their custom, installation-specific CA, or live with the untrusted root warning from the cert, neither of which are appealing.

How to get around that?

We either need to:

  1. Make it dead-simple to install our CA (which browsers purposely make quite hard -- lots of scary warning dialogs)
  2. Somehow get all of those customer certs legitimately signed by a browser recognized CA.
  3. Force the customer to go buy their own cert and install it

I don't see how we'll do #1, so we're looking at #2. #3 is pretty much out of the question.

It occurs to us that we could just buy an SSL cert, and ship it with our product -- yes, everyone is using the same cert, and the cert and private key could/would be leaked into the public domain... hmmm... Probably don't want our name on that for liability's sake...

I guess the problem is that we're working against the purpose of CAs in the first place. Any thoughts on how to make this easy and safe for the user? (Assume man-in-the-middle attacks aren't a concern -- has one ever actually been documented??)

+1  A: 

There is no simple, easy solution to this. If this was easily solved, the security of the SSL certificate system would be poor.

As you said, your choices are limited as to how to avoid the browser warnings. Each approach might be good depending on the application.

1. Install root CA on client browsers

This is a reasonable solution if the application is used internally or if the clients are expected to install something to use the application. This is probably also the lowest cost solution since no extra expense is necessary. However, if the application is going to be used by the population at large, then this isn't a reasonable solution.

2. Buy a commercial root CA signed certificate

If your application is open to the internet, this is most likely required. However, if you're selling the application rather than simply offering its services, this might not be good for liability reasons as you mentioned.

3. Get customer to buy their own commercial root CA signed certificate

If your application is being sold to be used by clients, this is probably reasonable. You can offer the application using a self-signed certificate as a base option, and let your clients use their own certificate if they wish. Many companies already have SSL certificates for their sites.

Ben S
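The per-installation CA setup the question describes as its current practice (and option 1 in the answer), as an added example that is not code from either poster: it creates an installation-specific CA, issues the embedded server's certificate from it, and then runs the two checks that show why the browser warns. The hostname, output directory and subject names are placeholders; it assumes openssl(1) is on PATH.

```shell
#!/bin/sh
# Added example: one private CA per installation plus a server certificate
# signed by it, with verification against (a) that CA and (b) the system
# trust store. Hostnames and paths are placeholders; requires openssl(1).
set -eu

# Create the installation CA and a server certificate for $2 under $1.
# A fresh CA key per install means a leaked key affects only that customer,
# unlike one certificate shipped inside every copy of the product.
make_install_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Installation-specific CA (self-signed, 10 years)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example App Installation CA ($host)" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Server key and signing request
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  # Browsers match the subjectAltName, not just the CN, so add it explicitly
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/san.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# Succeeds when cert $1 chains to CA file $2: what a browser sees once the
# customer has imported the installation CA.
verify_against_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Succeeds only when cert $1 chains to a root in the system trust store:
# what a browser checks by default, and why an untrusted-root warning appears.
verify_against_system() { openssl verify "$1" >/dev/null 2>&1; }

# Stand-alone run: write one installation's certificates to a temp directory
out="$(mktemp -d)"
make_install_certs "$out" "app.customer.example"
verify_against_ca "$out/server.crt" "$out/ca.crt" && echo "chains to installation CA: yes"
verify_against_system "$out/server.crt" || echo "chains to system trust store: no (browser will warn)"
```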