[OT] IoT security: legit SSL certificates for intranet devices?

So here's my issue, and as I see it a major issue for IoT devices in general that are not exposed to the internet:

To provide secure communication, a device needs an SSL cert. Need this for HTTPS, secure websockets, etc. Problem is that browsers have declared war on self-signed certificates and even unrecognized CAs (so much for using mkcert). So then yes, you can use Let's Encrypt, but that requires exposing your device to the internet...and that's a no-go in most customer environments, especially when there's no internet to connect to. But it's also crap to transmit everything in plain text, including passwords, as rogue devices on the intranet could be listening.

Requiring users to add a custom CA (a la mkcert) to their trusted CAs is way too advanced for the lay user and isn't going to work either.

Has anyone else been faced with this, and if so, what did you do? Right now it looks like plaintext HTTP and unencrypted websockets...

TIA, Jake

Good news - no, it doesn't!! Well, maybe.

Have a look at their ACME v2 API; it provides an alternative using secure DNS configuration.

The downside is that you need to be using the right kind of DNS service. Thankfully a number of DNS providers have this feature, including Cloudflare, which I use.

The alternative is to set up your own mini PKI (Public Key Infrastructure - the toolset that creates and manages certificates). This can be as simple as creating not just the cert you need but also a root cert and then distributing the public part of the root cert to all devices that need to validate certificates from your IoT devices. I think you already know that. Of course, you can get more sophisticated toolchains - I'm a bit rusty on all of that these days I'm afraid.

Just be warned that this route comes with a very steep learning curve if you need to be able to rely on the security. You should find some tutorials on the Internet, though. It is also a pain to have to distribute and install the root certs everywhere, as you've said. But once done, it's done - until you need to update them.

There are various methods to support the deployment of certs which can take the pain away from the users. However, you would need to share a fair bit more about the setup that you have for me to try and help with more detail (or at least some pointers).
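The "mini PKI" the reply describes (a root cert whose public part is distributed to clients, plus per-device certs signed by it), as an added worked example that is not code from either poster. It uses only the openssl CLI and assumes openssl 1.1.1 or later on PATH; the device name gateway.iot.lan, the address 192.168.1.50 and the "Example IoT Root CA" subject are hypothetical. It also shows the check a client performs with the distributed root, and why a rogue device on the LAN presenting its own self-signed cert for the same name is rejected.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private PKI for intranet
# IoT devices built with the openssl CLI. Assumes openssl 1.1.1+ on PATH.
# The device name gateway.iot.lan / 192.168.1.50 is hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Config for the CSRs and the root. [dn] is empty because every subject
# is passed with -subj; v3_ca marks the root as a CA that only signs certs.
write_openssl_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA: long-lived; root.key stays on the offline signing machine and
# only root.crt (the public part) is installed on clients.
make_root_ca() {
  write_openssl_config
  openssl req -x509 -new -sha256 -days 3650 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/pki.cnf" -extensions v3_ca \
    -subj "/CN=Example IoT Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Device cert: short-lived, with subjectAltName for DNS name and IP, since
# browsers match the SAN and ignore the CN.
# $1 = DNS name  $2 = IP address  $3 = output basename under $WORK
make_device_cert() {
  name="$1"; ip="$2"; base="$WORK/$3"
  openssl req -new -sha256 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -config "$WORK/pki.cnf" -subj "/CN=$name" \
    -keyout "$base.key" -out "$base.csr" 2>/dev/null
  # Extensions are imposed by the CA at signing time, never copied from the CSR.
  cat > "$base.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name, IP:$ip
EOF
  openssl x509 -req -sha256 -days 397 -in "$base.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# A rogue device on the LAN: a self-signed cert claiming the same names.
make_impostor_cert() {
  name="$1"; ip="$2"; base="$WORK/$3"
  openssl req -x509 -new -sha256 -days 397 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/pki.cnf" -subj "/CN=$name" \
    -addext "subjectAltName=DNS:$name,IP:$ip" \
    -keyout "$base.key" -out "$base.crt" 2>/dev/null
}

# What a client with the distributed root does: build the chain to root.crt
# and check the name it dialled against the SAN. Exit status 0 = trusted.
verify_by_dns() {  # $1 = cert basename  $2 = hostname the client dialled
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}
verify_by_ip() {   # $1 = cert basename  $2 = IP the client dialled
  openssl verify -CAfile "$WORK/root.crt" -verify_ip "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

main() {
  make_root_ca
  make_device_cert gateway.iot.lan 192.168.1.50 gateway
  make_impostor_cert gateway.iot.lan 192.168.1.50 impostor
  for t in "gateway gateway.iot.lan" "gateway other.iot.lan" "impostor gateway.iot.lan"; do
    set -- $t
    if verify_by_dns "$1" "$2"; then echo "trusted:  $1.crt as $2"
    else echo "REJECTED: $1.crt as $2"; fi
  done
  echo "install $WORK/root.crt on clients; $WORK/gateway.crt and .key go on the device"
}
main
```

The root key is the part that needs protecting: anyone who holds it can mint a cert for any intranet name that every client will accept, which is exactly the "rogue device" case the question worries about. Re-issuing the short-lived device certs is a routine job; replacing the root means touching every client again, which is the "until you need to update them" caveat above.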