Communication with device which has only a self-signed certificate

Hello together

I am new to OpenHAB and I am interested in writing an OpenHAB add-on that allows OpenHAB to read and write values from my device via the REST API provided by my device.

The communication should be over HTTPS. Since my device runs in a local network and has no connection to the internet (OpenHAB also runs in this local network) my device can only provide a self-signed certificate.

Now my question: Would OpenHAB be able to access the REST API from my device despite a non-certified SSL certificate? If yes, are there any examples or documentation? I couldn’t find anything concrete so far and would be very grateful for your help!

Kind regards

Have a look to Java connection to HTTPS with self signed cert . From that what I read in that thread it looks like it is what you are looking for.

I’m all for defence in depth but given this, what treat are to trying to mitigate here? Are you worried about people on your LAN sniffing the traffic between your device and OH?

If you don’t have a concrete answer to that question, and since you control both ends of the connection, maybe http is an ok way to go and you can save yourself a lot of headache.

Anyway, if I understood what was discussed in the thread @Wolfgang_S linked to, an alternative approach would be to create a CA and add the CA’s public key to the certificate trust store for the Java running OH. Then create and sign a CSR for your device’s certificate.

Since Java is configured to trust certificates signed by your CA, it will trust the certificate from your device.

That’s basically how LetsEncrypt and all other CAs work. Your OS/browser had a list of CAs that it trusts and if it sees a certificate signed by a trusted CA, it trusts it too.

Thank you very much for your quick answers, ideas and references!

I will take a close look at the approaches.

@rlkoshak: Yes, that is exactly the case I need to cover. The data must also be protected when a person gets access to the communication on the LAN.