## Server certificate investigations
Last week the investigation into the Proemion server certificate expiration continued. This issue has been around for quite a few months now and has raised some questions again recently.
The short background is that our Proemion servers run with certificates that are used to set up secure connections between our Proemion devices, such as the CANlink mobile 3000, and the server.
Currently there are three different certificates in use on the server: a root certificate from a third-party authority we trust, an intermediate certificate that is signed by that root certificate, and the eventual server certificate, which is issued under the intermediate certificate. For a secure connection the complete certificate chain needs to be verified. The server certificate itself is not stored on our Proemion devices; the server sends it during connection setup so that the device can verify it. The server certificate is therefore not part of this investigation, only the intermediate and root certificates, since they are stored on the Proemion devices.
Currently we have two main issues that we need to clarify, namely certificate expiration and certificate replacement.
### Certificate expiration and replacement
Currently our Proemion devices are only capable of verifying against the root certificate that is installed on the Proemion server, and they recognize no root certificate other than that exact one. We also currently have no means of updating our devices to recognize other root certificates.
When using a normal laptop with a browser like Google Chrome, or an Android phone, you are usually able to verify your secure connection against several root certificates from different authorities. These client-side certificate stores on your laptop or phone are also updated regularly.
Since our Proemion devices can only verify against a single root certificate, an issue arises when the server-side certificates are no longer valid. The currently used intermediate certificate expires in March 2023, which is the biggest concern. The root certificate expires in 2031, which gives us some additional time for further investigation.
The first proposed solution from a few months back, disabling the date check on the Proemion device side so that the expired certificate dates are ignored, is no longer considered a valid solution. It would mean running our Proemion servers with invalid certificates, which is considered a security risk.
### Current action points
Currently Fatma is doing a lot of testing to see whether the intermediate certificate expiring in March 2023 is actually an issue for us, or whether replacing that certificate would cause any problems. As of now it seems we do not have an issue with the March 2023 expiration of the intermediate certificate, since the server sends that certificate to the clients, our Proemion devices, and a replacement intermediate can be sent the same way.
The expiration of the root certificate in 2031 is a bigger issue. Once that root certificate is exchanged for a new one, our devices will no longer be able to set up a connection to the Proemion servers. This is because the root certificate used for verification is currently hard-coded into the firmware of our devices, and no other root certificate will be accepted by the devices.
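As an added illustration (not Proemion code or device firmware), the OpenSSL script below models how the device verifies a connection: it trusts exactly one pinned root and validates the intermediate and server certificate the server presents. It shows the two situations described above: an expired intermediate is fixed by the server sending a new one issued by the same root, while a chain under a replaced root is rejected. All file and certificate names are constructed placeholders, and the 400-day offset stands in for the March 2023 expiry date.

```shell
#!/bin/sh
# Added illustration (not Proemion code). Assumes OpenSSL in PATH; all
# names (root_a, int_a, ...) are constructed placeholders in a temp dir.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root: $1 file prefix, $2 CN, $3 validity in days
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
# Issued certificate: $1 prefix, $2 CN, $3 issuer prefix, $4 validity in
# days, $5 CA flag (TRUE for an intermediate, FALSE for a server cert)
mk_signed() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:%s\n' "$5" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days "$4" -sha256 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}
# What the device does: trust exactly one pinned root ($1) and validate the
# intermediate ($2) and server cert ($3) the server presents, as of time $4.
device_verify() {
  openssl verify -attime "$4" -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

NOW=$(date +%s)
LATER=$((NOW + 400 * 86400))   # a date after the first intermediate expired
mk_root   root_a "Pinned Root A"   3650
mk_signed int_a  "Intermediate A1" root_a 365  TRUE   # expires in one year
mk_signed srv_a  server.example    int_a  3650 FALSE  # long-lived for the demo
mk_signed int_b  "Intermediate A2" root_a 3650 TRUE   # replacement, same root
mk_signed srv_b  server.example    int_b  3650 FALSE
mk_root   root_b "New Root B"      3650               # a replaced root
mk_signed int_c  "Intermediate B1" root_b 3650 TRUE
mk_signed srv_c  server.example    int_c  3650 FALSE

# Returns 0 only if all four cases behave as the text describes
check_cases() {
  device_verify root_a.pem int_a.pem srv_a.pem "$NOW"     || return 1  # chain valid today
  ! device_verify root_a.pem int_a.pem srv_a.pem "$LATER" || return 1  # intermediate expired
  device_verify root_a.pem int_b.pem srv_b.pem "$LATER"   || return 1  # new intermediate, same root: ok
  ! device_verify root_a.pem int_c.pem srv_c.pem "$NOW"   || return 1  # root replaced: device rejects
}
check_cases && echo "all four cases behave as described"
```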
A big thank you to Fatma and Gabor for putting all the effort into clarifying and testing the proposed solutions!