A PKI is not needed. Using an existing public PKI is obviously out of the question for Swisscom anyway. What's needed is just self-signed certificates here - a couple of lines of openssl script just to have a default one, and even if it's the exact same cert on all boxes it's not a problem. This way, you get an alert the first time you browse to it, and trust that certificate. If another one is suddenly presented through a MITM attack, it's immediately noticeable as the browser would alert again. But once this is put in place, adding the ability for users to paste their own certificate (.crt and .key) in base64 form would be very easy, just a change to the user interface. Users could then decide to use Let's Encrypt or their own PKI, etc. Just like Fritz!Box in fact 🙂
Importing your own certificate to the FRITZ!Box
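An added example, not code from the post or from Swisscom: the default self-signed certificate the post says a few openssl lines can produce, plus the trust-on-first-use check it describes the browser doing (remember the fingerprint on first contact, raise an alert if a different certificate shows up later), written as a POSIX shell script. The hostname internet-box.home and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: a default self-signed certificate for a
# box's admin interface plus a trust-on-first-use (TOFU) check of its fingerprint.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # assumed scratch directory for key, cert, pin
HOST="internet-box.home"            # assumed hostname of the box's web interface

# The "couple of lines of openssl" the post mentions: a 10-year self-signed cert.
# Shipping the same default cert on every box is fine here; the protection comes
# from the browser (or this script) remembering it, not from who issued it.
make_default_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Trust on first use, as the post describes for the browser:
#  - first contact: store the fingerprint ("trust that certificate")
#  - later contacts: compare; a different cert is reported and rejected
# $1 = certificate presented by the box, $2 = pin file. Returns 1 on mismatch.
tofu_check() {
  presented="$(cert_fingerprint "$1")"
  if [ ! -s "$2" ]; then
    printf '%s\n' "$presented" > "$2"
    echo "first use: pinned $presented"
    return 0
  fi
  pinned="$(cat "$2")"
  if [ "$presented" = "$pinned" ]; then
    echo "ok: certificate matches the pinned fingerprint"
    return 0
  fi
  echo "ALERT: presented $presented differs from pinned $pinned" >&2
  return 1
}

# Demo: generate the default cert, pin it on first contact, verify on the second.
make_default_cert
tofu_check "$WORK/server.crt" "$WORK/pin"
tofu_check "$WORK/server.crt" "$WORK/pin"
```

Pasting a user-supplied .crt and .key in place of server.crt and server.key, as the post suggests for the UI, changes nothing in the check: the browser simply pins the new fingerprint on the next first contact.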