Indigo Web Server Certificates

Displaying web content in a secure format using HTTPS requires a security certificate for the site your browser is connected to. These certificates are typically reviewed and signed by a third party authority to ensure they're legitimate. Indigo's certificate is “self-signed”, which means that it hasn't been reviewed by a third party. We must use a self-signed certificate because it isn't possible to have an authority-signed certificate for a local server name (localhost or 127.0.0.1) that doesn't have its own domain name.

Appropriately, your browser will warn you that a security certificate is self-signed and require you to intervene in order to display the requested content. You can choose to respond to this warning each time it appears, or you can tell your browser to trust the certificate – which will typically silence these warnings.

Only local or direct access to the Indigo Web Server will use the self-signed certificate (if HTTPS is enabled in the Start Local Server dialog). The Indigo reflector doesn't use the local certificate; the reflector service has its own valid certificate from a third-party Certification Authority.

WARNING!!! Be careful when using the steps described below – trusting a self-signed certificate tells your browser that the site you're connected to is secure and trustworthy.

Indigo's Certificate and Public Key

For each of the following examples, the associated certificate (and public key) can be found in the Indigo folder tree at ../Web Assets/cert/indigo-cert.pem and ../Web Assets/cert/indigo-key.pem beginning with Indigo 2024.1 (and in later versions).

Different browsers handle security certificates in slightly different ways, and your method may differ from those listed below depending on the OS and application versions you're using.

Safari MacOS

Note for users who have upgraded to Sequoia (macOS 15): Apple has replaced the default application for managing passwords with the Passwords app and moved the Keychain Access app to a system folder. The Keychain Access app is most easily found by opening Spotlight Search and searching for “Keychain Access.app”. You can also reach it by browsing to /System/Library/CoreServices/Applications/Keychain Access.app.

  1. Open Keychain.
  2. From the `File` menu, select `Import Items…`.
  3. Point to ../Web Assets/cert/indigo-cert.pem and select 'Open'.
  4. The security certificate will be added to the 'Login' keychain.
  5. Keychain will mark the certificate with a warning that “This certificate has not been verified by a third party.”
  6. Double-click the certificate to open its info pane.
  7. Maximize the Trust settings and find “When using this certificate:” and select “Always Trust”.
  8. Keychain should require a password to save the change.
  9. You may need to click away from the certificate and then re-select it for the updated settings to be displayed in the Keychain list.

Safari iOS and iPadOS

iOS and iPadOS will report that “This Connection is Not Private”. This is the way it reacts to insecure websites (which is great) but also how it reacts to sites with a self-signed certificate.

  1. On your Mac, browse to the certificate file at ../Web Assets/cert/indigo-cert.pem.
  2. Click on the certificate, select “Share”, and use AirDrop to share it to your device.
  3. On the device, if prompted, select the device you want to install the profile on (e.g., iPhone, Apple Watch, etc.)
  4. iOS should respond by saying, “Profile Downloaded”. You can close the notification.
  5. Open the Settings app.
  6. Near the top of the main screen, there should be an item, “Profile Downloaded”.
  7. Click the downloaded profile, review its contents, and then select “Install”.
  8. Enter your passcode.
  9. You will be warned, “The authenticity of “Indigo Domotics” cannot be verified.”
  10. Select “Install”, and then select “Install”.
  11. Select “Done”.

Under “VPN & Device Management”, you should see a configuration profile for “Indigo Domotics”. If desired, you can remove the profile from this screen.

Android

FIXME

Firefox

In Firefox, you can add an exception for each Indigo server address you use.

  1. In Firefox, select 'Firefox' > 'Settings…'.
  2. In the search box, type “Certificates”.
  3. Select “View Certificates”.
  4. Select the “Servers” tab.
  5. Select “Add Exception”.
  6. Enter the URL for your server. For example, https://localhost:8176.
  7. Click “Get Certificate”.
  8. Read the warnings and then select “Confirm Security Exception”.
  9. You should see the security certificate exception listed in the Certificate Manager.

Chrome

Chrome for MacOS should use the same keychain entry that's described under Safari MacOS above. If you have installed the certificate for Safari, you don't need to do anything else. If you haven't installed the certificate for Safari, your best approach is to follow the steps for Safari MacOS.

Node Red Example

The following example shows how to configure a Node Red flow that uses the Indigo Web Server (IWS) API to operate a lamp device. It is only meant to show how to use a self-signed certificate and public key so that the flow connects to the IWS using https instead of http on a local network via 10.0.1.123, 127.0.0.1, or localhost. Using the API via the Indigo Reflector Service involves a different, CA-approved security certificate, and the flow is configured the same as it would be for any API via https.

Node Red Image

Using the flow via https requires a few settings. Enter a URL that points at the local IWS address (10.0.1.123, 127.0.0.1, or localhost) in the form:

https://<INDIGO IP ADDRESS>:8176/v2/api/command/

for example,

https://10.0.1.123:8176/v2/api/command/

Node Red 6 HTTP Request Node Image

Select TLS, and use bearer authentication along with a valid token key (from your Indigo Account Authorizations).

Then, choose to use the key and certificates from local files, and point them to the certificate and public key files located in:

/Library/Application Support/Perceptive Automation/Indigo 2024.1/Web Assets/cert/

Node Red 7 HTTP Request Node Image

Several other screenshots complete the example:

Node Red Inject Node Turn On Image
Node Red Inject Node Turn On JSON Image
Node Red Inject Node Turn Off Image
Node Red Inject Node Turn Off JSON Image
Node Red HTTP Debug Node Image
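
The TLS settings above, written out for Node.js (the runtime Node-RED uses), together with the fingerprint check worth doing before trusting the certificate in a browser. This is an added example, not Indigo or Node-RED code; the host, token and certificate text are supplied by the caller, and `CERT_PATH`, `TOKEN` and `onResponse` in the usage comment are placeholders.

```javascript
// Added example, not Indigo or Node-RED code. Host, token and certificate
// text are caller-supplied; nothing here is read from an Indigo install.
const crypto = require('node:crypto');
const tls = require('node:tls');

// Decode the base64 body of a PEM certificate into its DER bytes.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('no CERTIFICATE block found in PEM input');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// SHA-256 fingerprint in the colon-separated form certificate viewers show.
function fingerprint256(der) {
  const hex = crypto.createHash('sha256').update(der).digest('hex').toUpperCase();
  return hex.match(/../g).join(':');
}

// checkServerIdentity callback: keep Node's host-name check, then require the
// presented certificate to be byte-for-byte the pinned file.
function pinnedIdentityCheck(pinnedPem) {
  const pin = fingerprint256(pemToDer(pinnedPem));
  return (host, cert) => {
    const nameError = tls.checkServerIdentity(host, cert);
    if (nameError) return nameError;
    if (fingerprint256(cert.raw) === pin) return undefined;
    return new Error(`certificate presented by ${host} is not the pinned file`);
  };
}

// Options mirroring the HTTP Request node settings described above.
function indigoRequestOptions(host, certPem, token) {
  return {
    host, port: 8176, path: '/v2/api/command/', method: 'POST',
    ca: certPem,               // trust this certificate only
    rejectUnauthorized: true,  // verification stays on
    checkServerIdentity: pinnedIdentityCheck(certPem),
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
  };
}

// Usage (CERT_PATH = indigo-cert.pem in the folder named above):
//   const pem = require('node:fs').readFileSync(CERT_PATH, 'utf8');
//   require('node:https').request(indigoRequestOptions('localhost', pem, TOKEN), onResponse);
```

`fingerprint256(pemToDer(pem))` is also the value to compare against the SHA-256 fingerprint shown in Keychain or your browser's certificate viewer before choosing “Always Trust” or confirming an exception.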
  • Last modified: 2025/04/15 01:48
  • by davel17