Indigo Web Server Certificates

Displaying web content in a secure format using HTTPS requires a security certificate for the site your browser is connected to. These certificates are typically reviewed and signed by a third party authority to ensure they're legitimate. Indigo's certificate is “self-signed”, which means that it hasn't been reviewed by a third party. We must use a self-signed certificate because it isn't possible to have an authority-signed certificate for a local server name (localhost or 127.0.0.1) that doesn't have its own domain name.

Appropriately, your browser will warn you that a security certificate is self-signed and require you to intervene in order to display the requested content. You can choose to respond to this warning each time it appears, or you can tell your browser to trust the certificate – which will typically silence these warnings.

Only local or direct access to the Indigo Web Server will use the self-sign certificate (if https is enabled in the Start Local Server dialog). The Indigo reflector doesn’t use the local certificate; it’s part of the reflector service so it’s a valid certificate from a third-party Certification Authority.

WARNING!!! Be careful when using the steps described below – trusting a self-signed certificate tells your browser that the site you're connected to is secure and trustworthy.

For each of the following examples, the associated certificate (and public key) can be found in the Indigo folder tree at ../Web Assets/cert/indigo-cert.pem and ../Web Assets/cert/indigo-key.pem beginning with Indigo 2024.1 (and in later versions).

Different browsers handle security certificates in a slightly different way (and your method may differ from those listed below depending on the OS and application versions you're using.

1. Open Keychain.
2. From the `File` menu, select `Import Items…`.
3. Point to ../Web Assets/cert/indigo-cert.pem and select 'Open'.
4. The security certificate will be added to the 'Login' keychain.
5. Keychain will mark the certificate with a warning that “This certificate has not been verified by a third party.”
6. Double-click the certificate to open its info pane.
7. Maximize the Trust settings and find “When using this certificate:” and select “Always Trust”.
8. Keychain should require a password to save the change.
9. You may need to click away from the certificate and then re-select it for the updated settings to be displayed in the Keychain list.

iOS and iPadOS will report that “This Connection is Not Private”. This is the way it reacts to insecure websites (which is great) but also how it reacts to sites with a self-signed certificate.

1. On your Mac, browse to the certificate file at ../Web Assets/cert/indigo-cert.pem.
2. Click on the certificate and select “Share” and use Air Drop to share it to your device.
3. On the device, if prompted, select the device you want to install the profile on (e.g., iPhone, Apple Watch, etc.)
4. iOS should respond by saying, “Profile Downloaded”. You can close the notification.
5. Open the Settings app.
6. Near the top, of the main screen, there should be an item, “Profile Downloaded”.
7. Click the downloaded profile, review its contents, and then select “Install”.
8. Enter your passcode.
9. You will be warned, “The authenticity of “Indigo Domotics” cannot be verified.”
10. Select “Install”, and then select “Install”.
11. Select “Done”

Under “VPN & Device Management”, you should see a configuration profile for “Indigo Domotics”. If desired, you can remove the profile from this screen.

In Firefox, you can add an exception for each Indigo server address you use.

1. In Firefox, select 'Firefox' > 'Settings…'.
2. In the search box, type “Certificates”.
3. Select “View Certificates”.
4. Select the “Servers” tab.
5. Select “Add Exception”.
6. Enter the URL for your server. For example, https://localhost:8176.
7. Click “Get Certificate”.
8. Read the warnings and then select “Confirm Security Exception”.
9. You should see the security certificate exception listed in the Certificate Manager.

Chrome for MacOS should use the same keychain entry that's described under Safari MacOS above. If you have installed the certificate for Safari, you don't need to do anything else. If you haven't installed the certificate for Safari, your best approach is to follow the steps for Safari MacOS