OpenTherm Gateway Secure remote access

This Forum is about the Opentherm gateway (OTG) from Schelte

Moderator: hvxl

OpenTherm Gateway Secure remote access

Postby NvBgm » Thu Feb 25, 2016 3:27 pm

Hello, I am a new user of the OTGW-usb that is connected on my Remeha Calenta and works perfect for me.
I just have one question about the remote acces of the otmonitor program.
I am running the OTM programm on a raspberry that is connected to my house network.
Now i would like to connect it from my smarth fhone via the internet.
I could open a port on my router but that is not a secure idee i think.
Also read the artikel on the OTGW site ( )

So i would like to make up a encrypted connection.
Thats not easy (for me at least) :-) so i hope to get some answerds on my questions.

First is it possible to make the server/client certificate on my desktop with windows 10 and copy this to the raspberry in the auth folder ??
And seccond how to setup the client certificate on my smart fhone ?

(Sorry for my poor englisch but i hope you can read and understand it)

Starting Member
Starting Member
Posts: 2
Joined: February 2012

Re: OpenTherm Gateway Secure remote access

Postby hvxl » Fri Feb 26, 2016 8:42 pm

OTMonitor works with certificate files in the standard format. So you can make them anywhere you like. Just make sure they are called server.key, server.crt, and CA.crt when you put them in the auth directory. Those are the only three needed by OTMonitor.

How to install a client certificate on your phone depends on the OS. You can search the web for instructions for your particular OS.
Senior Member
Senior Member
Posts: 1303
Joined: June 2010

Re: OpenTherm Gateway Secure remote access

Postby gda01 » Sun Oct 02, 2016 9:55 am

Last month (Sep 2016) I installed the Opentherm gateway. (heater: Vaillant hrPRO; thermostat: Honeywell Chronoterm Touch Modulation; Raspberry 2B, OT monitor 4.3, OT gateway 4.2.5). I created a custom page to set the Override setpoint via my android smartphone.

To have a secure access, with Openssl I created a CA and a server certificate. (OTmonitor can create certificates using 1024 bit keys. Current browsers find that not secure enough.) In my router I configured a port forwarding. With this configuration I have https access to the OTmonitor. For authentication I need to enter a username-password. This all is working fine.

My issue is, I have not yet succeeded in getting a client certificate working.

With the Openssl tooling I created a client certificate, signed with my CA. I succeeded in adding the client certificate with a Dbus command into the OTmonitor auth.db. I checked this with SqlightBrowser.

When I configure OTmonitor to require client certificate authentication, and try to access OTmonitor with my client certificate, I get the response 'forbidden:'.

So apparently OTmonitor does not recognize my certificate, or deems it invalid. In the tcl code I see a set of validations done on the certificate, as expiration date and check against auth.db. However my understanding of tcl is insufficient to understand the other validations.

What points should I should take care of in creating a client certificate with Openssl that will be accepted bij OTmonitor?
Starting Member
Starting Member
Posts: 4
Joined: October 2016

Return to Opentherm Gateway Forum

Who is online

Users browsing this forum: No registered users and 1 guest