Device Certificate Settings

Obtaining a Device Certificate

Obtaining a Device Certificate is a quite involved process:

• A private key and a certificate signing request has to be created on the device
• The certificate signing request is sent to the Certificate Authority (CA) chosen by the tenant for its fleet of devices
• The CA checks that the device issuing the signing request is actually allowed to connect the tenant
• The CA signs the signing request sending back the resulting certificate to the device
• The tenant adds the signing certificate of the CA to its trusted list of certificate

There are numerous variations notably on the contract between the tenant and the CA, the chain of signing certificates and the checks to be performed before approving a signing request. However, the outcome of the certificate signing process is always the same. It consists in three files:

• The device private key - generated by the device and which must be kept secret as this the proof of ownership
• The device certificate - signed by the CA and shared by the device on-demand
• The signing certificate - the certificate used by the CA to sign the certificate and by the tenant to check device certificates

Installing a Device Certificate

The device certificate must be installed on the gateway device, i.e. on the same box as the MQTT broker establishing the MQTT connection to the cloud over a bridge.

ls -lh /etc/mosquitto/certs

-r-------- 1 mosquitto root      1679 oct.  21  2022 demo-device-007.key
-r--r--r-- 1 mosquitto root      2095 oct.  21  2022 demo-device-007.pem

Note that only the MQTT broker should be able to read or write the private key, while the certificate itself is public.

Then thin-edge.io must be told where the certificate is stored. Note that the device certificate file must contain not only the device certificate itself but also the signing certificate (so the cloud endpoint can check the chain, starting from the device certificate up to the trusted root).

# Create a new cert chain, which contains both the device public cert and the signing (in that order)
cat demo-device-007.pem > demo-device-007.chain.pem
cat signing-cert.pem >> demo-device-007.chain.pem

# Configure the cert chain file as the main cert to be used by **thin-edge.io**
tedge config set device.cert_path /etc/mosquitto/certs/demo-device-007.chain.pem
tedge config set device.key_path /etc/mosquitto/certs/demo-device-007.key

The tedge cert show command can be used to look at the content of the certificate.

tedge cert show

Device certificate: /etc/mosquitto/certs/demo-device-007.chain.pem
Subject: O=Thin-Edge, OU=t398942, CN=demo-device-007
Issuer: C=DE, O=Software AG, CN=QA Thin-Edge CA G1
Valid from: Tue, 09 Nov 2021 14:38:41 +0000
Valid up to: Sat, 09 Nov 2024 14:38:41 +0000
Thumbprint: 1E0F9A074E6FE67A43EE948335E42EB729CB3974

Cloud tenant setting

The last point is to make the cloud tenant trust the device certificate. For that the certificate of the issuer - .i.e. "QA Thin-Edge CA G1" in the example case, must be added to the list of trusted signing certificate.

This process is cloud dependent. See the respective documentation of the cloud you're trying to connect to for details on how to add a new signing certificate:

• Cumulocity IoT: Managing trusted certificates
• Understand how Azure IoT Edge uses certificates
• AWS IoT: X.509 client certificates

note

The command tedge cert upload is of no help here.

Indeed, the device does not have a copy of the signing certificate of the CA. This certificate is given by the CA to the tenant owner or the device operator in the context of the signing process.