...

To generate a self-signed CA certificate (and the corresponding CA private key), complete these steps:

  1. Create a CA private key. It will be uniquely associated with the CA certificate, so protect it accordingly: anyone who holds it can issue device certificates that the registry trusts. You can generate a 2048-bit RSA private key with this command:

    openssl genpkey -algorithm RSA -out ca_private.pem -pkeyopt rsa_keygen_bits:2048
  2. Generate the self-signed CA certificate. This command generates a self-signed RSA certificate with a SHA-256 signature (RS256) that meets the CA certificate requirements below. Note that openssl req -x509 defaults to a validity of 30 days when -days is not given; pass -days <n> to set the lifetime you actually want.

    openssl req -x509 -new -nodes -key ca_private.pem -sha256 -out ca_cert.pem -subj "/CN=unused"

...

  1. Create a device private key. You can generate a 2048-bit RSA private key with this command:

    openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
  2. Create a CSR from the device private key. The CSR carries only the public key and a signature made with the private key, so the private key never has to leave the device. This command generates a CSR with a SHA-256 signature:

    openssl req -new -sha256 -key rsa_private.pem -out rsa_cert.csr -subj "/CN=unused"
  3. Send the CSR to a CA and apply for a certificate. Each CA has a different application process. For instance, you may need to register an account with the CA and upload the CSR to an online portal.

...

All registry-level CA certificates must meet these requirements:

  • The CA certificate must be an X.509v3 (RFC 5280) certificate in PEM format: base64-encoded DER wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  • The CA certificate must be a .pem file whose public key uses a supported algorithm (a certificate is signed, not encrypted):

    • RSA with at least 2048 bits

    • NIST P-256

  • The CA certificate must be valid. If you try to add a device to a registry whose CA certificate has expired, ClearBlade IoT Core returns an error.

...

  • If the registry is configured with a self-signed CA certificate, issue the device certificate yourself by signing the device's CSR with the CA private key.

    1. Create a device private key. This key is different from the CA certificate and CA private key. You can generate a 2048-bit RSA private key with this command:

      openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
    2. Create a CSR from the device private key. This command generates a CSR with a SHA-256 signature:

      openssl req -new -sha256 -key rsa_private.pem -out rsa_cert.csr -subj "/CN=unused-device"
    3. Sign the CSR with the CA private key to issue the device public key certificate. This command generates an RSA certificate with a SHA-256 signature (RS256) that meets the public key certificate requirements. As with the CA certificate, openssl x509 -req defaults to 30 days of validity unless you pass -days.

      openssl x509 -req -in rsa_cert.csr -CA ca_cert.pem -CAkey ca_private.pem \
          -CAcreateserial -sha256 -out rsa_cert.pem
  • If the registry is configured with a third-party CA certificate, the device public key certificate is the certificate that CA issues in response to the device's CSR (see the CSR steps above). It is signed by the CA private key that corresponds to the registry-level CA certificate, so the CA certificate itself contains no device material. Before adding the issued certificate to a device, confirm that it chains to the registry-level CA certificate:

    openssl verify -CAfile ca_cert.pem rsa_cert.pem

...

Device public key certificates must meet these requirements (in addition to the standard ClearBlade IoT Core requirements for device credentials) so that they can be verified against registry-level CA certificates:

...

  1. Go to the Registries page.

  2. Click the device’s registry ID.

  3. In the left registry menu, click Devices.

  4. Click Create a device.

    To modify an existing device's public keys instead, click the device's ID on the Devices page and then click Edit device at the top.

  5. Enter a device ID that describes the device or helps you identify it (this field can't be edited later).

  6. For Device communication, select Allow or Block. Block lets you stop the device from communicating when needed, for example when it malfunctions. You'll most likely want to select Allow when creating the device.

  7. For Public key format, select RS256_X509 for an RSA certificate or ES256_X509 for a P-256 certificate; the format must match the key type in the certificate you paste. Paste the device public key certificate in the Public key value field. You can also set the key's expiration date.

    To add a key to an existing device, click Add public key on the Device details page.

    To remove a key from an existing device:

    1. Check the box next to the key on the Device details page.

    2. Click Delete to remove the key.

    To edit a key, click the Edit icon next to the key on the Device details page.

  8. Select the input method you want to use to enter the device public key certificate.

    • Manual: Copy and paste the device public key certificate into the Public key value field.

    • Upload: In the Public key value field, click Browse to select a file on your device.

  9. Use the Key and Value fields to add optional device metadata, such as a serial number.

  10. Select a Cloud Logging level to determine which device events are sent to Cloud Logging.

  11. Click Create to create the device.

API:

Use these methods to create devices or modify public keys:

...