...

ClearBlade IoT Core can verify device public key certificates against self-signed CA certificates and CA certificates generated by a trusted third party. Both CA certificates are used the same way but are generated differently.

...

  1. Create a CA private key. It will be uniquely associated with the CA certificate. You can generate a 2048-bit RSA private key with this command:

     openssl genpkey -algorithm RSA -out ca_private.pem -pkeyopt rsa_keygen_bits:2048

  2. Generate the self-signed CA certificate. This command generates an RS256 certificate that meets the CA certificate requirements:

     openssl req -x509 -new -nodes -key ca_private.pem -sha256 -out ca_cert.pem -subj "/CN=unused"

...

Adding CA certificates to a registry

Once you have CA certificates, add them to a registry. ClearBlade IoT Core verifies CA certificates at the registry level, so all CA certificates must be associated with a registry. A certificate can be added to multiple registries.

...

  • If the registry is configured with a self-signed CA certificate, sign a public key with the CA private key.

    1. Create a device private key. This key is different from the CA certificate and CA private key. You can generate a 2048-bit RSA private key with this command:

       openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048

    2. Create a CSR from the device private key. This command generates a CSR with an SHA-256 signature:

       openssl req -new -sha256 -key rsa_private.pem -out rsa_cert.csr -subj "/CN=unused-device"

    3. Create a public key and sign it with the CA private key. This command generates a signed RS256 certificate that meets the public key certificate requirements:

       openssl x509 -req -in rsa_cert.csr -CA ca_cert.pem -CAkey ca_private.pem \
           -CAcreateserial -sha256 -out rsa_cert.pem
  • If a registry is configured with a third-party CA certificate, the CA certificate contains a device public key certificate signed by the CA private key. You can extract an RSA device public key certificate from an RSA CA certificate with this command:

    # "openssl rsa" reads a private key file and fails on a certificate;
    # "openssl x509 -pubkey" reads the certificate and writes its RSA public key in PEM form
    openssl x509 -in ca_cert.pem -pubkey -noout -out rsa_cert.pem
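The self-signed CA steps above and the device-signing steps under the first bullet are one pipeline, and the two things worth confirming before uploading ca_cert.pem to a registry and rsa_cert.pem to a device are that the device certificate actually chains to that CA and that it carries the public half of the device key you intend to ship. The script below is an added example, not ClearBlade's own tooling or code from this page: it runs the page's openssl commands in a scratch directory (assumed: an openssl binary on PATH using the distribution's default openssl.cnf, so that "req -x509" marks the CA certificate CA:TRUE) and then performs those two checks with "openssl verify" and a public-key comparison. The second CA ("other-ca") is constructed only to show what a registry sees when the wrong CA certificate was uploaded.

```shell
#!/bin/sh
# Added example (not ClearBlade's code): build a self-signed CA, sign a device
# certificate with it, then check the chain the way a registry would.
set -eu

# Scratch directory for every key and certificate produced below.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Steps 1-2 from the page: CA private key and self-signed CA certificate.
# $1 = CA private key path, $2 = CA certificate path, $3 = subject CN
make_ca() {
  openssl genpkey -algorithm RSA -out "$1" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1" -sha256 -out "$2" -subj "/CN=$3"
}

# Device steps 1-3 from the page: device key, CSR, CA-signed certificate.
# $1 = CA certificate, $2 = CA private key,
# $3 = device private key (output), $4 = device certificate (output)
make_device_cert() {
  openssl genpkey -algorithm RSA -out "$3" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -new -sha256 -key "$3" -out "$WORKDIR/rsa_cert.csr" -subj "/CN=unused-device"
  openssl x509 -req -in "$WORKDIR/rsa_cert.csr" -CA "$1" -CAkey "$2" \
      -CAcreateserial -sha256 -out "$4" 2>/dev/null
}

# Check 1: does the device certificate ($2) chain to the CA certificate ($1)?
# This is the question the registry answers at connect time. Exit status 0 = yes.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the device certificate ($1) contain the public half of the
# device private key ($2)? Both commands emit the SubjectPublicKeyInfo PEM,
# so a plain string comparison is enough. Exit status 0 = match.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

make_ca "$WORKDIR/ca_private.pem" "$WORKDIR/ca_cert.pem" unused
make_device_cert "$WORKDIR/ca_cert.pem" "$WORKDIR/ca_private.pem" \
    "$WORKDIR/rsa_private.pem" "$WORKDIR/rsa_cert.pem"
# Constructed second CA: stands in for "the wrong CA certificate was uploaded".
make_ca "$WORKDIR/other_private.pem" "$WORKDIR/other_cert.pem" other-ca

if chains_to_ca "$WORKDIR/ca_cert.pem" "$WORKDIR/rsa_cert.pem"; then
  echo "rsa_cert.pem verifies against ca_cert.pem: registry would accept it"
fi
if ! chains_to_ca "$WORKDIR/other_cert.pem" "$WORKDIR/rsa_cert.pem"; then
  echo "rsa_cert.pem does not verify against other_cert.pem: registry would reject it"
fi
if cert_matches_key "$WORKDIR/rsa_cert.pem" "$WORKDIR/rsa_private.pem"; then
  echo "rsa_cert.pem carries the public key of rsa_private.pem"
fi
echo "artifacts left in $WORKDIR"
```

Run it as "sh script.sh" (or set WORKDIR to a directory of your choice). The negative check is the useful one: a device certificate that fails "openssl verify -CAfile" against the CA certificate you are about to add to the registry will be rejected at connect time, so running the check locally is cheaper than debugging a refused connection later.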

...