ClearBlade IoT Core offers per-device public/private key authentication using JSON Web Tokens (JWTs). ClearBlade IoT Core can verify device public key certificates against registry-level CA certificates for additional security.

...

  1. Create a CA private key. It will be uniquely associated with the CA certificate. You can generate a 2048-bit RSA private key with this command:

    openssl genpkey -algorithm RSA -out ca_private.pem -pkeyopt rsa_keygen_bits:2048

  2. Generate the self-signed CA certificate. This command generates an RS256 certificate that meets the CA certificate requirements:

    openssl req -x509 -new -nodes -key ca_private.pem -sha256 -out ca_cert.pem -subj "/CN=unused"

See Generating an RSA key with a self-signed X.509 certificate or Generating an ES256 key with a self-signed X.509 certificate for more examples.

Third-party CA certificates

...

...

Device public key certificates must meet these requirements (in addition to the standard ClearBlade IoT Core requirements for device credentials) to verify them against registry-level CA certificates:

  • The CA certificate must be in the X.509v3 (RFC 5280) format, encoded in base64, and wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

  • A specific CA certificate must sign the device public key certificate at the registry level; intermediary CAs are not supported.

    • The device public key certificate must not be identical to the registry-level certificate.

  • No raw public keys.

  • Supported JWT algorithms:

  • The device public key certificate must be valid. If you try to create or update a device with an expired certificate, ClearBlade IoT Core returns an error.
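The CA commands above and the requirements list, as an added example that is not part of the ClearBlade documentation: a POSIX shell script that builds the registry CA with the two openssl commands, issues RS256_X509 and ES256_X509 device certificates signed directly by it, deliberately produces the kinds of input the list says the registry rejects (a certificate signed through an intermediate CA, the CA certificate itself, and a raw public key), and runs each through a check that mirrors the listed rules. Everything beyond the two CA commands is this example's own assumption: the file names other than ca_private.pem and ca_cert.pem, the 10-year CA and 365-day device validity, the extension files, and the check function, which approximates the registry's rules with local openssl calls rather than reproducing the service's code.

```shell
#!/bin/sh
# Added example (not from the ClearBlade docs): create a registry CA, issue device
# certificates, and check them against the registry-level requirements. Assumed
# names: everything except ca_private.pem and ca_cert.pem. Requires openssl >= 1.1.0.
set -u
WORK="${WORK:-$(mktemp -d)}"

# make_ca: the page's two commands, plus a 10-year validity so the CA outlives device keys.
make_ca() {
  openssl genpkey -algorithm RSA -out "$WORK/ca_private.pem" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ca_private.pem" -sha256 -days 3650 \
    -out "$WORK/ca_cert.pem" -subj "/CN=unused" 2>/dev/null
}

# issue_cert NAME ALGO SIGNER_CERT SIGNER_KEY [ca]: key, CSR and certificate for NAME,
# signed directly by SIGNER. ALGO is rsa (RS256_X509) or ec (ES256_X509). A fifth
# argument "ca" marks the new certificate as a CA (used below to build an intermediate).
issue_cert() {
  ic_name=$1; ic_algo=$2; ic_cert=$3; ic_key=$4; ic_kind=${5:-leaf}
  if [ "$ic_algo" = ec ]; then
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$ic_name.key" 2>/dev/null
  else
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$ic_name.key" 2>/dev/null
  fi
  openssl req -new -key "$WORK/$ic_name.key" -subj "/CN=$ic_name" -out "$WORK/$ic_name.csr" 2>/dev/null
  # Explicit extensions make the result X.509v3 on every OpenSSL version.
  if [ "$ic_kind" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/$ic_name.ext"
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/$ic_name.ext"
  fi
  openssl x509 -req -in "$WORK/$ic_name.csr" -CA "$ic_cert" -CAkey "$ic_key" -CAcreateserial \
    -sha256 -days 365 -extfile "$WORK/$ic_name.ext" -out "$WORK/$ic_name.pem" 2>/dev/null
}

# check_device_cert CERT: local approximation of the registry's acceptance rules.
# Returns 0 when CERT satisfies every rule, 1 otherwise, naming each failed rule.
check_device_cert() {
  cd_cert=$1; cd_ca="$WORK/ca_cert.pem"; cd_rc=0
  # PEM wrapping: a raw public key ("BEGIN PUBLIC KEY") fails here.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cd_cert" && grep -q -- '-----END CERTIFICATE-----' "$cd_cert" \
    || { echo "  reject: not a PEM-wrapped certificate (raw public key?)"; cd_rc=1; }
  # X.509v3 format.
  openssl x509 -in "$cd_cert" -noout -text 2>/dev/null | grep -q 'Version: 3' \
    || { echo "  reject: not X.509v3"; cd_rc=1; }
  # Must not be the registry-level certificate itself (compared by SHA-256 fingerprint).
  cd_fp=$(openssl x509 -in "$cd_cert" -noout -fingerprint -sha256 2>/dev/null)
  cd_ca_fp=$(openssl x509 -in "$cd_ca" -noout -fingerprint -sha256 2>/dev/null)
  if [ -n "$cd_fp" ] && [ "$cd_fp" = "$cd_ca_fp" ]; then
    echo "  reject: identical to the registry CA certificate"; cd_rc=1
  fi
  # Must be valid now: -checkend 0 fails for an expired (or unparseable) certificate.
  openssl x509 -in "$cd_cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "  reject: expired (or unparseable)"; cd_rc=1; }
  # Only the registry CA is trusted and no intermediate is offered, so the certificate
  # chains only if that CA signed it directly.
  openssl verify -no-CApath -CAfile "$cd_ca" "$cd_cert" >/dev/null 2>&1 \
    || { echo "  reject: not signed directly by the registry CA"; cd_rc=1; }
  return $cd_rc
}

# report LABEL CERT: print the outcome; always returns 0 so the demo runs to the end.
report() {
  echo "$1:"
  if check_device_cert "$2"; then echo "  accepted"; fi
  return 0
}

make_ca
issue_cert dev_rsa rsa "$WORK/ca_cert.pem" "$WORK/ca_private.pem"               # RS256_X509 device
issue_cert dev_ec  ec  "$WORK/ca_cert.pem" "$WORK/ca_private.pem"               # ES256_X509 device
issue_cert intermediate rsa "$WORK/ca_cert.pem" "$WORK/ca_private.pem" ca       # an intermediate CA
issue_cert dev_via_inter rsa "$WORK/intermediate.pem" "$WORK/intermediate.key"  # device signed by it
openssl pkey -in "$WORK/dev_rsa.key" -pubout -out "$WORK/dev_rsa.pub" 2>/dev/null  # raw public key

report "RSA device certificate signed by the registry CA" "$WORK/dev_rsa.pem"
report "EC device certificate signed by the registry CA"  "$WORK/dev_ec.pem"
report "device certificate signed by an intermediate CA"  "$WORK/dev_via_inter.pem"
report "the registry CA certificate itself"               "$WORK/ca_cert.pem"
report "raw public key instead of a certificate"          "$WORK/dev_rsa.pub"
```

Run it with sh; the first two certificates are accepted and the last three are rejected with the rule they break. The direct-signature rule is approximated by trusting only ca_cert.pem and supplying no untrusted intermediates to `openssl verify`, which is the practical effect of "intermediary CAs are not supported": a device certificate that chains to the registry CA only through another CA never validates. The CA certificate is produced exactly as the page shows, so with a default openssl.cnf it carries the usual CA extensions; the device and intermediate certificates get explicit extension files because `openssl x509 -req` adds none by default on OpenSSL 1.1.x.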

...

  1. Go to the Registries page.

  2. Click the device’s registry ID.

  3. In the left registry menu, click Devices.

  4. Click Create a device.

    To modify a device's public keys, click the device's ID on the Devices page and click Edit device at the top.

  5. Enter a device ID that describes the device or helps you identify it (this field can't be edited later).

  6. For Device communication, select Allow or Block. The latter allows you to block communication when needed, such as when a device malfunctions. You'll most likely want to enable communication when creating the device.

  7. For Public key format, select RS256_X509 or ES256_X509. Paste the device public key certificate in the Public key value field. You can also set the key’s expiration date.

    To add a key to an existing device, click Add public key on the Device details page.

    To remove a key from an existing device:

    1. Check the box next to the key on the Device details page.

    2. Click Delete to remove the key.

    To edit a key, click the Edit icon next to the key on the Device details page.

  8. Select the input method you want to use to enter the device public key certificate.

    • Manual: Copy and paste the device public key certificate into the Public key value field.

    • Upload: In the Public key value field, click Browse to select a file on your device.

  9. Use the Key and Value fields to add optional device metadata, such as a serial number.

  10. Select a Cloud Logging level to determine which device events are sent to Cloud Logging.

  11. Click Submit to create the device.

...

Public keys are specified in the Device resource’s credentials field in the ClearBlade IoT Core API. See DeviceCredential for more information.

If one or more registry-level CA certificates are present, the Device resource must meet the device certificate requirements listed above.

...