...
Self-signed CA certificates
...
Generate a self-signed CA certificate
...
1. Create a CA private key. It will be uniquely associated with the CA certificate. You can generate a 2048-bit RSA private key with this command:
```
openssl genpkey -algorithm RSA -out ca_private.pem -pkeyopt rsa_keygen_bits:2048
```
2. Generate the self-signed CA certificate. This command generates an RS256 certificate that meets the CA certificate requirements:
```
openssl req -x509 -new -nodes -key ca_private.pem -sha256 -out ca_cert.pem -subj "/CN=unused"
```
See Generating an RSA key with a self-signed X.509 certificate or Generating an ES256 key with a self-signed X.509 certificate for more examples.
...
To get a CA certificate from a trusted third party, submit a CSR to the CA. The CA then sends you a CA certificate with the corresponding device public key certificate, signed by the CA private key. To get
Get third-party CA certificates
...
1. Create a device private key. You can generate a 2048-bit RSA private key with this command:
```
openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
```
2. Create a CSR from the device private key. The CSR contains the public key and is signed with the private key, but the private key itself is never included, so it stays secret. This command generates a CSR with a SHA-256 signature:
```
openssl req -new -sha256 -key rsa_private.pem -out rsa_cert.csr -subj "/CN=unused"
```
3. Send the CSR to a CA and apply for a certificate. Each CA has a different application process. For instance, you may need to register an account with the CA and upload the CSR to an online portal.
CA certificate requirements
...
Once you have CA certificates, add them to a registry. ClearBlade IoT Core verifies CA certificates at the registry level, so all CA certificates must be associated with a registry. A certificate can be added to multiple registries.
Console
1. Go to the Registries page.
2. At the top of the page, click Create Registry.
3. Click Add CA certificate to type/paste a certificate or upload a certificate .pem file. You can add only one certificate when creating the registry, but you can add more certificates later (up to 10).
The Device registry details page includes a Certificates tab that shows the existing certificates and allows you to add more.
...
ClearBlade IoT Core verifies device public key certificates against registry-level CA certificates when you create a device or modify its public keys.
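Before uploading, you can run a comparable chain check locally. The script below is an added example, not ClearBlade's own code: it signs the device CSR with the self-signed CA from the steps above, confirms that the resulting device certificate chains to the CA certificate, and confirms that the certificate carries the device's key. File names follow the page; the CA subject `/CN=example-ca`, the `-days` values and the function names are assumptions.

```shell
#!/bin/sh
# Added example: sign the device CSR with the self-signed CA, then verify locally.
# Assumptions: CA subject, validity periods (-days) and all function names.

# Build a throwaway CA and a CA-signed device certificate in directory $1.
make_demo_pki() {
    dir=$1
    # CA private key and self-signed CA certificate (the page's two CA steps).
    openssl genpkey -algorithm RSA -out "$dir/ca_private.pem" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$dir/ca_private.pem" -sha256 \
        -days 365 -out "$dir/ca_cert.pem" -subj "/CN=example-ca" || return 1
    # Device private key and CSR (the page's two device steps).
    openssl genpkey -algorithm RSA -out "$dir/rsa_private.pem" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null || return 1
    openssl req -new -sha256 -key "$dir/rsa_private.pem" \
        -out "$dir/rsa_cert.csr" -subj "/CN=unused" || return 1
    # Act as the CA: issue the device public key certificate from the CSR.
    openssl x509 -req -in "$dir/rsa_cert.csr" -CA "$dir/ca_cert.pem" \
        -CAkey "$dir/ca_private.pem" -CAcreateserial -sha256 -days 30 \
        -out "$dir/rsa_cert.pem" 2>/dev/null || return 1
}

# Succeeds only if device certificate $2 chains to CA certificate $1.
verify_device_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if certificate $1 carries the public key of private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a temporary directory (constructed data, safe to delete).
demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir" &&
   verify_device_cert "$demo_dir/ca_cert.pem" "$demo_dir/rsa_cert.pem" &&
   cert_matches_key "$demo_dir/rsa_cert.pem" "$demo_dir/rsa_private.pem"; then
    echo "rsa_cert.pem chains to ca_cert.pem and matches rsa_private.pem"
fi
rm -rf "$demo_dir"
```

Only `ca_cert.pem` goes to the registry and only `rsa_cert.pem` goes to the device entry; `ca_private.pem` and `rsa_private.pem` are never uploaded.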
Console
1. Go to the Registries page.
2. Click the device’s registry ID.
3. In the left registry menu, click Devices.
4. Click Create a device.
To modify a device's public keys, click the device's ID on the Devices page and click Edit device at the top.
5. Enter a device ID that describes the device or helps you identify it (this field can't be edited later).
6. For Device communication, select Allow or Block. The latter allows you to block communication when needed, such as when a device malfunctions. You'll most likely want to enable communication when creating the device.
7. For Public key format, select RS256_X509 or ES256_X509. Paste the device public key certificate in the Public key value field. You can also set the key’s expiration date.
To add a key to an existing device, click Add public key on the Device details page.
To remove a key from an existing device, check the box next to the key on the Device details page and click Delete to remove it.
To edit a key, click the Edit icon next to the key on the Device details page.
8. Select the input method you want to use to enter the device public key certificate.
Manual: Copy and paste the device public key certificate into the Public key value field.
Upload: In the Public key value field, click Browse to select a file on your device.
9. Use the Key and Value fields to add optional device metadata, such as a serial number.
10. Select a Cloud Logging level to determine which device events are sent to Cloud Logging.
11. Click Submit to create the device.
API
Use these methods to create devices or modify public keys:
...