
PKI

This section goes a step further and demonstrates how a custom Certificate Authority (CA) can be used to securely connect devices to a Connectivity Platform Connector product.

Configuration

  1. Navigate to the Connector solution page under the Settings tab.

  2. In the Provisioning section, enable the Self-Provisioning feature.

  3. In the Authentication section, select the TLS Client Certificate authentication method and enable Public Key Infrastructure (PKI).

  4. Under the Public Key Infrastructure (PKI) window, click the ADD button; this is where you paste your Client CA Certificate in PEM format.
    Here is an example of how to create a Client CA:

    openssl req -x509 -nodes -days 365 -sha256 -subj /C=US/ST=MN/L=Mpls/O=westpharma/CN=<The-domain-of-connector> -newkey rsa:2048 -keyout <Key-name>-key.pem -out <Cert-name>-cert.pem


  5. After pasting the Client CA into the certificate editor, click the DECODE button to verify that the information is correct. Once confirmed, click SUBMIT to proceed.
    Please don't forget to click the SAVE button to commit your changes to your solution's settings.

Your connector authentication setup is now complete.

Note
  1. Users can add multiple Client CAs by clicking the 'ADD' button.
  2. After enabling the PKI feature, all device certificates must be signed by a valid Client CA. Otherwise, they cannot be used for device connections or data publishing.

Connecting Device

Make sure the Self-Provisioning feature from the previous section is enabled. With it enabled, there is no need to explicitly whitelist a device for provisioning. The device can simply connect to the Connectivity Platform using its device certificate. The platform will automatically save the device’s identity (the Common Name extracted from the certificate) and the certificate itself for future authentication.

Additionally, devices using TLS Client Certificate authentication do not need to explicitly call the activate endpoint to get provisioned. Instead, they can begin sending data upon their first connection.

In the curl command below, use the device certificate (signed by the configured Client CA) for the --cert option and the corresponding private key for the --key option.

Here’s an example of how to generate a device certificate signed by the configured Client CA:

openssl req -new -nodes -days 365 -sha256 -subj /C=US/ST=MN/L=Mpls/O=westpharma/CN=<Device-name> -newkey rsa:2048 -keyout <Device-name>-key.pem -out <Device-name>.csr

openssl x509 -req -in <Device-name>.csr -CA <Cert-name>-cert.pem -CAkey <Key-name>-key.pem -CAcreateserial -out <Device-name>.pem -days 365

Here <Cert-name>-cert.pem and <Key-name>-key.pem are the Client CA certificate and private key generated in the Configuration section above.

You can use the following example to provision a device and publish data to the Connectivity Platform:

curl -v \
  -X POST https://<The-domain-of-connector>/api:v1/stack/alias \
  --cert ./<Device-name>.pem \
  --key ./<Device-name>-key.pem \
  -d temperature=50

This command provisions the device and writes the value 50 with the resource "temperature". The Connectivity Platform verifies that the provided certificate was signed by the configured Client CA.

When you run the same command again, the Connectivity Platform will use the device certificate to identify the device (by extracting the Common Name) and authenticate it (by verifying that the certificate was issued by the configured Client CA and is associated with the device in the platform’s database).
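The following shell script is an added example, not part of the original documentation, that reproduces locally the two checks described above: it verifies that a device certificate chains to the configured Client CA (rejecting one issued by another CA) and extracts the Common Name the platform stores as the device identity. The CA names, device names and working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page). Reproduces locally the checks the
# Connectivity Platform performs on a device certificate: chain to the
# configured Client CA, and Common Name extraction as the device identity.
# All names below are constructed for this demo.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed Client CA, same shape as the page's command (short lifetime for the demo).
make_ca() {  # $1 = CA name
  openssl req -x509 -nodes -days 1 -sha256 -subj "/C=US/ST=MN/L=Mpls/O=westpharma/CN=$1" \
    -newkey rsa:2048 -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# Constructed device certificate signed by the named CA, as on the page.
make_device_cert() {  # $1 = device name, $2 = CA name
  openssl req -new -nodes -sha256 -subj "/C=US/ST=MN/L=Mpls/O=westpharma/CN=$1" \
    -newkey rsa:2048 -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2-cert.pem" -CAkey "$WORK/$2-key.pem" \
    -CAcreateserial -out "$WORK/$1.pem" -days 1 2>/dev/null
}

# Check 1: does the device certificate chain to the configured Client CA?
# Returns 0 when it does; non-zero otherwise (the platform rejects such connections).
verify_device_cert() {  # $1 = Client CA cert path, $2 = device cert path
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the identity the platform stores is the certificate's Common Name.
device_cn() {  # $1 = device cert path
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
    | sed -n 's/^ *CN=//p'
}

make_ca configured-ca
make_ca other-ca
make_device_cert sensor-01 configured-ca
make_device_cert sensor-02 other-ca   # issued by a CA the connector does not trust

verify_device_cert "$WORK/configured-ca-cert.pem" "$WORK/sensor-01.pem" && echo "sensor-01: accepted"
verify_device_cert "$WORK/configured-ca-cert.pem" "$WORK/sensor-02.pem" || echo "sensor-02: rejected (unknown CA)"
echo "identity of sensor-01: $(device_cn "$WORK/sensor-01.pem")"
```

Once PKI is enabled, sensor-02 above is exactly the kind of certificate the platform refuses, even though it is otherwise well-formed.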