Registering a Device Authenticated by an X.509 Certificate

An X.509 certificate is a digital certificate used for communication entity authentication. IoTDA allows devices to use their X.509 certificates for authentication. The use of X.509 certificate authentication protects devices from being spoofed.

Before registering a device authenticated by an X.509 certificate, upload the device CA certificate to the platform and bind the device certificate to the device during device registration. This topic describes how to upload a device CA certificate to the platform and register a device that uses the X.509 certificate for authentication.

Limitations

Only MQTT devices can use X.509 certificates for identity authentication.
You can upload a maximum of 100 device CA certificates.

Uploading a Device CA Certificate

Access the IoTDA service page and click Access Console.
In the left navigation pane, choose Devices > Device CA Certificates, and click Upload Certificate in the upper right corner.
In the displayed dialog box, click Add File to add a file, and then click Yes.

Device CA certificates are provided by device vendors. You can prepare a commissioning certificate during commissioning. For security reasons, you are advised to replace the commissioning certificate with a commercial certificate during commercial use. Purchased CA certificates (in formats such as PEM and JKS) can be directly uploaded to the platform.

Making a Device CA Commissioning Certificate

This section uses the Windows operating system as an example to describe how to use OpenSSL to make a commissioning certificate. The generated certificate is in PEM format.

Download and install OpenSSL.
Open the CLI as user admin.
Run cd c:\openssl\bin (replace c:\openssl\bin with the actual OpenSSL installation directory) to access the OpenSSL view.
Generate a public/private key pair.
```
openssl genrsa -out rootCA.key 2048
```
Use the private key in the key pair to generate a CA certificate.
```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```
The system prompts you to enter the following information. All the parameters can be customized.
- Country Name (2 letter code) [AU]: country, for example, CN
- State or Province Name (full name) []: state or province, for example, GD
- Locality Name (for example, city) []: city, for example, SZ
- Organization Name (for example, company) []: organization, for example, Huawei
- Organizational Unit Name (for example, section) []: organization unit, for example, IoT
- Common Name (e.g. server FQDN or YOUR name) []: common name, for example, zhangsan
- Email Address []: email address, for example, 1234567@163.com
Obtain the generated CA certificate rootCA.pem from the bin folder in the OpenSSL installation directory.

Uploading a Verification Certificate

If the uploaded certificate is a commissioning certificate, the certificate status is Unverified. In this case, upload a verification certificate to verify that you have the CA certificate.

Click to enlarge

The verification certificate is created based on the private key of the device CA certificate. Perform the following operations to create a verification certificate:

Generate a key pair for the verification certificate.
```
openssl genrsa -out verificationCert.key 2048
```
Create a certificate signing request (CSR) for the verification certificate.
```
openssl req -new -key verificationCert.key -out verificationCert.csr
```
The system prompts you to enter the following information. Set Common Name to the verification code and set other parameters as required.
- Country Name (2 letter code) [AU]: country, for example, CN
- State or Province Name (full name) []: state or province, for example, GD
- Locality Name (for example, city) []: city, for example, SZ
- Organization Name (for example, company) []: organization, for example, Huawei
- Organizational Unit Name (for example, section) []: organization unit, for example, IoT
- Common Name (e.g. server FQDN or YOUR name) []: verification code for verifying the certificate. For details on how to obtain the verification code, see 5.
- Email Address []: email address, for example, 1234567@163.com
- Password[]: password, for example, 1234321
- Optional Company Name[]: company name, for example, Huawei
Use the CSR to create a verification certificate.
```
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256
```
Obtain the generated verification certificate verificationCert.pem from the bin folder of the OpenSSL installation directory.
Select the corresponding certificate, click , and click Upload Verification Certificate.
In the displayed dialog box, click Add File to add a file, and then click Yes.

After the verification certificate is uploaded, the certificate status changes to Verified, indicating that you have the CA certificate.

Presetting an X.509 Certificate

Before registering an X.509 device, preset the X.509 certificate issued by the CA on the device.

The X.509 certificate is issued by the CA. If no commercial certificate issued by the CA is available, you can create an X.509 commissioning certificate. Purchased certificates or certificates (in formats such as PEM and JKS) issued by authoritative organizations can be directly uploaded to the platform.

Creating an X.509 Commissioning Certificate

Run cmd as user admin to open the CLI and run cd c:\openssl\bin (replace c:\openssl\bin with the actual OpenSSL installation directory) to access the OpenSSL view.
Generate a public/private key pair.
```
openssl genrsa -out deviceCert.key 2048
```
Create a CSR.
```
openssl req -new -key deviceCert.key -out deviceCert.csr
```
The system prompts you to enter the following information. All the parameters can be customized.
- Country Name (2 letter code) [AU]: country, for example, CN
- State or Province Name (full name) []: state or province, for example, GD
- Locality Name (for example, city) []: city, for example, SZ
- Organization Name (for example, company) []: organization, for example, Huawei
- Organizational Unit Name (for example, section) []: organization unit, for example, IoT
- Common Name (e.g. server FQDN or YOUR name) []: common name, for example, zhangsan
- Email Address []: email address, for example, 1234567@163.com
- Password[]: password, for example, 1234321
- Optional Company Name[]: company name, for example, Huawei
Create a device certificate using CSR.
```
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256
```
Obtain the generated device certificate deviceCert.pem from the bin folder in the OpenSSL installation directory.

Registering a Device Authenticated by an X.509 Certificate

Access the IoTDA service page and click Access Console.

In the navigation pane, choose Devices > All Devices, click Individual Register in the upper right corner, set parameters based on the table below, and click OK.

Click to enlarge

Parameter	Description
Resource Space	Select the resource space to which a device belongs.
Product	Select the product to which the device belongs. You can select a product only after it is defined. If no product is available, create a product by following the instructions provided in Products.
Node ID	Set this parameter to the IMEI, MAC address, or serial number of the device. If the device is not a physical one, set this parameter to a custom character string that contains letters and digits.
Device Name	Customize the device name.
Authentication Type	X.509 certificate: The device uses an X.509 certificate for identity verification.
Fingerprint	This parameter is displayed when Authentication Type is set to X.509 certificate. Import the fingerprint corresponding to the preset device certificate on the device side. You can run openssl x509 -fingerprint -sha256 -in deviceCert.pem in the OpenSSL view to query the fingerprint. Note: Delete the colon (:) from the obtained fingerprint when filling it.