Registering a Device Authenticated by an X.509 Certificate
An X.509 certificate is a digital certificate used to authenticate communicating entities. IoTDA allows devices to authenticate with their own X.509 certificates, which protects devices from being spoofed.
Before registering a device authenticated by an X.509 certificate, upload the device CA certificate to the platform, and bind the device certificate to the device during device registration. This topic describes how to upload a device CA certificate to the platform and how to register a device that uses an X.509 certificate for authentication.
Constraints
- Only MQTT devices can use X.509 certificates for identity authentication.
- You can upload a maximum of 100 device CA certificates.
Uploading a Device CA Certificate
- Access the IoTDA service page and click Access Console. Click the target instance card.
- In the navigation pane, choose Devices > Device Certificates. On the Device CA Certificates tab page, click Upload Certificate.
- In the displayed dialog box, click Select File to add a file, and then click OK.
Figure 1 Device CA certificate - Uploading a certificate
Device CA certificates are provided by device vendors. You can prepare a commissioning certificate for use during commissioning. For security reasons, replace the commissioning certificate with a commercial certificate before commercial use. Purchased CA certificates (in formats such as PEM and JKS) can be uploaded to the platform directly.
Making a Device CA Commissioning Certificate
This section uses the Windows operating system as an example to describe how to use OpenSSL to make a commissioning certificate. The generated certificate is in PEM format.
- Download and install OpenSSL.
- Open the command prompt (cmd) as user admin.
- Run cd c:\openssl\bin (replace c:\openssl\bin with the actual OpenSSL installation directory) to access the OpenSSL view.
- Generate a public/private key pair.
openssl genrsa -out rootCA.key 2048
- Use the private key in the key pair to generate a CA certificate.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
The system prompts you to enter the following information. All the parameters can be customized.
- State or Province Name (full name) []: state or province, for example, GD
- Organization Name (for example, company) []: organization, for example, Huawei
- Organizational Unit Name (for example, section) []: organization unit, for example, IoT
- Common Name (e.g. server FQDN or YOUR name) []: common name, for example, zhangsan
- Email Address []: email address, for example, 1234567@163.com
Obtain the generated CA certificate rootCA.pem from the bin folder in the OpenSSL installation directory.
Uploading a Verification Certificate
If the uploaded certificate is a commissioning certificate, its status is Unverified. In this case, upload a verification certificate to prove that you hold the private key of the CA certificate.
The verification certificate is signed with the private key of the device CA certificate. Perform the following operations to create a verification certificate:
- Generate a key pair for the verification certificate.
openssl genrsa -out verificationCert.key 2048
- Create a certificate signing request (CSR) for the verification certificate.
openssl req -new -key verificationCert.key -out verificationCert.csr
The system prompts you to enter the following information. Set Common Name to the verification code and set the other parameters as required.
- State or Province Name (full name) []: state or province, for example, GD
- Organization Name (for example, company) []: organization, for example, Huawei
- Organizational Unit Name (for example, section) []: organization unit, for example, IoT
- Common Name (e.g. server FQDN or YOUR name) []: verification code used to verify the certificate. For details on how to obtain the verification code, see step 5.
- Email Address []: email address, for example, 1234567@163.com
- Password []: password, for example, 1234321
- Optional Company Name []: company name, for example, Huawei
- Use the CSR to create a verification certificate.
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256
Obtain the generated verification certificate verificationCert.pem from the bin folder of the OpenSSL installation directory.
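The procedure above, as a POSIX shell script added here for illustration (it is not part of the IoTDA documentation). It runs the same OpenSSL commands as the steps above, passing the subject with -subj instead of answering the prompts, and then performs the two checks the platform effectively makes when it verifies the certificate: the Common Name carries the verification code, and the certificate chains to the uploaded CA. The verification code "0123456789abcdef" is a constructed placeholder; the real value is shown in the console when you upload the verification certificate. On Windows, run it from Git Bash or WSL rather than cmd.

```shell
#!/bin/sh
# Added example, not from the IoTDA documentation: scripted form of the
# commissioning CA and verification-certificate steps. The verification code
# passed in is a constructed placeholder; use the code shown in the console.
set -eu

# Step 1: commissioning CA, same commands as the page (-subj replaces the prompts).
make_root_ca() {
    dir="$1"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/ST=GD/O=Huawei/OU=IoT/CN=commissioning-ca" \
        -out "$dir/rootCA.pem"
}

# Step 2: verification certificate whose Common Name is the verification code,
# signed with the CA private key (this is what proves you hold rootCA.key).
make_verification_cert() {
    dir="$1"; code="$2"
    openssl genrsa -out "$dir/verificationCert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/verificationCert.key" \
        -subj "/ST=GD/O=Huawei/OU=IoT/CN=$code" \
        -out "$dir/verificationCert.csr"
    openssl x509 -req -in "$dir/verificationCert.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
        -out "$dir/verificationCert.pem" 2>/dev/null
}

# Local pre-check before uploading: CN must equal the code, and the certificate
# must validate against the CA you uploaded. Prints "ok" on success.
check_verification_cert() {
    dir="$1"; code="$2"
    openssl x509 -noout -subject -nameopt RFC2253 \
        -in "$dir/verificationCert.pem" | grep -q "CN=$code" || return 1
    openssl verify -CAfile "$dir/rootCA.pem" \
        "$dir/verificationCert.pem" >/dev/null 2>&1 || return 1
    echo ok
}

# Usage: sh verification-cert.sh <verification code>
if [ $# -ge 1 ]; then
    d=$(mktemp -d)
    make_root_ca "$d"
    make_verification_cert "$d" "$1"
    check_verification_cert "$d" "$1" && echo "upload $d/verificationCert.pem"
fi
```

Because the verification certificate is only meaningful as proof of possession of rootCA.key, keep that key offline after issuing it; a leaked CA key lets anyone issue device certificates the platform will accept.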
- Select the corresponding certificate, click , and click Upload Verification Certificate.
Figure 3 Device CA certificate - Verifying a certificate
- In the displayed dialog box, click Select File to add a file, and then click OK.
Figure 4 Device CA certificate - Uploading a verified certificate
After the verification certificate is uploaded, the certificate status changes to Verified, indicating that you have the CA certificate.
Presetting an X.509 Certificate
Before registering an X.509 device, preset the X.509 certificate issued by the CA on the device.
The X.509 certificate is issued by the CA. If no commercial certificate issued by a CA is available, you can create an X.509 commissioning certificate. Purchased certificates, or certificates (in formats such as PEM and JKS) issued by authoritative organizations, can be uploaded to the platform directly.
Creating an X.509 Commissioning Certificate
- Run cmd as user admin to open the CLI and run cd c:\openssl\bin (replace c:\openssl\bin with the actual OpenSSL installation directory) to access the OpenSSL view.
- Generate a public/private key pair.
openssl genrsa -out deviceCert.key 2048
- Create a CSR for the device certificate.
openssl req -new -key deviceCert.key -out deviceCert.csr
The system prompts you to enter the following information. All the parameters can be customized.
- State or Province Name (full name) []: state or province, for example, GD
- Organization Name (for example, company) []: organization, for example, Huawei
- Organizational Unit Name (for example, section) []: organization unit, for example, IoT
- Common Name (e.g. server FQDN or YOUR name) []: common name, for example, zhangsan
- Email Address []: email address, for example, 1234567@163.com
- Password []: password, for example, 1234321
- Optional Company Name []: company name, for example, Huawei
- Use the CSR to create a device certificate.
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256
Obtain the generated device certificate deviceCert.pem from the bin folder in the OpenSSL installation directory.
Registering a Device Authenticated by an X.509 Certificate
- Access the IoTDA service page and click Access Console. Click the target instance card.
- In the navigation pane, choose Register Device, set parameters based on the table below, and click OK.
Figure 5 Device - Registering an X.509 device
Table 1 Registering a device using an X.509 certificate
Parameter: Description
Resource Space: Select the resource space to which the device belongs.
Product: Select the product to which the device belongs. You can select a product only after it is defined. If no product is available, create a product by following the instructions provided in Product Creation.
Node ID: Set this parameter to the IMEI, MAC address, or serial number of the device. If the device is not a physical one, set this parameter to a custom string that contains letters, digits, hyphens (-), and underscores (_).
Device ID: Enter a unique device ID. If this parameter is carried, the platform uses the parameter value as the device ID. Otherwise, the platform allocates a device ID in the format product_id_node_id.
Device Name: Customize the device name.
Description: Customize the device description.
Authentication Type: X.509 certificate. The device uses an X.509 certificate for identity verification.
Fingerprint: This parameter is displayed when Authentication Type is set to X.509 certificate. Enter the fingerprint of the device certificate preset on the device. You can run openssl x509 -fingerprint -sha256 -in deviceCert.pem in the OpenSSL view to query the fingerprint. Note: Delete the colons (:) from the obtained fingerprint before entering it.
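The "Creating an X.509 Commissioning Certificate" steps and the Fingerprint row of Table 1, as a POSIX shell script added here for illustration (not part of the IoTDA documentation). It creates a throwaway commissioning CA so that it runs stand-alone; in practice you sign the device CSR with the rootCA.key whose certificate you uploaded to the platform. The node ID and subject values are constructed. Beyond the page's commands, it shows that the fingerprint is simply the SHA-256 digest of the certificate's DER encoding, formats it without colons as the Register Device dialog requires, and checks that the device certificate chains to the CA, which is the condition the platform enforces at connection time. On Windows, run it from Git Bash or WSL.

```shell
#!/bin/sh
# Added example, not from the IoTDA documentation: device certificate issuance
# plus the fingerprint query from Table 1. CA and subject values are constructed.
set -eu

# Throwaway commissioning CA (same command as the page, -subj replaces prompts).
# In real use, sign with the rootCA.key uploaded to the platform instead.
make_issuing_ca() {
    dir="$1"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/ST=GD/O=Huawei/OU=IoT/CN=commissioning-ca" -out "$dir/rootCA.pem"
}

# Device key, CSR and CA-signed certificate; the node ID is used as the CN.
make_device_cert() {
    dir="$1"; node_id="$2"
    openssl genrsa -out "$dir/deviceCert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/deviceCert.key" \
        -subj "/ST=GD/O=Huawei/OU=IoT/CN=$node_id" -out "$dir/deviceCert.csr"
    openssl x509 -req -in "$dir/deviceCert.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
        -out "$dir/deviceCert.pem" 2>/dev/null
}

# Fingerprint in the form the Register Device dialog expects: SHA-256 hex,
# colons removed (the page's command prints "sha256 Fingerprint=AB:CD:...").
device_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr -d ':'
}

# The fingerprint is SHA-256 over the DER encoding of the certificate, so any
# re-issued certificate (even for the same key) gets a new fingerprint and the
# device record must be updated. Recompute it independently to show this.
fingerprint_matches_der() {
    want=$(device_fingerprint "$1")
    got=$(openssl x509 -in "$1" -outform DER | openssl dgst -sha256 \
          | cut -d= -f2 | tr -d ' ' | tr 'a-f' 'A-F')
    [ "$want" = "$got" ]
}

# The platform accepts the device only if its certificate chains to an
# uploaded (and verified) device CA certificate.
device_chains_to_ca() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/deviceCert.pem" >/dev/null 2>&1
}

# Usage: sh device-cert.sh <node id>
if [ $# -ge 1 ]; then
    d=$(mktemp -d)
    make_issuing_ca "$d"
    make_device_cert "$d" "$1"
    echo "Fingerprint for Register Device: $(device_fingerprint "$d/deviceCert.pem")"
    device_chains_to_ca "$d" && echo "deviceCert.pem chains to rootCA.pem"
fi
```

Keep deviceCert.key on the device only; the platform never needs it, and the fingerprint it stores binds the device identity to that specific certificate, not to the key.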