Connect to AVNET iotconnect.io with Node-RED - part 8a: safer connect with Self Signed Certificates

9 Apr 2021

AVNET's iotconnect.io cloud platform is an online service that you can use to send data to, and then show it on a dashboard. In this blog series I'm learning how to talk to it with Node-RED.

In this post: authentication with a Self Signed Certificate.

This is a good step forward in the safety, but not as good as proper CA certificates. That will be covered in a next post.

Scenario:

I want to improve authentication safety.

In all the previous posts, I used the customer id (CPID) and device unique ID.

Now I'll use additional verification: certificates.

They are self-signed, generated by the AVNET IoTConnect server.

In node-red, I'll use these certificates when making the connection. They must be valid and have to match the ones linked to the device.

Steps:

Generate an IoTConnect template with security option: Self Signed.

Generate a new Device, and link it to that template. The server will generate the certificates for us at that point.

Save the 3 components that are needed, as text files:

root certificate,
device certificate and
device private key,

Create a Node-RED flow to test this, and try.

The complexity of this scenario is low. Everything is prepared for you.

Create Template with Self Signed Certificate authentication

Save, Then add at least one attribute. I've been using Temperature in all the previous posts. I'll stick to it.

Save. You now have a minimal working template set up for self signed certificate authentication.

Create Device and Get the Certificates

You can now create a device, using that template.

Because the template is set up for self signed certificate authentication, the portal will create the certificates chain and keys now.

Don't forget to click on the certificate icon and get all the info. This is the only chance.

The system asks you to generate a password for the certificates.

Enter one, press Generate.

A pop-up shows with all the info needed to connect.

This is linked to your device on the cloud. You have to use this certificate collection to log on from Node-RED, or the connection will fail (and that is good).

You end up with 3 files:

client.key (key),
client.pem (cert),
CA.pem (root certificate)

They have to be available to Node-RED.

I placed those on the client that's running Node-RED ('"the device", an AVNET Smartedge IIOTGateway):

/home/avnet/.iotconnect/.selfsigned/client.key

/home/avnet/.iotconnect/.selfsigned/client.pem

/home/avnet/.iotconnect/.selfsigned/CA.pem

Then I copied my existing Node-RED flow from the previous posts, and replaced the Unique ID in the injection and IoTConnec nodes with the unique ID of our device here:

If you want to see the Thumbprint later and didn't store it: no worries. You can retrieve it from the certificate:

openssl x509 -fingerprint -in client.pem

Refer to this post for the correct ACK handling.

Deploy and enjoy.

Refer to this post for the correct ACK handling.

The connection is successful when the IotConnec node shows "connected" under its icon.

Here's the result of sending a temperature.

This is a good step from the previous authentication. More to follow.

The Python SDK with On Semiconductor RSL10 BLE article series	Industry
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices
The NODE-Red SDK article series	Industry
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificates	Y
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply Chain	Y
part 9b: IIoT supply chain and Certificates - Create Ca Root certificate, Load to IoTConnect Cloud and Validate	Y
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your Subcontractor	Y
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your Device	Y
part 9e: IIoT supply chain and Certificates - Test!	Y
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) Security	Y
Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security	Y
The Automate Device Provisioning and Cloud Configuration article series	Industry
Automatic Provisioning with REST API	Y

Top Comments

Jan Cumps over 3 years ago in reply to Jan Cumps

Write-down of authentication with CA backed certificates: Connect to AVNET iotconnect.io with Node-RED - part 8b: safer connect with CA certificates
This article tries to make certificates understandable. Ping me if that isn't true.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Jan Cumps over 3 years ago in reply to Jan Cumps

I solved this.
the CN of the client certificate has to be "CPID-UNIQUEID" it seems ...

It works, so that makes me happy.
What I'm not yet sure of if I am happy about: the CPID is private info.
If you execute this command on the public certificate:
openssl x509 -text -in e14cacert1_2.pem
it shows that attribute in readable format.

But I may be wrong and there is another reason why it started working ....
- Cancel
- Vote Up +1 Vote Down
- Sign in to reply
- More
- Cancel
Jan Cumps over 3 years ago
Initially, I intended to skip self signed certificates, and step directly to CA generated ones.
But I spent a day trying and didn't get a working connection.

You need 3 sets of artifacts:
- a root CA certificate-key pair
- a proof of ownership (validation) certificate generated by that root CA and its private key
- a client certificate-key pair, also generated by that root CA and its private key
I'm successful with step one and 2.
I can create a root certificate and its key, then upload it to the IoTConnect servers.
This generates a challenge token. You need to generate the validation certificate with the challenge as the certificate's common name. Then upload that to the server.
If that's successful, the CA certificate is accepted as a source for client certificates.

As you can see, I've been quite busy:

Certificate 2 and 3 are trials with OpenSSL on linux.
The first one is generated on Windows - following Azure's instructions (IoTConnect runs on Azure servers and stack).

Each time the results are the same: the validation certificate is OK. It marks the CA as verified on the server.
(I also did negative tests: un purpose gave wrong info in the verify certificate, to see if the validation is real. It is real).

But the client can't connect with the client certificate I generate:

I've entered a support request for IoTConnect support:

I am able to connect a device with the CPID/Unique ID combination, and with a Self Signed certificate
https://www.element14.com/community/community/applications/industrial-automation-space/blog/2021/04/09/connect-to-avnet-iotconnectio-with-node-red-part-8a-safer-connect-with-certificates

I am also able to generate and upload a CA certificate to the portal, then generate a validation certificate and validate the CA successfully.
However, when I create a CA template, then a device that uses that template and my verified CA, it fails to connect from Node-RED.

symptom:
Node shows as disconnected.
Node-RED log: Connection closed ::: DeviceId :: *********************-e14cacert1 :: 2021-04-09T15:19:39.818Z

I created the client certificate and key in a similar way as the verification certificate I used to proof that I own the CA certificate.
- Cancel
- Vote Up +1 Vote Down
- Sign in to reply
- More
- Cancel