Author: Jan Cumps
Date Created: 9 Apr 2021 2:59 PM
Connect to AVNET iotconnect.io with Node-RED - part 8a: safer connect with Self Signed Certificates

Jan Cumps
9 Apr 2021

AVNET's iotconnect.io cloud platform is an online service that you can send data to and then show on a dashboard. In this blog series I'm learning how to talk to it with Node-RED.

In this post: authentication with a Self Signed Certificate.

This is a good step forward in safety, but not as good as proper CA certificates. Those will be covered in a later post.

Scenario:

I want to improve authentication safety.

In all the previous posts, I used the customer id (CPID) and device unique ID.

Now I'll use additional verification: certificates.

They are self-signed, generated by the AVNET IoTConnect server.

In Node-RED, I'll use these certificates when making the connection. They must be valid and have to match the ones linked to the device.

Steps:

Generate an IoTConnect template with security option: Self Signed.

Generate a new Device, and link it to that template. The server will generate the certificates for us at that point.

Save the 3 components that are needed as text files:

  • root certificate,
  • device certificate and
  • device private key.

Create a Node-RED flow to test this, and try.

The complexity of this scenario is low. Everything is prepared for you.

Create Template with Self Signed Certificate authentication

Save, then add at least one attribute. I've been using Temperature in all the previous posts. I'll stick to it.

Save. You now have a minimal working template set up for self signed certificate authentication.

Create Device and Get the Certificates

You can now create a device, using that template.

Because the template is set up for self signed certificate authentication, the portal will create the certificate chain and keys now.

Don't forget to click on the certificate icon and get all the info. This is the only chance.

The system asks you to generate a password for the certificates.

Enter one, press Generate.

A pop-up shows with all the info needed to connect.

This is linked to your device on the cloud. You have to use this certificate collection to log on from Node-RED, or the connection will fail (and that is good).

You end up with 3 files:

  • client.key (key),
  • client.pem (cert),
  • CA.pem (root certificate)

They have to be available to Node-RED.

I placed those on the client that's running Node-RED ("the device", an AVNET Smartedge IIOTGateway):

/home/avnet/.iotconnect/.selfsigned/client.key

/home/avnet/.iotconnect/.selfsigned/client.pem

/home/avnet/.iotconnect/.selfsigned/CA.pem

Then I copied my existing Node-RED flow from the previous posts, and replaced the Unique ID in the injection and IoTConnect nodes with the unique ID of our device here.

If you want to see the Thumbprint later and didn't store it: no worries. You can retrieve it from the certificate:

openssl x509 -fingerprint -in client.pem
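
A pre-flight check for the three files above before Node-RED uses them, added here as an example and not part of the original post: it confirms that client.key belongs to client.pem, that the certificates are not about to expire, that the key file is private to its owner, and prints the thumbprint. KEY_PASS (the key password, if the key file is encrypted), the 30-day threshold and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for the
# credential files saved from the portal, before Node-RED uses them.
export KEY_PASS="${KEY_PASS:-}"   # hypothetical variable: key password, if any

# The private key must belong to the certificate: compare their public keys.
key_matches_cert() {  # $1 = certificate, $2 = private key
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate will still be valid $2 days from now.
cert_valid_for_days() {  # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-1 thumbprint as bare hex, without the label and colons openssl prints.
cert_thumbprint() {  # $1 = certificate
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr -d ':'
}

# True when neither group nor others have any permission on the key file.
key_is_private() {  # $1 = private key
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Run every check on one directory; returns non-zero if any check fails.
preflight() {  # $1 = directory holding client.key, client.pem, CA.pem
  local d="$1" rc=0 f
  for f in client.key client.pem CA.pem; do
    [ -r "$d/$f" ] || { echo "FAIL missing or unreadable: $d/$f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  key_matches_cert "$d/client.pem" "$d/client.key" \
    || { echo "FAIL client.key does not match client.pem"; rc=1; }
  cert_valid_for_days "$d/client.pem" 30 \
    || { echo "FAIL client.pem expires within 30 days"; rc=1; }
  cert_valid_for_days "$d/CA.pem" 30 \
    || { echo "FAIL CA.pem expires within 30 days"; rc=1; }
  key_is_private "$d/client.key" \
    || { echo "FAIL client.key is accessible to group/others (chmod 600)"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK thumbprint $(cert_thumbprint "$d/client.pem")"
  return "$rc"
}

# Directory from the post; nothing runs if it does not exist on this machine.
CERT_DIR="${CERT_DIR:-/home/avnet/.iotconnect/.selfsigned}"
if [ -d "$CERT_DIR" ]; then preflight "$CERT_DIR"; fi
```

Run it as the user that runs Node-RED, with CERT_DIR set if the files live somewhere other than the directory used in the post.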

 

 

Refer to this post for the correct ACK handling.

Deploy and enjoy.

The connection is successful when the IoTConnect node shows "connected" under its icon.

Here's the result of sending a temperature.

This is a good step up from the previous authentication. More to follow.

The Python SDK with On Semiconductor RSL10 BLE article series
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices

The Node-RED SDK article series
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificates
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply Chain
part 9b: IIoT supply chain and Certificates - Create Ca Root certificate, Load to IoTConnect Cloud and Validate
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your Subcontractor
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your Device
part 9e: IIoT supply chain and Certificates - Test!
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) Security
Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security

The Automate Device Provisioning and Cloud Configuration article series
Automatic Provisioning with REST API

Top Comments

  • Jan Cumps over 4 years ago in reply to Jan Cumps

    Write-down of authentication with CA backed certificates: Connect to AVNET iotconnect.io with Node-RED - part 8b: safer connect with CA certificates

    This article tries to make certificates understandable. Ping me if that isn't true.

  • Jan Cumps over 4 years ago in reply to Jan Cumps

    I solved this.

    The CN of the client certificate has to be "CPID-UNIQUEID" it seems ...

    It works, so that makes me happy.

    What I'm not yet sure I am happy about: the CPID is private info.

    If you execute this command on the public certificate:

    openssl x509 -text -in e14cacert1_2.pem

    it shows that attribute in readable format.

    But I may be wrong and there is another reason why it started working ....

  • Jan Cumps over 4 years ago

    Initially, I intended to skip self signed certificates, and step directly to CA generated ones.

    But I spent a day trying and didn't get a working connection.

    You need 3 sets of artifacts:

    • a root CA certificate-key pair
    • a proof of ownership (validation) certificate generated by that root CA and its private key
    • a client certificate-key pair, also generated by that root CA and its private key

    I'm successful with step one and 2.

    I can create a root certificate and its key, then upload it to the IoTConnect servers.

    This generates a challenge token. You need to generate the validation certificate with the challenge as the certificate's common name. Then upload that to the server.

    If that's successful, the CA certificate is accepted as a source for client certificates.

    As you can see, I've been quite busy:

    Certificate 2 and 3 are trials with OpenSSL on Linux.

    The first one is generated on Windows - following Azure's instructions (IoTConnect runs on Azure servers and stack).

    Each time the results are the same: the validation certificate is OK. It marks the CA as verified on the server.

    (I also did negative tests: on purpose gave wrong info in the verify certificate, to see if the validation is real. It is real).

    But the client can't connect with the client certificate I generate:

    I've entered a support request for IoTConnect support:

    I am able to connect a device with the CPID/Unique ID combination, and with a Self Signed certificate

    https://www.element14.com/community/community/applications/industrial-automation-space/blog/2021/04/09/connect-to-avnet-iotconnectio-with-node-red-part-8a-safer-connect-with-certificates

    I am also able to generate and upload a CA certificate to the portal, then generate a validation certificate and validate the CA successfully.

    However, when I create a CA template, then a device that uses that template and my verified CA, it fails to connect from Node-RED.

    symptom:

    Node shows as disconnected.

    Node-RED log: Connection closed ::: DeviceId :: *********************-e14cacert1 :: 2021-04-09T15:19:39.818Z

    I created the client certificate and key in a similar way as the verification certificate I used to prove that I own the CA certificate.