element14 Community
element14 Community
    Register Log In
  • Site
  • Search
  • Log In Register
  • About Us
  • Community Hub
    Community Hub
    • What's New on element14
    • Feedback and Support
    • Benefits of Membership
    • Personal Blogs
    • Members Area
    • Achievement Levels
  • Learn
    Learn
    • Ask an Expert
    • eBooks
    • element14 presents
    • Learning Center
    • Tech Spotlight
    • STEM Academy
    • Webinars, Training and Events
    • Learning Groups
  • Technologies
    Technologies
    • 3D Printing
    • FPGA
    • Industrial Automation
    • Internet of Things
    • Power & Energy
    • Sensors
    • Technology Groups
  • Challenges & Projects
    Challenges & Projects
    • Design Challenges
    • element14 presents Projects
    • Project14
    • Arduino Projects
    • Raspberry Pi Projects
    • Project Groups
  • Products
    Products
    • Arduino
    • Avnet Boards Community
    • Dev Tools
    • Manufacturers
    • Multicomp Pro
    • Product Groups
    • Raspberry Pi
    • RoadTests & Reviews
  • Store
    Store
    • Visit Your Store
    • Choose another store...
      • Europe
      •  Austria (German)
      •  Belgium (Dutch, French)
      •  Bulgaria (Bulgarian)
      •  Czech Republic (Czech)
      •  Denmark (Danish)
      •  Estonia (Estonian)
      •  Finland (Finnish)
      •  France (French)
      •  Germany (German)
      •  Hungary (Hungarian)
      •  Ireland
      •  Israel
      •  Italy (Italian)
      •  Latvia (Latvian)
      •  
      •  Lithuania (Lithuanian)
      •  Netherlands (Dutch)
      •  Norway (Norwegian)
      •  Poland (Polish)
      •  Portugal (Portuguese)
      •  Romania (Romanian)
      •  Russia (Russian)
      •  Slovakia (Slovak)
      •  Slovenia (Slovenian)
      •  Spain (Spanish)
      •  Sweden (Swedish)
      •  Switzerland(German, French)
      •  Turkey (Turkish)
      •  United Kingdom
      • Asia Pacific
      •  Australia
      •  China
      •  Hong Kong
      •  India
      •  Korea (Korean)
      •  Malaysia
      •  New Zealand
      •  Philippines
      •  Singapore
      •  Taiwan
      •  Thailand (Thai)
      • Americas
      •  Brazil (Portuguese)
      •  Canada
      •  Mexico (Spanish)
      •  United States
      Can't find the country/region you're looking for? Visit our export site or find a local distributor.
  • Translate
  • Profile
  • Settings
Industrial Automation
  • Technologies
  • More
Industrial Automation
Blog Connect to AVNET iotconnect.io with Node-RED - part 8b: safer connect with CA certificates
  • Blog
  • Forum
  • Documents
  • Quiz
  • Events
  • Polls
  • Files
  • Members
  • Mentions
  • Sub-Groups
  • Tags
  • More
  • Cancel
  • New
Join Industrial Automation to participate - click to join for free!
  • Share
  • More
  • Cancel
Group Actions
  • Group RSS
  • More
  • Cancel
Engagement
  • Author Author: Jan Cumps
  • Date Created: 10 Apr 2021 12:25 AM Date Created
  • Views 944 views
  • Likes 2 likes
  • Comments 2 comments
  • iotconnect
  • avnet
  • smartedge
  • node_red
  • cloud
  • secure
  • openssl
  • iiotgateway
Related
Recommended

Connect to AVNET iotconnect.io with Node-RED - part 8b: safer connect with CA certificates

Jan Cumps
Jan Cumps
10 Apr 2021

AVNET's iotconnect.io cloud platform is an online service that you can use to send data to, and then show it on a dashboard. In this blog series I'm learning how to talk to it with Node-RED.

In this post: authentication with a CA generated certificate.

image

Refer to this post for the correct ACK handling.

This is a better step forward in the safety than the previous post, where we let the IoTConnect portal generate a self signed certificate. If you have proper key and certificate management processes, this is production class security.

 

This post has useful information about certificates. What is a Certification Authority Root certificate? How to generate it. How to generate client certificates. Building a chain of trust.

This is a practical implementation of a methodology that's used a lot. You can see it in operation here. And test it yourself at no cost.

 

 

What is a certification authority (CA)?

It's an organisation that can generate certificates. All certificates generated by that body can be traced back to it, and are validated by the CA's certificate.

In this article, you are the certification authority for your own certificates. You will generate the certificates and keys for your IoT devices.

Microsoft has a good explanation for using X.509 certificates in an IoT setting.

 

 

Create Root CA and Prove that You Control It

 

Like most "non-browser" solutions these days  that support certificate authorisation, you can be your own certification authority on IoTConnect.io.

The only requirement is that the server you are talking to recognises your root certificate as a Certification Authority (CA).

And you have to prove that. You will have to show IotConnect that you are the owner of the root certificate and its private key.

 

You can also use certificates you purchase for from a known certification authority. It does not add security, it adds trust.

In this case, it's you trusting yourself, so the value of using an external certification authority is not that big.

The story is different in other types of scenarios, where others have to trust you. In that case a certificate from one of the settled providers is an asset.

 

 

Generate the root CA certificate

 

This can be done on any device that has openSSL installed.

There is other software that can do this too. If you use another certification generator, post a blog with instructions for it.

 

mkdir ~/.iotconnect
cd ~/.iotconnect
mkdir .CA
cd .CA
openssl genrsa -des3 -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -sha256 -days 1825 -out CA.pem

 

I entered these attributes. None of them play a role in the certification chain. They are for identification:

 

Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels Capital District
Locality Name (eg, city) []:Schaarbeek
Organization Name (eg, company) [Internet Widgits Pty Ltd]:e14 review with certificates
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:e14 review with certificates
Email Address []:smartedge.element14@gmail.com

 

You need to provide a password. Take care to remember it. You 'll need it every time you generate certificates from this Certification Authority Root Certificate.

It's good practice to not share the password, nor the private keys generated in the activity here. Or in any activity you do with certificates. Make a habit of that.

Later in the process, whenever the command line asks to provide pass phrase for CA.key, this is the password you need to provide.

 

Load the CA root certificate to the IotConnect portal

 

The CA certificate will be used as a basis of trust by the IotConnect.io cloud services.

Any device that has a client certificate generated with this root certificate (and additionally is registered on IoTConnect and linked to this root certificate via its IotCOnnect Template) will be allowed to exchange data.

 

image

 

The certificate isn't trusted as a CA root when you upload it. It's merely stored.

More on the trust part later. Let's upload it first.

 

image

The not yet trusted certificate is on the server. I have to prove to the server that I have the password for this certificate (i.e.: it's mine).

You see that the status is "Pending":

image

 

Proof of Ownership

 

When I uploaded the CA root, the IoTConnect portal gave a challenge: a Verification code.

We need to show the service that we're able to generate a certificate from the CA root, where the certificate's common name (CN) is that verification code.

That's an exercise you can only complete if you have the CA root's password. I.e.: you own that certificate.

 

Let's generate that verification certificate. First the request:

 

openssl genrsa -out verify_ca.key 2048
openssl req -new -key verify_ca.key -out verify_ca.csr

 

This is a one-off certificate. Once the CA root is verified you can discard this.

You can neglect a number of parameters.

1589D3F9E31E82E3BA9B1CF78CD1F0DEC6A6FDEC736EB40C is the challenge verification code in my case.

You will get a different one when you upload your CA root certificate.

 

Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:1589D3F9E31E82E3BA9B1CF78CD1F0DEC6A6FDEC736EB40C
Email Address []:smartedge.element14@gmail.com

 

Then use the CA root to generate the verification cerificate:

 

openssl x509 -req -in verify_ca.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out verify_ca.crt -days 360
openssl x509 -in verify_ca.crt -out verify_ca.pem -outform PEM

 

Once generated, use it to verify the CA root on the portal:

 

image

 

Click the upload button at the right side of the table, select the verification certificate, then press Verify.

image

 

image

 

This is a first milestone. You are now a trusted certification authority for your organisation in IoTConnect.io.

All certificates you'll generate from now on will be trusted. Until the CA root certificate expires image.

 

Create a Template for CA authorised Devices, and a Device

 

You define the behaviour of a set of devices on IotConnect with a template.

One of its attributes is the way of authorisation.

 

Template

 

Let's create one for CA authorised devices:

 

image

 

Save, then create at least one attribute.

I'm staying consistent with the blog series and create a Temperature.

 

image

 

I try to explain all steps in my posts. But this one we've seen several times now. Please read the previous posts if this attribute declaration is a mistery.

Save again.

 

Device

 

Now register the Thing.

image

 

It uses the template that's just created. That means it will authenticate via certificate I'll generate, and can exchange Temperature.

 

Create a Client Certificate

 

Now it's time to create the client certificate and private key.

Both will be used by the Node-RED IotConnect node to log on, together with the original CA root certificate.

 

First the request:

 

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr

 

Feel free to provide or skip a number of attributes. The Common Name has to be <CPID-UniqueID>.

The unique ID is the one you just used when registering the device.

Your CPID (company ID) is available on the portal's Vault menu.

 

Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:<CPID>-e14noderedca
Email Address []:smartedge.element14@gmail.com

 

You'll do this regularly if you have a device farm. It's a good idea to script this.

Use the CA  to generate the certificate from the request:

 

openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.crt -days 360 
openssl x509 -in client.crt -out client.pem -outform PEM

 

All done now. You've generated a private key and a certificate for your thing.

 

Configure Node-RED and Test

 

The last activity is to use this for real.

First upload the certificates to your device that's running Node-RED:

Client key: client.key

Client certificate: client.pem

CA root certificate: CA.pem

 

You can use a copy of the Node-RED Self-Service flow from the previous post to perform the test.

Just replace the UniqueID references in the Injection and IotConnect nodes with the one of the device you just created.

Point the x.509 attributes to the 3 files you copied over to the device:

 

image

Refer to this post for the correct ACK handling.

 

Deploy.

The IotConnect node should show a green flag.

Inject a payload, then go look at the IotConnect.io portal:

 

image

 

It works.

 

 

The Python SDK with On Semiconductor RSL10 BLE article seriesIndustry
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices
The NODE-Red SDK article seriesIndustry
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificatesY
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply ChainY
part 9b: IIoT supply chain and Certificates - Create Ca Root certificate, Load to IoTConnect Cloud and ValidateY
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your SubcontractorY
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your DeviceY
part 9e: IIoT supply chain and Certificates - Test!Y
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) SecurityY
Infineon SLx9670 Trusted Platform Module (TPM) for IoT SecurityY
The Automate Device Provisioning and Cloud Configuration article seriesIndustry
Automatic Provisioning with REST APIY
  • Sign in to reply
  • Jan Cumps
    Jan Cumps over 4 years ago in reply to Jan Cumps

    I have all security choices working now:

    image

     

    Thing authenticated using:

    1: customer key and device ID (good for prototyping)

    2: server self signed (good for prototyping)

    3: certificates signed by your CA root key (good for production)

    4: Trusted Platform Module certified (good for production, a hardware module soldered in your thing with unique key and signing capabilities)

    5: certificates signed by an intermediate certificate by your subcontractor (good for production if you outsource build and firmware programming)

     

    I'll elaborate on #5 in a dedicated blog, because there isn't that much step-by-step info.

    • Cancel
    • Vote Up 0 Vote Down
    • Sign in to reply
    • More
    • Cancel
  • Jan Cumps
    Jan Cumps over 4 years ago

    Today I learned how to generate an intermediate CA.

    It is a certificate that can be used to create new certificates (e.g.: for IoT Things), but is not your root certificate.

     

    If you outsource the programming of your devices to a 3rd party, you can make an intermediate certificate for that particular subcontracter.

    You don't have to share your root private key or password with them.

     

    The subcontracter can then generate the key-and-certificate pair for each device they program.

    There is traceability: it can be checked what intermediate certificate was used to create it.

    • Cancel
    • Vote Up 0 Vote Down
    • Sign in to reply
    • More
    • Cancel
element14 Community

element14 is the first online community specifically for engineers. Connect with your peers and get expert answers to your questions.

  • Members
  • Learn
  • Technologies
  • Challenges & Projects
  • Products
  • Store
  • About Us
  • Feedback & Support
  • FAQs
  • Terms of Use
  • Privacy Policy
  • Legal and Copyright Notices
  • Sitemap
  • Cookies

An Avnet Company © 2025 Premier Farnell Limited. All Rights Reserved.

Premier Farnell Ltd, registered in England and Wales (no 00876412), registered office: Farnell House, Forge Lane, Leeds LS12 2NE.

ICP 备案号 10220084.

Follow element14

  • X
  • Facebook
  • linkedin
  • YouTube