Connect to AVNET iotconnect.io with Node-RED - part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your Device

Author: Jan Cumps
Date Created: 13 Apr 2021 8:10 PM
659 views, 3 likes, 1 comment
Tags: node_red, openssl, iotconnect.io

For context, check the intro post.


Summary: how to use signed certificates in an IoT supply chain without handing your private keys to your subcontractor.

At the end of this post, you will have completed 90% of the end-to-end process.

You, as subcontractor Louisiana Branch, will generate and sign certificates for Things on behalf of the conglomerate United States Manufacturing.


No private keys are shared. The subcontractor generates the certificates, one for each Thing.

We, as Root CA, only allow devices on our cloud that present a valid certificate chain and are provisioned.

The validation part (the focus of this saga) is portable across cloud solutions.


Subcontractor Generates Thing Certificate


This is what the whole story was written for: generate a unique, valid key pair for each device we want to sell.

A key pair that can be validated by our Root public certificate.

A key pair that can be generated by any subcontractor we have an agreement (trust contract) with.

Without sharing our private key and its password with anyone.

Traceable end to end.


Create a Key Pair for the Thing


I've consistently used Certificate and Private Key in the series. But we're at the end, time to loosen up.

Loosely speaking, a certificate stands in for the public key: it wraps that public key together with the Thing's name and the CA's signature. A certificate + private key is a key pair.

Key pairs are used to authenticate. Let's make one for the Thing that will be installed in New Orleans, LA.


In this post you will see a code in front of the Thing's unique name, neworleans.

That is IoTConnect.io specific. The unique name is formed by the CPID (a code you get when enrolling; I obfuscated mine) and the unique name you define for your device, separated by a '-'.


You are now pretending you are the subcontractor.


Create a key


This key does not have a password associated with it. The chmod 400 below, which makes the file readable by its owner only, is the only protection it gets on disk.


# 2048-bit RSA private key for the Thing, no passphrase
openssl genrsa \
      -out louisiana/private/b***2-neworleans.key.pem 2048
# owner read-only: the key never leaves this directory unencrypted
chmod 400 louisiana/private/b***2-neworleans.key.pem


Create a certificate


First the request.

The Common Name has to be the unique name of the Thing on the cloud:

CN: b***2-neworleans


# certificate signing request; openssl prompts for the subject fields, CN = the Thing's unique name
openssl req -config louisiana/openssl.cnf \
      -key louisiana/private/b***2-neworleans.key.pem \
      -new -sha256 -out louisiana/csr/b***2-neworleans.csr.pem


Then the certificate, signed by the Intermediate CA private key (the subcontractor's key).


# sign the request with the Intermediate CA; usr_cert = end-entity extensions, valid for 375 days
openssl ca -config louisiana/openssl.cnf \
      -extensions usr_cert -days 375 -notext -md sha256 \
      -in louisiana/csr/b***2-neworleans.csr.pem \
      -out louisiana/certs/b***2-neworleans.cert.pem
# the certificate is public: world-readable is fine
chmod 444 louisiana/certs/b***2-neworleans.cert.pem


Verify the certificate


# the CA database: one line per issued certificate (status, expiry, serial, subject)
cat louisiana/index.txt

# dump the certificate: check the subject CN, validity and issuer
openssl x509 -noout -text \
      -in louisiana/certs/b***2-neworleans.cert.pem

# ca-chain.cert.pem holds the Intermediate and Root certificates, so the whole path is checked
openssl verify -CAfile louisiana/certs/ca-chain.cert.pem \
      louisiana/certs/b***2-neworleans.cert.pem


Create Full Certification Chain File


# device certificate first, then the CA chain: this is what the device presents when it connects
cat \
      louisiana/certs/b***2-neworleans.cert.pem \
      louisiana/certs/ca-chain.cert.pem \
      > louisiana/certs/b***2-neworleans-chain.cert.pem
chmod 444 louisiana/certs/b***2-neworleans-chain.cert.pem
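The openssl steps above, replayed end to end as an added example that is not from the post or from IoTConnect.io: a Go program, standard library only, that builds the Root, lets the conglomerate sign the subcontractor's Intermediate, lets the subcontractor sign the Thing using nothing but its own key, and then checks the result the way the cloud does, trusting nothing except the Root certificate. It also shows the two ways this goes wrong: presenting the bare Thing certificate without the chain file, and a supplier with no trust contract presenting a chain from a CA the Root never signed. The CA names, the CPID-style name b***2-neworleans and the serial numbers are constructed for the example; it uses P-256 keys in memory instead of RSA keys and the openssl.cnf directory layout, which changes nothing about how the chain validates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const ThingCN = "b***2-neworleans" // constructed for this example, in the post's CPID-name form

// newKey returns a fresh P-256 key (the post uses RSA 2048; the chain logic is identical).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a CA or leaf certificate template; the leaf lifetime mirrors the post's -days 375.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	usage, days := x509.KeyUsageDigitalSignature, 375
	if isCA {
		usage, days = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, 10*365
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
}

// issue signs tmpl for pub with the signer's key; pass parent == tmpl to self-sign (the Root CA).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// bundle concatenates certificates into one PEM blob, leaf first, like the cat command in the post.
func bundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// BuildSupplyChain replays parts 9b-9d: the conglomerate self-signs a Root and signs the subcontractor's
// Intermediate from its CSR; the subcontractor alone signs the Thing, so the Root key is never shared and
// is not touched in that last step. It returns the Root certificate (all the cloud trusts), the full chain
// file, the bare Thing certificate, and a chain from a "rogue" supplier with no trust contract: a self-made
// CA the Root never signed, issuing a Thing certificate that reuses the legitimate CN.
func BuildSupplyChain() (root *x509.Certificate, chainPEM, leafOnlyPEM, roguePEM []byte) {
	rootKey, subKey, thingKey, rogueKey, fakeKey := newKey(), newKey(), newKey(), newKey(), newKey()
	rootTmpl, rogueTmpl := template("United States Manufacturing Root CA", 1, true), template("Rogue CA", 10, true)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(template("Louisiana Branch Intermediate CA", 2, true), root, &subKey.PublicKey, rootKey)
	thing := issue(template(ThingCN, 3, false), inter, &thingKey.PublicKey, subKey)
	rogue := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	fake := issue(template(ThingCN, 11, false), rogue, &fakeKey.PublicKey, rogueKey)
	return root, bundle(thing, inter), bundle(thing), bundle(fake, rogue)
}

// VerifyChainPEM is the cloud-side check: trust only the Root, chain the first certificate in the
// file through whatever intermediates follow it, and insist on the CN of the provisioned Thing.
func VerifyChainPEM(root *x509.Certificate, pemBundle []byte, expectCN string) error {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(pemBundle); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 || certs[0].Subject.CommonName != expectCN {
		return fmt.Errorf("bundle does not start with a certificate for %q", expectCN)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, chain, leafOnly, rogue := BuildSupplyChain()
	fmt.Println(VerifyChainPEM(root, chain, ThingCN), VerifyChainPEM(root, leafOnly, ThingCN), VerifyChainPEM(root, rogue, ThingCN)) // <nil>, then two errors
}
```

Note the difference between the two verifications: the post's `openssl verify -CAfile louisiana/certs/ca-chain.cert.pem` runs at the subcontractor and trusts the Intermediate directly, so the bare Thing certificate passes there. The cloud trusts only the Root, which is why VerifyChainPEM rejects the leaf-only bundle and why the -chain file has to carry the Intermediate along. The rogue case is the trust contract at work: a CA that the Root never signed can put the right CN in a certificate, but no path leads back to the Root, so the device is refused.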


The subcontractor now has everything needed for a successful connection:

  • device public certificate chain: b***2-neworleans.cert.pem
  • device private key: b***2-neworleans.key.pem
  • Root CA certificate ca.cert.pem


What Have You Achieved: 90%


Previous posts:

You generated and installed a root certificate on IoTConnect Cloud.

You built a major part of the infrastructure that you will later use to generate the intermediate certificates.


The subcontractor generated a private key and a certificate request, and gave you the request file.

You generated the intermediate CA certificate and signed it with your Root CA private key.

You gave the certificate, your own root certificate, and the chain up to that point to the supplier.


This post:

The subcontractor generated and collected all artifacts needed to authenticate a unique device for you.


Next article: test, with a Node-RED flow, on a Raspberry Pi style device.


The Python SDK with On Semiconductor RSL10 BLE article series
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices
The NODE-Red SDK article series
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificates
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply Chain
part 9b: IIoT supply chain and Certificates - Create CA Root certificate, Load to IoTConnect Cloud and Validate
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your Subcontractor
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your Device
part 9e: IIoT supply chain and Certificates - Test!
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) Security
Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security
The Automate Device Provisioning and Cloud Configuration article series
Automatic Provisioning with REST API

Top Comments

Jan Cumps over 4 years ago (+1)

For @self: (screenshots)