element14 Community
element14 Community
    Register Log In
  • Site
  • Search
  • Log In Register
  • About Us
  • Community Hub
    Community Hub
    • What's New on element14
    • Feedback and Support
    • Benefits of Membership
    • Personal Blogs
    • Members Area
    • Achievement Levels
  • Learn
    Learn
    • Ask an Expert
    • eBooks
    • element14 presents
    • Learning Center
    • Tech Spotlight
    • STEM Academy
    • Webinars, Training and Events
    • Learning Groups
  • Technologies
    Technologies
    • 3D Printing
    • FPGA
    • Industrial Automation
    • Internet of Things
    • Power & Energy
    • Sensors
    • Technology Groups
  • Challenges & Projects
    Challenges & Projects
    • Design Challenges
    • element14 presents Projects
    • Project14
    • Arduino Projects
    • Raspberry Pi Projects
    • Project Groups
  • Products
    Products
    • Arduino
    • Avnet Boards Community
    • Dev Tools
    • Manufacturers
    • Multicomp Pro
    • Product Groups
    • Raspberry Pi
    • RoadTests & Reviews
  • Store
    Store
    • Visit Your Store
    • Choose another store...
      • Europe
      •  Austria (German)
      •  Belgium (Dutch, French)
      •  Bulgaria (Bulgarian)
      •  Czech Republic (Czech)
      •  Denmark (Danish)
      •  Estonia (Estonian)
      •  Finland (Finnish)
      •  France (French)
      •  Germany (German)
      •  Hungary (Hungarian)
      •  Ireland
      •  Israel
      •  Italy (Italian)
      •  Latvia (Latvian)
      •  
      •  Lithuania (Lithuanian)
      •  Netherlands (Dutch)
      •  Norway (Norwegian)
      •  Poland (Polish)
      •  Portugal (Portuguese)
      •  Romania (Romanian)
      •  Russia (Russian)
      •  Slovakia (Slovak)
      •  Slovenia (Slovenian)
      •  Spain (Spanish)
      •  Sweden (Swedish)
      •  Switzerland(German, French)
      •  Turkey (Turkish)
      •  United Kingdom
      • Asia Pacific
      •  Australia
      •  China
      •  Hong Kong
      •  India
      •  Korea (Korean)
      •  Malaysia
      •  New Zealand
      •  Philippines
      •  Singapore
      •  Taiwan
      •  Thailand (Thai)
      • Americas
      •  Brazil (Portuguese)
      •  Canada
      •  Mexico (Spanish)
      •  United States
      Can't find the country/region you're looking for? Visit our export site or find a local distributor.
  • Translate
  • Profile
  • Settings
Industrial Automation
  • Technologies
  • More
Industrial Automation
Blog Connect to AVNET iotconnect.io with Node-RED - part 9e: IIoT supply chain and Certificates - Test!
  • Blog
  • Forum
  • Documents
  • Quiz
  • Events
  • Polls
  • Files
  • Members
  • Mentions
  • Sub-Groups
  • Tags
  • More
  • Cancel
  • New
Join Industrial Automation to participate - click to join for free!
  • Share
  • More
  • Cancel
Group Actions
  • Group RSS
  • More
  • Cancel
Engagement
  • Author Author: Jan Cumps
  • Date Created: 14 Apr 2021 6:50 PM Date Created
  • Views 669 views
  • Likes 3 likes
  • Comments 1 comment
Related
Recommended

Connect to AVNET iotconnect.io with Node-RED - part 9e: IIoT supply chain and Certificates - Test!

Jan Cumps
Jan Cumps
14 Apr 2021

For context, check the intro post.

 

Summary: How to use Signed Certificates in an IoT supply chain. Without giving away your private keys to your subcontractor.

At the end of this post, you completed 90% of the end-to-end process.

You, as subcontractor Louisiana Branch, will generate and sign certificates for Things, on behalf of the conglomerate United States Manufacturing.

 

image

 

 

 

Program the Thing

 

Your subcontractor will load the firmware on your device, install the certificates, provision the device on the cloud and test.

You have developed the firmware and handed it over to the vendor.

When they program it and load the certificates, they may also have to do some configurations.

Most vendors will script all of this, from certificate generation over firmware configuration to the load, provisioning and test, and do this as a step on the assembly line.

In this blog, I'll do it manually.

 

Upload the certificate artifacts. This is highly dependent on the device you have.

Some provide a dedicated memory area that can only be read by firmware.

Some have a key vault.

On Linux, place it in a folder that's only readable by the user that runs the firmware (here: the Node-RED service user).

In this scenario, we need the tree artifacts generated in the previous post.

 

Configure and load the firmware. In our case a json file with a Node-RED flow.

The automated script would automatically configure customer ID (cpId), unique ID, and if we use unique names for certificates, also those.

Then import in Node-RED.

 

[
   {
      "id":"38356517.efc10a",
      "type":"tab",
      "label":"IoTConnect New Orleans",
      "disabled":false,
      "info":""
   },
   {
      "id":"5139ef2a.05a86",
      "type":"IoTConnect",
      "z":"38356517.efc10a",
      "cpId":"1*****",
      "uniqueId":"neworleans",
      "env":"PROD",
      "auth":"2",
      "offlineStorageEnable":false,
      "sizeLimit":0,
      "fileCount":0,
      "sslKey":"/home/avnet/.iotconnect/.neworleans/1******-neworleans.key.pem",
      "sslCert":"/home/avnet/.iotconnect/.neworleans/1******-neworleans-chain.cert.pem",
      "sslCA":"/home/avnet/.iotconnect/.neworleans/ca.cert.pem",
      "idScope":"",
      "x":675,
      "y":200,
      "wires":[
         [
            "61178473.a0f70c",
            "e6dd8afb.945498"
         ],
         [
            "c56a4d18.5d2ea"
         ],
         [
            
         ]
      ],
      "l":false
   },
   {
      "id":"2196de99.bb4322",
      "type":"IoTConnect-Injector",
      "z":"38356517.efc10a",
      "iType":"SendData",
      "descText":"",
      "payload":"[\n    {\n        \"uniqueId\": \"\",\n        \"time\": \"2021-05-19T19:37:05.800Z\",\n        \"data\": {\n            \"temperature\": \"17\"\n        }\n    }\n]",
      "x":515,
      "y":200,
      "wires":[
         [
            "5139ef2a.05a86"
         ]
      ],
      "l":false
   },
   {
      "id":"b7e2b58e.e39608",
      "type":"inject",
      "z":"38356517.efc10a",
      "name":"",
      "props":[
         {
            "p":"payload"
         }
      ],
      "repeat":"",
      "crontab":"",
      "once":false,
      "onceDelay":0.1,
      "topic":"",
      "payload":"[{\"uniqueId\":\"neworleans\",\"data\":{\"temperature\":\"-1\"}}]",
      "payloadType":"json",
      "x":215,
      "y":200,
      "wires":[
         [
            "2196de99.bb4322"
         ]
      ],
      "l":false
   },
   {
      "id":"48b4e7be.38da88",
      "type":"random",
      "z":"38356517.efc10a",
      "name":"random temperature",
      "low":"-10",
      "high":"65",
      "inte":"true",
      "property":"payload[0].data.Temperature",
      "x":275,
      "y":240,
      "wires":[
         [
            "2196de99.bb4322"
         ]
      ],
      "l":false
   },
   {
      "id":"ebd0a829.213a98",
      "type":"inject",
      "z":"38356517.efc10a",
      "name":"",
      "props":[
         {
            "p":"payload"
         }
      ],
      "repeat":"3600",
      "crontab":"",
      "once":true,
      "onceDelay":0.1,
      "topic":"",
      "payload":"[{\"uniqueId\":\"neworleans\",\"data\":{\"temperature\":\"0\",\"latitude\":52.765929,\"longitude\":6.27153}}]",
      "payloadType":"json",
      "x":215,
      "y":240,
      "wires":[
         [
            "48b4e7be.38da88"
         ]
      ],
      "l":false
   },
   {
      "id":"aeba4e1c.0de5b",
      "type":"comment",
      "z":"38356517.efc10a",
      "name":"iotconnect.io \\n send",
      "info":"",
      "x":550,
      "y":140,
      "wires":[
         
      ]
   },
   {
      "id":"af31f3d5.073d",
      "type":"comment",
      "z":"38356517.efc10a",
      "name":"iotconnect.io \\n communicate",
      "info":"",
      "x":730,
      "y":140,
      "wires":[
         
      ]
   },
   {
      "id":"30c8ac63.5559d4",
      "type":"comment",
      "z":"38356517.efc10a",
      "name":"temperature",
      "info":"",
      "x":250,
      "y":160,
      "wires":[
         
      ]
   },
   {
      "id":"61178473.a0f70c",
      "type":"debug",
      "z":"38356517.efc10a",
      "name":"",
      "active":true,
      "tosidebar":true,
      "console":false,
      "tostatus":false,
      "complete":"true",
      "targetType":"full",
      "statusVal":"",
      "statusType":"auto",
      "x":955,
      "y":200,
      "wires":[
         
      ],
      "icon":"font-awesome/fa-bug",
      "l":false
   },
   {
      "id":"286ca1a4.4a214e",
      "type":"comment",
      "z":"38356517.efc10a",
      "name":"iotconnect.io \\n receive",
      "info":"",
      "x":970,
      "y":140,
      "wires":[
         
      ]
   },
   {
      "id":"c56a4d18.5d2ea",
      "type":"debug",
      "z":"38356517.efc10a",
      "name":"",
      "active":true,
      "tosidebar":true,
      "console":false,
      "tostatus":false,
      "complete":"true",
      "targetType":"full",
      "statusVal":"",
      "statusType":"auto",
      "x":775,
      "y":220,
      "wires":[
         
      ],
      "icon":"font-awesome/fa-bug",
      "l":false
   },
   {
      "id":"786abb8b.c1d6d4",
      "type":"IoTConnect-Injector",
      "z":"38356517.efc10a",
      "iType":"Disconnect",
      "descText":"",
      "payload":"",
      "x":250,
      "y":300,
      "wires":[
         [
            "5139ef2a.05a86"
         ]
      ]
   },
   {
      "id":"7c8682e9.dc959c",
      "type":"IoTConnect-Injector",
      "z":"38356517.efc10a",
      "iType":"SendCommandAck",
      "descText":"",
      "payload":"",
      "x":775,
      "y":300,
      "wires":[
         [
            "5139ef2a.05a86"
         ]
      ],
      "l":false
   },
   {
      "id":"e6dd8afb.945498",
      "type":"switch",
      "z":"38356517.efc10a",
      "name":"ACK?",
      "property":"payload.ack",
      "propertyType":"msg",
      "rules":[
         {
            "t":"true"
         },
         {
            "t":"false"
         }
      ],
      "checkall":"false",
      "repair":false,
      "outputs":2,
      "x":590,
      "y":340,
      "wires":[
         [
            "69158414.46415c"
         ],
         [
            "9a7ee3c.75f052"
         ]
      ]
   },
   {
      "id":"f2c5a2d1.4b0a",
      "type":"debug",
      "z":"38356517.efc10a",
      "name":"",
      "active":false,
      "tosidebar":true,
      "console":false,
      "tostatus":false,
      "complete":"\"ACK sent\"",
      "targetType":"jsonata",
      "statusVal":"",
      "statusType":"auto",
      "x":755,
      "y":340,
      "wires":[
         
      ],
      "icon":"font-awesome/fa-bug",
      "l":false
   },
   {
      "id":"9a7ee3c.75f052",
      "type":"debug",
      "z":"38356517.efc10a",
      "name":"",
      "active":false,
      "tosidebar":true,
      "console":false,
      "tostatus":false,
      "complete":"\"ACK not required\"",
      "targetType":"jsonata",
      "statusVal":"",
      "statusType":"auto",
      "x":755,
      "y":380,
      "wires":[
         
      ],
      "icon":"font-awesome/fa-bug",
      "l":false
   },
   {
      "id":"6965f124.a61b",
      "type":"comment",
      "z":"38356517.efc10a",
      "name":"receipt mgt",
      "info":"",
      "x":570,
      "y":381,
      "wires":[
         
      ]
   },
   {
      "id":"69158414.46415c",
      "type":"function",
      "z":"38356517.efc10a",
      "name":"",
      "func":"msg.payload['st']=6\nmsg.payload['msg']=\"ACK Success\"\nreturn msg;",
      "outputs":1,
      "noerr":0,
      "initialize":"",
      "finalize":"",
      "x":685,
      "y":321,
      "wires":[
         [
            "7c8682e9.dc959c",
            "f2c5a2d1.4b0a"
         ]
      ],
      "l":false
   }
]

image

Refer to this post for the correct ACK handling.

 

 

In parallel, another service at the subcontractor can use the IoTCloud REST API to provision the device on the cloud.

image

I may write a post on how to do that.

For the moment, I'm doing this manually in the portal:

image

It's also fast, but automation is better.

 

Test!

The subcontractor engages in testing. Manually or automatic.

image

 

Both Node-RED log and cloud portal report success.

image

 

 

In our case, this can also be scripted: start Node-RED and parse the output.

Or the IoTConnect REST API can be used to retrieve the status. This could again be done at the production line.

Successfully programmed devices can be packaged, failing ones binned in a rework container.

 

You can replicate this. With your Windows laptop, a Raspberry Pi, BB, ...

Try it.

 

 

The Python SDK with On Semiconductor RSL10 BLE article seriesIndustry
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices
The NODE-Red SDK article seriesIndustry
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificatesY
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply ChainY
part 9b: IIoT supply chain and Certificates - Create Ca Root certificate, Load to IoTConnect Cloud and ValidateY
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your SubcontractorY
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your DeviceY
part 9e: IIoT supply chain and Certificates - Test!Y
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) SecurityY
Infineon SLx9670 Trusted Platform Module (TPM) for IoT SecurityY
The Automate Device Provisioning and Cloud Configuration article seriesIndustry
Automatic Provisioning with REST APIY
  • Sign in to reply
  • Jan Cumps
    Jan Cumps over 4 years ago

    I have done additional tests last weekend.

    When I originally wrote this, I tried to see if the mechanism really checked if the signature matches a named device, and if at connection time it is validated if a device is signed by the expected certificate chain.

     

    I have now tried to see if I could spill over to another online entity (equals a company), if they happen to use the same Root CA provider.

    That is also working as expected. Even if 2 companies share and register the same Root certificate, the connection is rejected when a thing tries to connect to the other company.

     

    image

     

    image

     

    Good.

    • Cancel
    • Vote Up 0 Vote Down
    • Sign in to reply
    • More
    • Cancel
element14 Community

element14 is the first online community specifically for engineers. Connect with your peers and get expert answers to your questions.

  • Members
  • Learn
  • Technologies
  • Challenges & Projects
  • Products
  • Store
  • About Us
  • Feedback & Support
  • FAQs
  • Terms of Use
  • Privacy Policy
  • Legal and Copyright Notices
  • Sitemap
  • Cookies

An Avnet Company © 2025 Premier Farnell Limited. All Rights Reserved.

Premier Farnell Ltd, registered in England and Wales (no 00876412), registered office: Farnell House, Forge Lane, Leeds LS12 2NE.

ICP 备案号 10220084.

Follow element14

  • X
  • Facebook
  • linkedin
  • YouTube