Support multiple tenants using the same trusted CA certificate

Until now, the CA certificate was tenant-unique and could be used only within the scope of a single subscription. This was a strict requirement when authenticating with client certificates. However, large-scale organizations may have multiple tenants within their setup, such as separate tenants for development, testing, and production purposes. As device authentication may be needed through the different stages, and respectively tenants, Bosch IoT Hub has simplified the workflow by allowing the possibility to authenticate multiple tenants with a single organization-wide CA certificate.

This CA certificate sharing is realized by creating a trusted group where you provide the tenant IDs of the tenants that will be allowed to share the CA certificate. When the CA certificate is unique per tenant, the identification of tenant ID during device authentication is fulfilled on the basis of the subject-dn of the CA certificate. Tenant grouping, on the other hand, enables a client organization to share a CA certificate between different tenants. In such cases, the identification of tenant ID during device authentication is fulfilled on the basis of the Server Name Indication (SNI) during the TLS handshake. For that purpose, the unique tenant identifier tenant-alias must be provided as a prefix to the SNI.

• Read more about certificate-based authentication and grouping tenants in Device authentication.

• Learn how to enable CA certificate sharing at Support multiple tenants using the same trusted CA certificate.