Bosch IoT Device Management

Support multiple tenants using the same trusted CA certificate

By default, a CA certificate is tenant-unique and can be used only within the scope of a single subscription. However, large organizations may operate several tenants, such as separate tenants for development, testing, and production. As devices may need to authenticate at each of these stages, and therefore against each of these tenants, the workflow is simpler if they can be authenticated with a single organization-wide CA certificate. This CA certificate sharing is realized by creating a trusted anchor group in which you provide the tenant IDs of the tenants that are allowed to share the CA certificate.

When the CA certificate is unique per tenant, the tenant ID is identified during device authentication on the basis of the subject DN. Tenant grouping, on the other hand, lets a client organization share one CA certificate between different tenants, so the subject DN alone no longer identifies a single tenant. In such cases, the tenant ID is identified during device authentication on the basis of the Server Name Indication (SNI) sent by the device during the TLS handshake. For that purpose, the unique tenant identifier (the tenant alias) must be provided as the leftmost label of the SNI host name.

Labels in hostname

Labels in host names may consist only of letters, digits and hyphens. To be able to refer to tenants whose identifier contains other characters, an alias can be registered for the tenant. This alias can be used as an alternate identifier when looking up tenant configuration information.

Based on that, a tenant whose identifier is not a valid label, e.g. tenant_id (the underscore is not allowed in a host name), can be registered with the alias tenant-id and then be referred to by a device by including the host name tenant-id.mqtt.bosch-iot-hub.com in the SNI extension.

Enable tenants grouping

To enable this feature and share the same CA certificate among multiple tenants within your organization, follow the steps below:

  1. Create a trusted anchor group.
    Currently, you cannot create such groups on your own. Therefore, please contact us through our official
    support channel or via support@bosch.io. Provide the tenant IDs that you want to be grouped and we will create the new group on your behalf.

  2. Configure the SNI on the device side.
    The device uses the Server Name Indication extension during the TLS handshake. The SNI must contain a host name of the form tenant-alias.mqtt.bosch-iot-hub.com.
    See the TLS Extensions documentation for more information, and take into account the note above on the label format in host names.

  3. Upload the relevant CA certificate to each of the grouped tenants, following the common workflow.

  4. Proceed with creating your X.509 certificate credentials and registering your devices.

From then on, Bosch IoT Hub uses the SNI to identify the tenant ID within the group.
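The following is an added example, not Bosch's code or part of this documentation, showing both halves of the procedure above: on the device side, deriving the SNI host name from a tenant alias and rejecting identifiers that are not valid host-name labels (the tenant_id / tenant-id case from the note above); and, as a model of what the Hub does with the SNI, recovering the tenant ID from the host name the device presented. The alias table and certificate paths are constructed for illustration; port 8883 is assumed as the MQTT-over-TLS port.

```python
"""Added example (not Bosch's code): build and validate the SNI host name a
device presents when several tenants share one CA certificate, and resolve
the tenant ID from that SNI on the receiving side."""
import re
import socket
import ssl

MQTT_HOST = "mqtt.bosch-iot-hub.com"
MQTT_PORT = 8883  # assumption: standard MQTT-over-TLS port

# RFC 1123 host-name label: letters, digits and hyphens, 1-63 characters,
# neither starting nor ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed alias table standing in for the Hub's tenant configuration.
# "tenant_id" contains an underscore, which is not allowed in a host-name
# label, so it was registered with the alias "tenant-id" (as in the note above).
ALIASES = {"tenant-id": "tenant_id", "prod": "prod"}


def is_valid_label(label: str) -> bool:
    """True if `label` may be used as one label of a host name."""
    return bool(_LABEL_RE.match(label))


def sni_hostname_for(tenant_alias: str) -> str:
    """Host name the device must place in the SNI extension."""
    if not is_valid_label(tenant_alias):
        raise ValueError(
            f"{tenant_alias!r} is not a valid host-name label; register an alias"
        )
    return f"{tenant_alias}.{MQTT_HOST}"


def tenant_from_sni(sni: str, aliases=ALIASES):
    """Receiving side: resolve the tenant ID from the SNI host name.
    Returns None when the SNI carries no alias label, a malformed label,
    or an alias that is not registered."""
    suffix = "." + MQTT_HOST
    if not sni.endswith(suffix):
        return None
    label = sni[: -len(suffix)]
    if not is_valid_label(label):  # also rejects "a.b.<host>" (two labels)
        return None
    return aliases.get(label)


def make_client_context(cert_path: str, key_path: str) -> ssl.SSLContext:
    """TLS context presenting the device's X.509 credential (mutual TLS).
    cert_path/key_path are placeholders for the device certificate and key."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_path, key_path)
    return ctx


def connect(tenant_alias: str, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open the TLS connection; server_hostname is what ends up in the SNI
    extension, so the alias-prefixed name must be used here, not MQTT_HOST."""
    sni = sni_hostname_for(tenant_alias)
    raw = socket.create_connection((MQTT_HOST, MQTT_PORT))
    return ctx.wrap_socket(raw, server_hostname=sni)


if __name__ == "__main__":
    # Device side: the name to send (no network access needed for this part).
    print(sni_hostname_for("tenant-id"))
    # Receiving side: what the Hub derives from that name.
    print(tenant_from_sni("tenant-id.mqtt.bosch-iot-hub.com"))
    # Raw tenant ID with an underscore cannot be used directly.
    try:
        sni_hostname_for("tenant_id")
    except ValueError as e:
        print("rejected:", e)
```

Two points worth checking in practice: `server_hostname` is also the name Python verifies the server certificate against, so the endpoint's certificate must be valid for the alias-prefixed name (this page does not state how that is covered; verify it before disabling any hostname check), and an MQTT library such as paho sets the SNI from the host you connect to, so the alias-prefixed host name, not the bare endpoint, must be passed as the connection host.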

You can view your group as the trust-anchor-group parameter in the Bosch IoT Hub Management API by calling the GET /tenants/{tenant-id} method.