Set up client certificate-based authentication for devices
Table of contents:Generate RootCA key
Introduction
Bosch IoT Rollouts supports device authentication with client certificates. This guide demonstrates how to leverage this feature on Bosch IoT Rollouts.
Applicable to Rollouts customers in following regions
EU-1 (AWS)
US-1 (AWS)
Prerequisites
A booked Bosch IoT Rollouts service instance on EU-1 or US-1.
You have OpenSSL and a curl with OpenSSL support installed on your client machine.
On MAC OS X this can be achieved with:
$ brew install curl-openssl$ export PATH=/usr/local/opt/curl/bin:$PATHGenerate a RootCA
$ openssl genrsa -out rootCA.key 2048Note: The Common Name (CN) shouldn’t be empty.
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pemGenerate and sign the device client certificate
$ openssl genpkey -algorithm RSA -out client.key -aes256When creating the certificate signing request (CSR), the Common Name (CN) has to be equal to the desired controllerID in Rollouts, e.g. in this example testDevice01.
Note: The CN is case sensitive.
$ openssl req -new -key client.key -out client.csrThen, sign the device client certificate:
$ openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 356 -sha256Check the signed certificate
$ openssl x509 -in client.cer -text -nooutCertificate: Data: Version: 1 (0x0) Serial Number: 4661 (0x1235) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=Rollouts Test CA/emailAddress=service-rollouts@bosch-si.com Validity Not Before: Mar 28 07:30:55 2017 GMT Not After : Mar 28 07:30:55 2018 GMT Subject: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=testDevice01 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit)...Get fingerprint of root CA
In Bosch IoT Rollouts on AWS, you need to extract the SHA-256 fingerprint:
openssl x509 -noout -fingerprint -sha256 -inform pem -in caroot.cer Expected result is something similar to:
SHA256 Fingerprint=D3:D0:ED:F2:A8:98:90:0F:53:16:D0:5D:08:F7:C0:0E:BB:6A:5E:C6:3D:C4:E5:86:88:D8:2A:E2:4A:72:86:40Enter fingerprint into your Rollouts tenant configuration
Enter the fingerprint of the previous step into the UI.
Combine certificate and chain into one file
For authentication, the device needs to send the entire certificate chain along with the request. Bosch IoT Rollouts will then validate the certificate chain and extract the fingerprints from all certificates. To finally establish trust with the client certificate provided by the device, the root or intermediate CA’s certificate fingerprint is checked against the fingerprint that is stored in the tenant configuration.
To assemble the certificate chain, you can concatenate the single .cer files:
$ cat client.cer caroot.cer > chain.cerRun DDI query leveraging the certificate
You can now send requests to DDI by attaching the certificate chain file. Note that the certificate-enabled DDI base URL depends on the Rollouts region (EU-1 or US-1).
For EU-1, the DDI base URL that supports certificate-based authentication is
device-cert.eu1.bosch-iot-rollouts.comFor US-1, the DDI base URL that supports certificate-based authentication is
device-cert.us1.bosch-iot-rollouts.comDDI query example for Bosch IoT Rollouts on EU-1
$ curl --include --insecure --cert ./chain.cer --key ./client.key --pass 'YourPrivateKeyPassword' https://device-cert.eu1.bosch-iot-rollouts.com/YOUR-TENANT/controller/v1/testDevice01Expected result:
{ "config": { "polling": { "sleep": "00:00:20" } }, "_links": { "configData": { "href": "https://device-cert.eu1.bosch-iot-rollouts.com/YOUR-TENANT/controller/v1/testDevice01/configData" } }}