Bosch IoT Rollouts

Set up client certificate-based authentication for devices

Table of contents:Generate RootCA key


Bosch IoT Rollouts supports device authentication with client certificates. This guide demonstrates how to leverage this feature on Bosch IoT Rollouts.

Applicable to Rollouts customers in following regions

  • EU-1 (AWS)

  • US-1 (AWS)


  • A booked Bosch IoT Rollouts service instance on EU-1 or US-1.

  • You have OpenSSL and a curl with OpenSSL support installed on your client machine.

On MAC OS X this can be achieved with:

$ brew install curl-openssl
$ export PATH=/usr/local/opt/curl/bin:$PATH

Generate a RootCA

$ openssl genrsa -out rootCA.key 2048

Note: The Common Name (CN) shouldn’t be empty.

$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Generate and sign the device client certificate

$ openssl genpkey -algorithm RSA -out client.key -aes256

When creating the certificate signing request (CSR), the Common Name (CN) has to be equal to the desired controllerID in Rollouts, e.g. in this example testDevice01.

Note: The CN is case sensitive.

$ openssl req -new -key client.key -out client.csr

Then, sign the device client certificate:

$ openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 356 -sha256

Check the signed certificate

$ openssl x509 -in client.cer -text -noout
Version: 1 (0x0)
Serial Number: 4661 (0x1235)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=Rollouts Test CA/
Not Before: Mar 28 07:30:55 2017 GMT
Not After : Mar 28 07:30:55 2018 GMT
Subject: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=testDevice01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)

Get fingerprint of root CA

In Bosch IoT Rollouts on AWS, you need to extract the SHA-256 fingerprint:

openssl x509 -noout -fingerprint -sha256 -inform pem -in caroot.cer

Expected result is something similar to:

SHA256 Fingerprint=D3:D0:ED:F2:A8:98:90:0F:53:16:D0:5D:08:F7:C0:0E:BB:6A:5E:C6:3D:C4:E5:86:88:D8:2A:E2:4A:72:86:40

Enter fingerprint into your Rollouts tenant configuration

Enter the fingerprint of the previous step into the UI.


Combine certificate and chain into one file

For authentication, the device needs to send the entire certificate chain along with the request. Bosch IoT Rollouts will then validate the certificate chain and extract the fingerprints from all certificates. To finally establish trust with the client certificate provided by the device, the root or intermediate CA’s certificate fingerprint is checked against the fingerprint that is stored in the tenant configuration.

To assemble the certificate chain, you can concatenate the single .cer files:

$ cat client.cer caroot.cer > chain.cer

Run DDI query leveraging the certificate

You can now send requests to DDI by attaching the certificate chain file. Note that the certificate-enabled DDI base URL depends on the Rollouts region (EU-1 or US-1).

For EU-1, the DDI base URL that supports certificate-based authentication is

For US-1, the DDI base URL that supports certificate-based authentication is

DDI query example for Bosch IoT Rollouts on EU-1

$ curl --include --insecure --cert ./chain.cer --key ./client.key --pass 'YourPrivateKeyPassword'

Expected result:

"config": {
"polling": {
"sleep": "00:00:20"
"_links": {
"configData": {
"href": ""