Table of contents:Generate RootCA key
Bosch IoT Rollouts supports device authentication with client certificates. This guide demonstrates how to leverage this feature on Rollouts EU-1 and EU-2.
Applicable to Rollouts customers in following regions
A booked Bosch IoT Rollouts service instance on EU-1 or US-1.
You have OpenSSL and a curl with OpenSSL support installed on your client machine.
On MAC OS X this can be achieved with:
$ brew install curl-openssl
$ export PATH=/usr/local/opt/curl/bin:$PATH
Generate a RootCA
$ openssl genrsa -out rootCA.key
Note: The Common Name (CN) shouldn’t be empty.
$ openssl req -x509 -
-nodes -key rootCA.key -sha256 -days
Generate and sign the device client certificate
$ openssl genpkey -algorithm RSA -out client.key -aes256
When creating the certificate signing request (CSR), the Common Name (CN) has to be equal to the desired controllerID in Rollouts, e.g. in this example testDevice01.
Note: The CN is case sensitive.
$ openssl req -
-key client.key -out client.csr
Then, sign the device client certificate:
$ openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days
Check the signed certificate
$ openssl x509 -in client.cer -text -noout
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=Rollouts Test CA/emailAddress=service-rollouts
Not Before: Mar
Not After : Mar
Subject: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=testDevice01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (
Get fingerprint of root CA
This step depends on the Rollouts environment (EU-1/US-1 vs. EU-2).
Bosch IoT Rollouts on AWS (EU-1/US-1)
In Bosch IoT Rollouts on AWS, you need to extract the SHA-256 fingerprint:
openssl x509 -noout -fingerprint -sha256 -inform pem -in caroot.cer
Expected result is something similar to:
Enter fingerprint into your Rollouts tenant configuration
Enter the fingerprint of the previous step into the UI.
Combine certificate and chain into one file
For authentication, the device needs to send the entire certificate chain along with the request. Bosch IoT Rollouts will then validate the certificate chain and extract the fingerprints from all certificates. To finally establish trust with the client certificate provided by the device, the root or intermediate CA’s certificate fingerprint is checked against the fingerprint that is stored in the tenant configuration.
To assemble the certificate chain, you can concatenate the single .cer files:
$ cat client.cer caroot.cer > chain.cer
Run DDI query leveraging the certificate
You can now send requests to DDI by attaching the certificate chain file. Note that the certificate-enabled DDI base URL depends on the Rollouts region (EU-1/US-1 vs. EU-2).
For EU-1, the DDI base URL that supports certificate-based authentication is
For US-1, the DDI base URL that supports certificate-based authentication is
DDI query example for Bosch IoT Rollouts on EU-1
$ curl --include --insecure --cert ./chain.cer --key ./client.key --pass