Set up client certificate-based authentication for devices
Introduction
Bosch IoT Rollouts supports device authentication with client certificates. This guide demonstrates how to leverage this feature on Bosch IoT Rollouts.
Applicable to Rollouts customers in following regions
EU-1 (AWS)
US-1 (AWS)
Prerequisites
A booked Bosch IoT Rollouts service instance on EU-1 or US-1.
You have OpenSSL and a curl with OpenSSL support installed on your client machine.
On macOS this can be achieved with:
$ brew install curl-openssl
$ export PATH=/usr/local/opt/curl/bin:$PATH
Generate a RootCA
$ openssl genrsa -out rootCA.key 2048
Note: The Common Name (CN) shouldn’t be empty.
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Generate and sign the device client certificate
$ openssl genpkey -algorithm RSA -out client.key -aes256
When creating the certificate signing request (CSR), the Common Name (CN) has to be equal to the desired controllerId in Rollouts, e.g. testDevice01 in this example.
Note: The CN is case sensitive.
$ openssl req -new -key client.key -out client.csr
Then, sign the device client certificate:
$ openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 356 -sha256
Check the signed certificate
$ openssl x509 -in client.cer -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4661 (0x1235)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=Rollouts Test CA/emailAddress=service-rollouts@bosch-si.com
        Validity
            Not Before: Mar 28 07:30:55 2017 GMT
            Not After : Mar 28 07:30:55 2018 GMT
        Subject: C=DE, ST=BW, L=WA, O=Bosch.IO GmbH, OU=Rollouts, CN=testDevice01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
...
Get fingerprint of root CA
In Bosch IoT Rollouts on AWS, you need to extract the SHA-256 fingerprint:
$ openssl x509 -noout -fingerprint -sha256 -inform pem -in caroot.cer
Expected result is something similar to:
SHA256 Fingerprint=D3:D0:ED:F2:A8:98:90:0F:53:16:D0:5D:08:F7:C0:0E:BB:6A:5E:C6:3D:C4:E5:86:88:D8:2A:E2:4A:72:86:40
Enter fingerprint into your Rollouts tenant configuration
Enter the fingerprint from the previous step into the tenant configuration in the UI.
Combine certificate and chain into one file
For authentication, the device needs to send the entire certificate chain along with the request. Bosch IoT Rollouts then validates the certificate chain and extracts the fingerprints of all certificates in it. To finally establish trust in the client certificate presented by the device, the fingerprint of the root or intermediate CA certificate is compared against the fingerprint stored in the tenant configuration.
To assemble the certificate chain, you can concatenate the single .cer files:
$ cat client.cer caroot.cer > chain.cer
Run DDI query leveraging the certificate
You can now send requests to DDI by attaching the certificate chain file. Note that the certificate-enabled DDI base URL depends on the Rollouts region (EU-1 or US-1). The --insecure flag in the example below disables curl's verification of the server certificate; omit it once the server's CA is trusted by your curl installation.
For EU-1, the DDI base URL that supports certificate-based authentication is
device-cert.eu1.bosch-iot-rollouts.com
For US-1, the DDI base URL that supports certificate-based authentication is
device-cert.us1.bosch-iot-rollouts.com
DDI query example for Bosch IoT Rollouts on EU-1
$ curl --include --insecure --cert ./chain.cer --key ./client.key --pass 'YourPrivateKeyPassword' https://device-cert.eu1.bosch-iot-rollouts.com/YOUR-TENANT/controller/v1/testDevice01
Expected result:
{
  "config": {
    "polling": {
      "sleep": "00:00:20"
    }
  },
  "_links": {
    "configData": {
      "href": "https://device-cert.eu1.bosch-iot-rollouts.com/YOUR-TENANT/controller/v1/testDevice01/configData"
    }
  }
}
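As an added example (not part of the Bosch guide), the following POSIX shell script runs the steps above from root CA to chain file and performs the checks worth doing before sending the curl request: that the device certificate verifies against the root CA, that the leaf CN equals the controllerId exactly (it is case sensitive), and that the SHA-256 fingerprint of the root CA is in the colon-separated form the tenant configuration expects. The CA subject, the working directory and the controllerId testDevice01 are assumptions; keys are generated unencrypted for the test, unlike the guide's -aes256 client key.

```shell
#!/bin/sh
# Added example, not from the Bosch IoT Rollouts documentation.
set -eu

# Create a root CA and a device certificate whose CN is the controllerId ($2)
# in directory $1, then assemble the chain file the device will present.
make_device_certs() {
  dir="$1"; ctrl_id="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
    -subj "/O=Example/CN=Example Rollouts Test CA" -out "$dir/rootCA.pem" 2>/dev/null
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  # The CSR subject carries the controllerId as CN (assumed value).
  openssl req -new -key "$dir/client.key" -subj "/O=Example/CN=$ctrl_id" \
    -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -days 365 -sha256 -out "$dir/client.crt" 2>/dev/null
  # Leaf first, then the CA: the order Rollouts expects in the chain file.
  cat "$dir/client.crt" "$dir/rootCA.pem" > "$dir/chain.pem"
}

# Print the CN of the first certificate in a PEM file (the leaf of a chain file).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 fingerprint of a CA certificate, as pasted into the tenant configuration.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -inform pem -in "$1" | sed 's/^.*=//'
}

# Exit 0 if the leaf chains up to rootCA.pem and its CN equals $2 byte for byte;
# 1 if the chain does not verify, 2 if the CN does not match the controllerId.
check_chain() {
  dir="$1"; ctrl_id="$2"
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/client.crt" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$dir/chain.pem")" = "$ctrl_id" ] || return 2
  return 0
}
```

Run make_device_certs, then check_chain, before pointing curl at the chain file; a status of 2 means the CN will not map to the intended controllerId in Rollouts.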