Tencent Cloud IoT Hub

Certificate Management

Last updated: 2024-12-27 10:41:15

Overview

This document describes how to use the certificate management feature to quickly authenticate devices with private CA certificates.

Directions

To use a private certificate, you must first apply for a CA certificate from a certificate authority (CA) and then upload it to the IoT Hub platform.

Uploading certificate

1. Log in to the IoT Hub console and click Certificate Management on the left sidebar to view all CA certificates uploaded to the platform.
2. Click Add Certificate to add a new CA certificate. Then, enter and upload the relevant information of the certificate.
CA Certificate Name: It can contain up to 32 characters including letters, numbers, underscores, hyphens, and @.
Upload CA Certificate: Upload a CA certificate issued by a certificate authority. Only CER, CRT, and PEM files are allowed.
Authentication Code: Used to generate an authentication certificate.
Upload Certificate: Upload a verification certificate generated with the CA certificate's private key and the authentication code. The platform uses it to confirm that the uploaded CA certificate is valid and that you hold its private key. Only CER, CRT, and PEM files are allowed.
3. After successful upload, click Save, and the added CA certificate will be displayed in the list.
Note:
You can upload up to ten CA certificate files under one account.

Authenticating with custom CA certificate

1. Log in to the IoT Hub console, click Products > Create Product on the left sidebar, and enter the following information.
Region: It is Guangzhou by default.
Product Type: Select General.
Product Name: Enter a custom name, which can contain up to 40 characters including letters, numbers, underscores, hyphens, and @ symbols.
Authentication Method: Select Certificate.
CA Certificate: Select the name of the certificate you created.
Data Format:
JSON: You can match the rules and extract the content based on the data.
Custom: No data parsing is performed.
2. Click Save. The successfully created product will be displayed on the Products page.
3. On the Products page, click the Product Name to enter the product details page.
4. Click Devices > Add Device to upload the device certificate.
5. Click Save.
6. Click Back to Devices > Product Settings to view the basic product information and download the device CA certificate. The device then uses its device certificate and private key to authenticate its connection.

Generating testing CA certificate

Note:
The CA certificate generated by this method is for testing only; for actual use, apply for an official CA certificate from a certificate authority.
The following uses OpenSSL as an example to describe how to generate a testing CA certificate:
1. Prepare the CA certificate configuration file to get ca.conf with the following content:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tencent
localityName = Locality Name (eg, city)
localityName_default = Shenzhen
organizationName = Organization Name (eg, company)
organizationName_default = Tencent IoT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Tencent CA Test
2. Generate the CA certificate key to get ca.key with the following command:
openssl genrsa -out ca.key 4096
3. Generate a CA certificate issuance request to get ca.csr with the following command:
openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
4. Generate a CA root certificate to get ca.crt with the following command:
openssl x509 -req -days 3650 -sha256 -extfile openssl.cnf -extensions v3_ca -in ca.csr -signkey ca.key -out ca.crt
Here, openssl.cnf is the default configuration file of your OpenSSL installation; its v3_ca section marks the certificate as a CA.

Generating authentication certificate

The following uses OpenSSL as an example to describe how to generate an authentication certificate:
1. Generate the key pair of an authentication certificate with the following command:
openssl genrsa -out verificationCert.key 2048
2. Use the authentication code in the Add Certificate dialog box to create a CSR file with the following command:
openssl req -new -key verificationCert.key -out verificationCert.csr
Copy the Authentication Code from the Add Certificate dialog box and paste it as the value of the Common Name field.
Common Name (e.g. server FQDN or YOUR name) []: 9f5cfb6ec0fcbdffd94473491bbb052e339e5b7beff4d7ed46420b697****
3. Use the CA certificate, private key, and the CSR file generated in step 2 to create an authentication certificate with the following command:
openssl x509 -req -in verificationCert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out verificationCert.crt -days 300 -sha512
Here, ca.crt and ca.key are the CA certificate and its private key file you obtained from your CA.

Issuing device certificate and private key

The following uses OpenSSL as an example to describe how to use a CA certificate to issue a device certificate and private key.
1. Generate a device private key with the following command:
openssl genrsa -out dev_01.key 2048
2. Create a CSR file with the following command:
openssl req -new -key dev_01.key -out dev_01.csr
The value of the Common Name field is the product ID followed directly by the device name, with no separator, as follows:
Common Name (e.g. server FQDN or YOUR name) []: U58***2YLJdev_01
3. Use the CA certificate, private key, and the CSR file generated in step 2 to create a device certificate with the following command:
openssl x509 -req -in dev_01.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dev_01.crt -days 3650 -sha512 -extfile openssl.cnf -extensions v3_req
Here, ca.crt and ca.key are the CA certificate and its private key file you obtained from your certificate authority.
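As an added example (not part of Tencent's documentation or SDK), the following POSIX shell script runs the three OpenSSL procedures above end to end: a test CA, a verification certificate whose Common Name is the authentication code, and a device certificate whose Common Name is the product ID plus device name. The authentication code, product ID and device name are constructed placeholders, and the extension sections in the embedded config are this example's own rather than values from the page.

```shell
# Added example, not Tencent's code: build a test CA, a verification certificate
# (CN = authentication code) and a device certificate (CN = product ID + device
# name), then check each against the CA. Every value below is a placeholder.
set -eu
WORK="${WORK:-$(mktemp -d)}"; CFG="$WORK/cert.conf"
AUTH_CODE="PLACEHOLDER_AUTHENTICATION_CODE"   # paste the console's value here
PRODUCT_ID="PLACEHOLDERPID"; DEVICE_NAME="dev_01"
# One config file: a DN section (bypassed by -subj) plus CA and leaf extensions.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
# Self-signed test CA, playing the role of ca.crt / ca.key in the steps above.
make_test_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" -config "$CFG" \
        -extensions v3_ca -subj "/C=CN/O=Tencent IoT/CN=Tencent CA Test" \
        -out "$WORK/ca.crt"
}
# Issue a CA-signed leaf certificate: $1 = file stem, $2 = Common Name.
issue_leaf() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$1.key" -config "$CFG" -subj "/CN=$2" \
        -out "$WORK/$1.csr"
    openssl x509 -req -sha256 -days 300 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$CFG" -extensions v3_leaf \
        -out "$WORK/$1.crt" 2>/dev/null
}
# The CN exactly as the console reads it (authentication code or productID+deviceName).
cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
# Chain check: the leaf must verify against the CA certificate uploaded to the console.
verify_leaf() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null; }
build_all() {
    make_test_ca
    issue_leaf verificationCert "$AUTH_CODE"
    issue_leaf "$DEVICE_NAME" "${PRODUCT_ID}${DEVICE_NAME}"
}
```

Run `build_all`, then `cert_cn verificationCert` and `verify_leaf dev_01` to confirm the Common Names and the chain before uploading the files; the generated files land in `$WORK`.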
