Self signed certificate or CA certificate for IoT device

I can't understand what the real benefit of using a CA certificate is when it comes to securing communications between servers and IoT devices.

I'm working on an IoT device that uses Ubuntu as its OS and I was planning to use a CA certificate. But what happens if my users are not updating their device firmware? Now that certificates expire after 1 year, and considering that some users are not updating their IoT devices for a long time... the risk I'll run into is that those devices could not be updated after the cert expires, since they can't communicate with my servers.

With a self-signed cert I can set an expiration of 45 years, and anyway I'll be the authority and I can revoke or decide when it is time to release a new cert or even a cross-signed certificate.

I'm obviously talking only about the communication between the device and servers... the REST API for users will use a default CA cert.

Another option that I'm considering is to use a CA cert for device and server communication but also add a self-signed certificate that I can use as a backup in case the main certificate expires and the device needs to download new software (that will contain the new certificate). Is this a viable solution?

Should I handle certificates in this way?! Or maybe should I just use the OS root store and ensure that it is updated somehow? (In this case... how? The only way is to release an update of the device firmware, I suppose.)

Certificates are used for authentication and encryption. See https://www.ssl.com/faqs/what-is-a-certificate-authority/

If you want to make sure that the data you are receiving is coming from authenticated devices, then you will use certificates. You can use certificates to encrypt each and every request, but it will be heavy on resources. Or you use certificates for authentication and return a JWT token for further requests. (This is how service accounts work in the cloud.)

Manual certificate management will become complicated in no time. A service account is a common way to authenticate apps/devices. Keycloak is an open source option to support service accounts.

You should keep device updates separate from authentication. Device updates may or may not happen on an authenticated device. And waiting for certificate expiration to update the device sounds strange.
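An added example (not from the question or the answer above) of the trust-anchor layout the question circles around: the device pins a long-lived private root, the server's leaf certificate stays short-lived and is simply re-issued under that root, and a second root ships in the same firmware as the backup the question proposes. It assumes the openssl command-line tool is installed; all names, hostnames and paths are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI;
# every name, hostname and path here is illustrative.
# Expiry of the short-lived server leaf never strands an un-updated device,
# because the device only needs the long-lived root(s) it already carries.
set -e

gen_root() {  # $1 = name, $2 = validity in days; self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -days "$2" -subj "/CN=$1" >/dev/null 2>&1
}

gen_leaf() {  # $1 = leaf name, $2 = signing root name, $3 = validity in days
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=api.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days "$3" >/dev/null 2>&1
}

# What the device does at connect time: validate the server leaf ($2) against
# the trust bundle baked into its firmware ($1). Exit status 0 = trusted.
device_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs in a subshell so the temp dir and cwd change do not leak to the caller.
demo_trust_anchors() (
  work=$(mktemp -d) && cd "$work"
  gen_root device-root 7300                 # ~20-year root pinned in firmware
  gen_root backup-root 7300                 # second root shipped alongside it
  gen_leaf server-2024 device-root 365      # 1-year server cert, rotate freely
  gen_leaf server-migrated backup-root 365  # server re-issued under backup root
  cat device-root.pem backup-root.pem > device-trust-bundle.pem

  device_trusts device-trust-bundle.pem server-2024.pem     || exit 1
  device_trusts device-trust-bundle.pem server-migrated.pem || exit 2
  # With only the primary root pinned, the migrated server must be rejected:
  device_trusts device-root.pem server-migrated.pem && exit 3
  rm -rf "$work"
  exit 0
)

demo_trust_anchors && echo "device trust-anchor checks passed"
```

Exit codes 1 and 2 mean the bundle failed to validate a leaf it should trust; exit code 3 means a leaf under the backup root was wrongly accepted by a device that only pins the primary root.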
