
Self signed certificate or CA certificate for IoT device

I can't understand what the real benefit of using a CA certificate is when it comes to securing communications between servers and IoT devices.

I'm working on an IoT device that uses Ubuntu as its OS, and I was planning to use a CA certificate. But what happens if my users are not updating their device firmware? Now that certificates expire after 1 year, and considering that some users don't update their IoT devices for a long time... the risk I'll run into is that those devices could not be updated after the cert expires, since they can't communicate with my servers.

With a self-signed cert I can set an expiration of 45 years, and anyway I'll be the authority, and I can revoke it or decide when it is time to release a new cert or even a cross-signed certificate.

I'm obviously talking only about the communication between the device and the servers... the REST API for users will use a default CA cert.


Another option that I'm considering is to use a CA cert for device-to-server communication but also add a self-signed certificate that I can use as a backup in case the main certificate expires and the device needs to download new software (that will contain the new certificate). Is this a viable solution?

Should I handle certificates in this way?! Or maybe should I just use the OS root store and ensure that it is updated somehow? (In this case... how?... the only way is to release an update of the device firmware, I suppose.)

Certificates are used for authentication and encryption. See https://www.ssl.com/faqs/what-is-a-certificate-authority/

If you want to make sure that the data you are receiving is coming from authenticated devices, then you will use certificates. You can use certificates to encrypt each and every request, but it will be heavy on resources. Or you use certificates for authentication and return a JWT token for further requests. (This is how service accounts work in the cloud.)

Manual certificate management will become complicated in no time. A service account is a common way to authenticate apps/devices. Keycloak is an open-source option that supports service accounts.

You should keep device updates separate from authentication. Device updates may or may not happen on an authenticated device. And waiting for certificate expiration to update the device sounds strange.
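The following is an added, stand-alone Go example; it is not code from the question or from the answer above. It models the pinning approach the question describes: a device whose firmware trusts only two long-lived private roots (a primary and a backup, the question's 45-year self-signed certs) while the server's leaf certificate is rotated yearly. The API hostname, the root names, the serial numbers and the validity periods are assumptions of the example, and every key and certificate is generated in memory. It checks that an expired one-year leaf is rejected, that a re-issued leaf under the same pinned root is accepted with no firmware update, that a leaf under the backup root is accepted, that a leaf from any root the firmware never shipped is rejected, and that the 45-year root itself is still a cliff the device eventually falls off.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// apiHost is a hypothetical name for the device-facing API (an assumption of this example).
const apiHost = "devices.example.test"

// issuer is an in-memory CA constructed for this example, not a real trust anchor.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must panics on error: key generation or signing failing is unrecoverable in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign generates a fresh P-256 key for tmpl and signs tmpl with parent (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *issuer) *issuer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &issuer{tmpl, key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &issuer{must(x509.ParseCertificate(der)), key}
}

// newRoot creates a self-signed CA valid for validFor starting at from.
func newRoot(name string, from time.Time, validFor time.Duration) *issuer {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             from,
		NotAfter:              from.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// issueServer signs a server leaf for apiHost under this CA; the leaf's private key is dropped here.
func (i *issuer) issueServer(serial int64, from time.Time, validFor time.Duration) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: apiHost},
		DNSNames:     []string{apiHost},
		NotBefore:    from,
		NotAfter:     from.Add(validFor),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, i).cert
}

// deviceTrusts is the firmware's check: leaf chains to a pinned root, names apiHost, and the whole chain (root included) is valid at the device's clock.
func deviceTrusts(pinned *x509.CertPool, leaf *x509.Certificate, at time.Time) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       pinned,
		DNSName:     apiHost,
		CurrentTime: at,
	})
	return err == nil
}

type Outcome struct { // which server certificates a device with two pinned roots accepts
	FreshLeaf, RotatedLeaf, BackupRoot     bool // expected: accepted
	ExpiredLeaf, UnpinnedRoot, RootExpired bool // expected: rejected
}

// RunScenario builds every root and leaf in memory and runs the device check on each.
func RunScenario() Outcome {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	day, year := 24*time.Hour, 365*24*time.Hour
	primary := newRoot("Device Primary Root", t0, 45*year)
	backup := newRoot("Device Backup Root", t0, 45*year)
	pinned := x509.NewCertPool() // the firmware ships exactly these two roots, no public CA bundle
	pinned.AddCert(primary.cert)
	pinned.AddCert(backup.cert)
	leaf := primary.issueServer(100, t0, year) // the one-year server cert the question worries about
	late := t0.Add(46 * year)                   // after the 45-year root itself has lapsed
	return Outcome{
		FreshLeaf:    deviceTrusts(pinned, leaf, t0.Add(30*day)),
		ExpiredLeaf:  deviceTrusts(pinned, leaf, t0.Add(400*day)),
		RotatedLeaf:  deviceTrusts(pinned, primary.issueServer(101, t0.Add(400*day), year), t0.Add(401*day)),
		BackupRoot:   deviceTrusts(pinned, backup.issueServer(200, t0, year), t0.Add(day)),
		UnpinnedRoot: deviceTrusts(pinned, newRoot("Other CA", t0, year).issueServer(300, t0, year), t0.Add(day)),
		RootExpired:  deviceTrusts(pinned, primary.issueServer(102, late, year), late.Add(day)),
	}
}
```

The point for the device design: what the firmware pins is the root, not the one-year server leaf, so the leaf can be re-issued as often as the server side likes without any device update, and the OS root store is never consulted. The expiry problem does not disappear, it moves to the pinned root (the RootExpired case), so the next root has to be shipped in firmware well before the current one lapses; and because Verify uses the device's own clock, a device with a wrong or unset time will reject a perfectly valid chain.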
