Certificate Manager
You can upload certificates into Insights Hub to improve the security level. The encryption adds an additional layer of security to MQTT with X.509 client certificates. The certificate is valid for the domain of your tenant. You can access the Certificate Manager via the navigation area in Settings.
With the Certificate Manager, you can:
- Upload and manage PEM certificates on your tenant
- Download a PEM or CERT certificate to install on assets
Certificate requirements
The operating system assumes no responsibility for the quality of the device certificates.
When you upload a TenantCA certificate through Certificate Manager, it is checked against the following requirements for TenantCA certificates:
Note
For any violations, the upload request will be rejected. Users of the Certificate Manager are completely responsible for the quality of their certificates. We do not take any responsibility for the certificate management processes.
Certificate requirement | Description |
---|---|
Certificate signing algorithm | The device certificate signature algorithm should be SHA2. |
Version | The certificate version must be version 2 (indicating X.509 v3). |
Key Usage | The Key Usage extension must be present with the keyCertSign bit set. |
Validity | The certificate should be valid for up to one year. The current date and time should be between Not Before and Not After. |
Subject | The subject Distinguished Name (DN) is required (e.g., Customer Name (CN)=Robin Miller, Organization Unit (OU)=Unit1, Organization (O)=Siemens, Locality (L)=Erlangen, Country (C)=Germany). |
Subject Key Identifier | A "Subject Key Identifier" extension is required. |
Basic Constraints | A "Basic Constraints" extension is required and the Certificate Authority (CA) value must be TRUE to indicate that the Subject Type is CA. |
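A pre-upload check that evaluates a CA certificate against each row of the table above, written in Go with only the standard library. This is an added example, not Insights Hub code: the function names, the constructed sample certificate, the reading of "SHA2" as SHA-256/384/512 and the reading of "up to one year" as at most 366 days are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sha2 holds the signature algorithms accepted as "SHA2" (assumption: SHA-256/384/512).
var sha2 = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckTenantCA reports, per row of the requirements table, whether cert meets it.
func CheckTenantCA(cert *x509.Certificate, now time.Time) map[string]bool {
	life := cert.NotAfter.Sub(cert.NotBefore) // assumption: "one year" = at most 366 days
	return map[string]bool{
		"Signing algorithm":      sha2[cert.SignatureAlgorithm],
		"Version":                cert.Version == 3, // Go reports 3 for encoded value 2
		"Key Usage":              cert.KeyUsage&x509.KeyUsageCertSign != 0,
		"Validity":               !now.Before(cert.NotBefore) && !now.After(cert.NotAfter) && life <= 366*24*time.Hour,
		"Subject":                len(cert.Subject.Names) > 0,
		"Subject Key Identifier": len(cert.SubjectKeyId) > 0,
		"Basic Constraints":      cert.BasicConstraintsValid && cert.IsCA,
	}
}

// SampleCA builds a constructed, self-signed test certificate (not a real tenant CA).
func SampleCA(days int, isCA bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // sample only: errors ignored
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Tenant CA", Organization: []string{"Example Org"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage:  x509.KeyUsageCertSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(CheckTenantCA(SampleCA(800, false), time.Now()))
}
```

Running it prints the per-row result for a constructed certificate with an 800-day lifetime and CA set to false, so Validity and Basic Constraints come out false. To check a real file, decode it with `encoding/pem` and `x509.ParseCertificate` and pass the result to `CheckTenantCA`.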
Add new certificate
To add a new certificate to your tenant, proceed as follows:
- Click "Configurations" in the left navigation, select "Certificate Manager" and then click "Add certificate" in the top right corner.
- Enter a descriptive name.
- Upload the CA PEM Certificate.
- Upload the Verification PEM Certificate.
- Click "Add".
The certificate is successfully added.
Using "Broker info"
You can download a PEM or a CERT certificate using the "Broker info" tab. After downloading the broker certificate, you can install it on your asset via a USB stick, for example.
This establishes the handshake between Insights Hub and your asset and allows your device to validate the X.509 certificate.