Introduction Certificate Manager
You can upload certificates into Insights Hub to improve the security level. The encryption adds an additional layer of security to MQTT with X509 client certificates. The certificate is valid for the domain of your tenant. You can access the Certificate Manager via the navigation area in Settings.
With the Certificate Manager you can:
- Upload and manage PEM certificates on your tenant
- Download a PEM or CERT certificate to install on assets
The operating system assumes no responsibility for the quality of the device certificates.
When you upload a TenantCA certificate, Certificate Manager checks it against the following requirements:

| Requirement | Description |
|---|---|
| Certificate signing algorithm | The device certificate signature algorithm should be SHA2. |
| Version | The certificate version field must be 2 (indicating X.509 v3). |
| Key Usage | The Key Usage extension must be present with the keyCertSign bit set. |
| Validity | The certificate should be valid for up to one year. The current date and time should be between Not Before and Not After. |
| Subject | Subject Distinguished Name (DN) is required (e.g. Customer Name (CN)=Robin Miller, Organisation Unit (OU)=Unit1, Organisation (O)=Siemens, Locality (L)=Erlangen, Country (C)=Germany). |
| Subject Key Identifier | The Subject Key Identifier extension is required. |
| Basic Constraints | The Basic Constraints extension is required and the Certificate Authority (CA) value must be TRUE to indicate that Subject Type is CA. |

If a certificate violates any of these requirements, the upload request is rejected. Certificate Manager users are completely responsible for the quality of certificates. We take no responsibility in certificate management processes.
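The requirements in the table can be checked locally before an upload. The following script is an added example, not Insights Hub's own validation code; it assumes OpenSSL 1.1.1 or later and GNU date, reads "up to one year" as at most 366 days, and its function names (`check_tenant_ca`, `make_sample_ca`) are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload check of a TenantCA PEM certificate against the
# requirements table. Assumptions: OpenSSL 1.1.1+ and GNU date are installed;
# "up to one year" is read as at most 366 days. Function names are hypothetical.

check_tenant_ca() {  # usage: check_tenant_ca <cert.pem>; returns 0 when all checks pass
    cert=$1; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: not a readable PEM certificate"; return 2; }
    need() {  # need <label> <extended regex matched against the text dump>
        if printf '%s\n' "$text" | grep -Eq "$2"; then echo "ok:   $1"
        else echo "FAIL: $1"; rc=1; fi
    }
    need "signature algorithm uses SHA-2"  'Signature Algorithm: .*(sha|SHA)(224|256|384|512)'
    need "version field 2 (X.509 v3)"      'Version: 3 \(0x2\)'
    need "Key Usage keyCertSign bit set"   'Certificate Sign'
    need "Subject DN present"              'Subject: .*='
    need "Subject Key Identifier present"  'X509v3 Subject Key Identifier'
    need "Basic Constraints CA:TRUE"       'CA:TRUE'

    # Validity: now must lie between Not Before and Not After, lifetime <= one year.
    nb=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
    na=$(date -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
    now=$(date +%s)
    if [ "$nb" -le "$now" ] && [ "$now" -le "$na" ]; then echo "ok:   currently valid"
    else echo "FAIL: current time outside Not Before / Not After"; rc=1; fi
    if [ $((na - nb)) -le $((366 * 86400)) ]; then echo "ok:   lifetime within one year"
    else echo "FAIL: lifetime longer than one year"; rc=1; fi
    return "$rc"
}

# Builds a constructed, self-signed sample CA so the check can be tried offline.
make_sample_ca() {  # usage: make_sample_ca <out.pem> <days> <CA:TRUE|CA:FALSE>
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ext' \
        '[dn]' 'CN=Constructed Test CA' 'O=Example' \
        '[ext]' "basicConstraints=critical,$3" \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" -config "$cfg" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    status=$?; rm -f "$cfg"; return "$status"
}
```

The text-dump matching is a convenience check only; the upload itself remains the authoritative validation.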
Add new certificate
To add a new certificate to your tenant, proceed as follows:
- Click "Add certificate" in the "Certificate" tab.
- Enter a descriptive name.
- Upload the CA PEM Certificate.
- Upload the Verification PEM Certificate.
- Click "Add".
Using "Broker info"
You can download a PEM or a CERT certificate in the "Broker info" tab. After downloading the broker certificate, you can install it on your asset via USB stick, for example.
This will establish the handshake between Insights Hub and your asset, allowing your device to validate the X509 certificate.