Managing trusted certificates in Device Management
When your devices connect to Device Management, Device Management needs to trust the certificate authority (CA) certificate that issued the device certificate, or one of the CAs in the device certificate chain of trust.
You can manage the trusted certificates in your Device Management account using an API or from Device Management Portal:
- Upload a CA certificate or certificate chain.
- Delete a CA certificate.
- Blacklist a bootstrap CA certificate.
- Renew a LwM2M or custom certificate.
Uploading a CA certificate or certificate chain
When you upload a CA certificate to Device Management, all devices with a device certificate that was signed by the CA can connect to Device Management.
If you use the CA certificate that you upload to Device Management to sign other certificates, all devices with a device certificate that was signed by those certificates can also connect to Device Management.
Using the API
Use the /v3/trusted-certificates POST API to upload certificates and certificate chains in Device Management.
The /v3/trusted-certificates API has the following parameters:
- name: Mandatory.
- description: Optional.
- cert_data: A certificate chain consisting of concatenated PEM files. Mandatory.
- service: Bootstrap or LwM2M. To bypass the bootstrapping, set the value to lwm2m. Mandatory.
Note: You must upload the full chain of your trusted CA certificate, including the root and all intermediate certificates, up to your trusted CA. Device Management also supports self-signed certificates, which are handled as a chain of size 1. The certificates must be in PEM format and concatenated. Your device certificate must not be part of your uploaded certificate chain.
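The following is an added example, not code from the Device Management documentation: a pre-flight check that a concatenated PEM bundle contains only CERTIFICATE blocks (no private key or CSR pasted in by mistake) and that the request body for POST /v3/trusted-certificates carries the mandatory fields with a valid service value. It checks packaging only; signature and CA-flag verification of the chain is left to openssl. The sample chain is constructed placeholder data.

```python
import json
import re
from typing import Dict, List, Optional

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
VALID_SERVICES = ("bootstrap", "lwm2m")


def split_pem_chain(text: str) -> List[str]:
    """Return the normalized CERTIFICATE blocks in `text`; reject anything else."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2).strip()
        if label != "CERTIFICATE":
            # A private key or CSR concatenated by accident must never be uploaded.
            raise ValueError(f"unexpected PEM block in chain: {label}")
        if not re.fullmatch(r"[A-Za-z0-9+/=\r\n]+", body):
            raise ValueError("PEM body is not base64")
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----")
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return blocks


def build_trusted_certificate_request(name: str, chain_pem: str, service: str,
                                      description: Optional[str] = None) -> Dict[str, str]:
    """Build the JSON body for POST /v3/trusted-certificates from a PEM bundle."""
    if not name:
        raise ValueError("name is mandatory")
    if service not in VALID_SERVICES:
        raise ValueError(f"service must be one of {VALID_SERVICES}")
    body = {"name": name, "service": service,
            "cert_data": "\n".join(split_pem_chain(chain_pem)) + "\n"}
    if description:
        body["description"] = description
    return body


# Constructed sample: two placeholder blocks (intermediate, then root). The base64
# is dummy data, not real certificates.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nTUlJQmludGVybWVkaWF0ZQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nTUlJQnJvb3Q=\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(json.dumps(build_trusted_certificate_request("factory-ca", SAMPLE_CHAIN, "lwm2m")))
```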
Using Device Management Portal
To upload a certificate or certificate chain to your account through Device Management Portal:
- Log in to Device Management Portal as an administrator.
- From the side menu, select Device identity > Certificates.
- Click New certificate and select Upload your own certificate.
- Populate the Name and Description fields.
- Click Choose File and select your CA file.
- From the How will devices use this certificate? dropdown, select:
- Credentials or Factory configurator utility - I can prove ownership of these credentials - Select this to upload a LwM2M or Bootstrap certificate if you provision device certificates in your factory. For more information about using LwM2M or Bootstrap credentials, see Device onboarding and connection options.
- Enrollment - I received this certificate from the device manufacturer or a supplier - Select this if you purchased pre-provisioned devices and the device manufacturer or a supplier provided you with a CA certificate. This method of claiming device ownership is called first-to-claim.
- Third party CA - I cannot prove ownership of these credentials - Select this to upload the third-party CA certificate that issues your LwM2M device certificates. For more information, see Integrating with a third-party CA.
- Click Upload certificate.
Deleting a CA certificate
When you delete a bootstrap certificate from Device Management, devices that have the deleted certificate in their chain of trust can no longer bootstrap using the deleted certificate; however, they might still be able to bootstrap using a different certificate in their chain of trust. They can also continue to connect to Device Management as long as their LwM2M credentials are still valid.
For more information about the use of bootstrap and LwM2M in Device Management, see Device onboarding and connection options.
You can also blacklist or disable a certificate. Devices that have the disabled certificate in their chain of trust can no longer bootstrap, and they cannot connect to Device Management using their LwM2M credentials.
Using the API
Use the /v3/trusted-certificates/{cert_id} DELETE API to delete certificates and certificate chains in Device Management.
Use GET /v3/trusted-certificates to retrieve the cert_id.
Using Device Management Portal
To delete a certificate from your account through Device Management Portal:
- Log in to Device Management Portal as an administrator.
- From the side menu, select Device identity > Certificates.
- From the list of certificates, select the certificate that you want to delete. This opens a pane on the right-hand side with the details of the selected certificate.
- Click the Delete button. This opens the Delete bootstrap certificate window.
- Click Delete certificate.
Blacklisting a bootstrap certificate
Blacklisting a bootstrap certificate blocks all new devices that hold the certificate in their chain of trust from connecting to Device Management. Devices that have already onboarded to Pelion Device Management can continue operation normally.
You can also choose to suspend devices that are already onboarded. If you choose this option, blacklisting a certificate from Device Management Portal automatically suspends devices that have already registered using that certificate. However, automatic suspension of devices as part of certificate blacklisting is only a proof of concept and needs to be enabled separately for your account. Contact Arm support for more information.
Note: When you delete a bootstrap certificate from Device Management, devices that have the deleted certificate in their chain of trust can no longer bootstrap using the deleted certificate; however, they may still be able to bootstrap using a different certificate in their chain of trust. They can also continue to connect to Device Management as long as their LwM2M credentials are valid. When you blacklist a certificate, devices with a disabled certificate in their chain of trust can no longer bootstrap and cannot connect to Device Management using their LwM2M credentials. For more information about the use of bootstrap and LwM2M in Device Management, see Device onboarding and connection options.
Using the API
Use the /v3/trusted-certificates/{cert_id} PUT API to blacklist a certificate, or to re-enable a blacklisted one, by changing the certificate's status (INACTIVE to blacklist, ACTIVE to enable).
For example, to blacklist a certificate (the JSON body must be quoted so the shell passes it to curl intact):
curl -X PUT https://api.us-east-1.mbedcloud.com/v3/trusted-certificates/{cert_id} \
-H 'Authorization: Bearer <api_key>' \
-H 'content-type: application/json' \
-d '{"status": "INACTIVE"}'
Using Device Management Portal
To blacklist (inactivate) a certificate:
- Log in to Device Management Portal as an administrator.
- From the side menu, select Device identity > Certificates.
- From the list of certificates, select the certificate that you want to blacklist. This opens a pane on the right-hand side with the details of the selected certificate.
- Click Blacklist. This opens the Blacklist a trusted certificate window.
- Click Blacklist certificate. You can see that the status of the certificate is now Inactive.
To enable (activate) a blacklisted certificate:
- Log in to Device Management Portal as an administrator.
- From the side menu, select Device identity > Certificates.
- From the list of certificates, select the blacklisted certificate that you want to enable. This opens a pane on the right-hand side with the details of the selected certificate.
- Click Enable. This opens the Activate a trusted certificate window.
- Click Activate certificate. You can see that the status of the certificate is now Active.