IoT certificate manager

Use cases

Certificate renewal

When an X.509 certificate is created, you shall define the validity period. The recommended validity period  of a device certificate has dramatically changed in the last years. While in the past a validity period of 10 years was acceptable with the main purpose to decrease the operational effort to renew it, nowadays because of the tremendous increase in cyber attacks,  it is widely recognized by security experts that validity should not exceed 1 year, even for businesses that are not dealing with sensitive data. Regulation authorities are now moving to even shorter periods, close to 3 months, to further improve security levels. 

With these recommendations,  constantly extending the certificate validity on each device is a tremendous effort that cannot be addressed manually even for small fleets of hundreds of devices with a validity period of 12 months.

With IoT Certificate Manager you can:

• extend the validity period, once, for all devices listed using the  /ztp/devicecertificate/renew API. The new  certificate, with an extended lifetime, will have a new serial number, keeping the same Common Name

• Extend the validity period automatically before the expiration, by setting the proper option in the /ztp/rootca/create API when creating the Root CA or updating the setting at a later stage with /ztp/rootca/update API. Remember that the renewal happens at the next Security  heartbeat of the device.

Note: with renewal the  new certificate use the same key pair (private and public keys, that are unique for each device) generated during the initial Zero Touch Provisioning. If you also want to replace the key pair, you need to update the certificate as explained in the next section.

The certificate renewal API implements generation, signature and provisioning in the device of the new certificate. If you are using Azure or AWS and the configurations suggested in our guides, the re-provisioning of the new certificate in those platforms happens automatically at every renewal without the need to implement any additional logic.

The previous certificate is automatically removed from the device but not from the IoT platform.

Each certificate renewal is counted as a billing event, only when the renewal effectively happens in the device, and is charged accordingly to your plan.

Note: if you need to manually force the certificate renewal triggering a security heartbeat on the device (after having issued the /ztp/devicecertificate/renew),  it is suggested to wait at least 5 mins before checking the new certificate because of the protection mechanism implemented to prevent flooding (see Security Heartbeat section on Getting started guide)

Update certificate

If your device certificate has been compromised or you want an enhanced level of security, you can update the device certificate with /ztp/devicecertificate/update API that triggers the automatic generation of:

• the new keypair (private and public key) 

• the  device certificate generation and signing

• the device certificate provisioning in the device

The API can be applied to a list of devices at the same time, and triggers the whole re-provisioning process as described for certificate renewal.  

Note: the update procedure needs two Security Heartbeat. The new certificate is provisioned after the second Heartbeat 

Note: as for the  certificate renewal  it is suggested to wait at least 5 mins , before checking the new certificate, in case you need to manually force the certificate renewal with a a security heartbeat on the device(see Security Heartbeat section on Getting started guide)

Each certificate update is counted as a billing event, only when the update effectively happens in the device, and is charged accordingly to the selected plan.

Delete certificate

If you no longer need the certificate in the device, you can maintain security by removing it for free, using the /ztp/devicecertificate/delete API. 

NOTE: this action does not remove the certificate from the IoT platform (Azure, AWS, etc.).

Replace Root CA certificate

There are some use cases where it is necessary to replace the Root CA certificate used to sign the device certificate.  For example:

• if the Root CA certificate has been compromised

• you are moving devices from test environment to production environment and you prefer to use different Root CA certificates for each environment

• the ownership of the device changes

• you are moving a device to a different IoT Platform

This action can be extremely complex and time consuming if performed on a significant number of devices, or when continuously done as part of a test-deployment process, because you need to repeat the whole process of certificate generation, signing and provisioning. 

By using the /ztp/devicecertificate/rootca/transfer API you can automate the entire procedure specifying the list of devices (using the RoTPublicUID identifier) that needs to be moved.

Each certificate transfer is counted as a billing event, only when the transfer effectively happens in the device, and is charged accordingly to the selected plan.

Certificate revocation

Certificate revocation is the action of invalidating the certificate before the scheduled expiration date so that it can no longer used by the device for authentication and (D)TLS sessions. A certificate should be revoked immediately when its private key shows signs of being compromised. It should also be revoked when the domain for which it was issued is no longer operational.

If you are using the certificate in sensitive business applications you may want a way to revoke that certificate to invalidate it immediately if you have the feeling that it is misused.  

To revoke a certificate

• use the /ztp/devicecertificate/revoke to invalidate it on Thingstream platform and and trigger its addition to the Revocation list (CRL)

• disable the certificate on your IoT platform

NOTE: certificate revocation does not remove the certificate in the device. This action can be performed using the previously described API.

Certificate revocation is not charged.

Certificate Revocation List

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. CRL is a sort of backlist for certificates and is used by various endpoints (for example your IoT platform) to verify whether a certificate is valid and trustworthy.  

You can use the /ztp/rootca/crl/get API to get a list of the certificates revoked using the certificate revocation API. 

CRL is not subject to charging

Notifications

To keep device certificate lifecycle status under control  you can subscribe to the main events, like certification expiration and renewal,  using the dedicated webhook  /notification/webhook/create.

Notifications are not subject to charging

Invoicing

Invoices are raised on the 1st of each month and will include usage for any services configured via the Thingstream platform. Only completed subscriptions will be included so a plan which starts on 5th May, renewing on 5th June, would be included in the invoice raised on 1st July.  Any usage from the renewed plan would not be invoiced until 1st August.

Invoices are sent by email from accounts@thingstream.io.  Please add this address to your safe senders list to avoid invoices being lost in your junk folder.