IoT Edge Signing Certificate Upload
- Step 1 > In the create project screen, select 'Azure' as a profile.
- Step 2 > Click on the 'Attach Certificate for leaf device or edge module communication' checkbox.
- Upload Root/Intermediate CA certificate, an Intermediate CA key, and password if required.
- Step 3 > After the project creation process is complete, you can click on the project in the project list, and the Azure project opens in a new temporary tab. The last field in the details section shows 'Yes' for the 'Attach Certificate for leaf device or edge module communication?' option. Clicking the expand icon on the right side shows the certificate details for this project below it. Information such as Valid from, Valid Till, Issuer Details, Serial number, Signature algorithm, etc. is shown for the certificate. The certificate content can also be seen in this section.
Device CA Certificate Generation
- Step 1 > The user deploys Azure IoT Edge application instance(s) on edge node(s), either individually or as part of an auto-deployment using the 'App Policy' in a project.
- Step 2 > The user can indicate whether they want ZEDEDA Cloud to generate Device CA certificates by using specific system variables in cloud-config. Please refer to <insert link here> about the general use of system variables in the edge application's custom configuration.
- The IoTEdge runtime will expect a Device CA certificate if this flag is set to true.
- Generate a device CA certificate signed by the root or intermediate CA certificate.
- Generate a private key for the device CA certificate.
- ZEDEDA Cloud generates a 'Device CA Certificate' pair signed by the 'IoTEdge Signing Certificate'.
- Step 3 > ZEDEDA Cloud includes the Device CA certificate and the Device CA key generated in the previous step, together with the public part of the IoTEdge signing certificate, in the cloud-config and sends it to EVE-OS.
- Step 4 > The edge application instance (Azure module) detailed view shows the details of the Device CA certificate in use.
- Step 1 > The user sees the expiry message on the ZEDEDA GUI and clicks on the 'Update Certificate' button on the project details page.
- Step 2 > The certificate manager takes that command and sends a request to the Device CA service for a new certificate.
- Step 3 > The Device CA sends a renewed CA certificate to the certificate manager.
- Step 4 > The certificate manager queries the external KeyStore, extracts the metadata for that certificate, and stores it in the appropriate database. The certificate manager also saves the key and certificate in a secure store.
- Step 5 > The certificate manager then sends the device CA (public + private) keys to the edge node(s) on which the Azure module has been deployed.
Certificate Management Use Cases
The Device CA Certificate is About to Expire
- Project detail view
- Application Instance detail view
The Device CA Certificate has Expired
The Intermediate Certificate Expiry
- About to Expire
- Already Expired
IoT Edge Signing Certificate Expiry
- Step 1 > ZEDEDA Cloud certificate manager monitors the metadata of the certificates.
- Step 2 > It triggers action 30 days ahead of expiration:
- It generates a new certificate.
- It notifies ZEDEDA Cloud microservice responsible for using the certificate.
- The user microservice identifies all the application instances signed by this intermediate certificate and records this information for each of those app instances.
- Step 3 > When the ZEDEDA GUI polls for an application instance, ZEDEDA Cloud indicates that the certificate expiry is approaching, and the ZEDEDA GUI prompts the user to update/refresh with a new certificate.
- Step 4 > When a customer updates, ZEDEDA Cloud repeats the process with the new 'IoT Edge Signing Certificate'.
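As an added example (not ZEDEDA's certificate manager code), the shell functions below show the monitoring decision from Step 2 with openssl: read a certificate's notAfter date and classify it as expired, due for renewal within a 30-day lead time, or fine. The function names, the `RENEWAL_LEAD_DAYS` constant and the self-signed demo certificates are assumptions; the page says the certificate manager works from stored certificate metadata, whereas this example reads it straight from the PEM file.

```shell
#!/bin/sh
# Added example, not ZEDEDA code. Expiry classification for certificate monitoring.
# Assumes openssl on PATH. Demo certificates are constructed inline.
set -eu

RENEWAL_LEAD_DAYS=30   # mirrors "triggers action 30 days ahead of expiration"

# cert_not_after CERT.pem: print the notAfter date exactly as openssl reports it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within CERT.pem DAYS
# Returns 0 if the certificate expires within DAYS from now (or has already expired).
# openssl -checkend SECONDS exits 0 when the cert is still valid beyond that window,
# so the sense is inverted here.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# renewal_action CERT.pem: print the action the monitor should take.
#   expired  already past notAfter
#   renew    inside the renewal lead time
#   ok       nothing to do yet
renewal_action() {
    if cert_expires_within "$1" 0; then
        echo expired
    elif cert_expires_within "$1" "$RENEWAL_LEAD_DAYS"; then
        echo renew
    else
        echo ok
    fi
}

# make_demo_cert OUT.pem DAYS: throwaway self-signed cert valid for DAYS from now.
# Only used to produce test input; real monitoring reads the deployed certificates.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=demo device CA" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Stand-alone use: ./cert_monitor.sh CERT.pem
if [ $# -ge 1 ]; then
    echo "$1: expires $(cert_not_after "$1"), action: $(renewal_action "$1")"
fi
```

`renewal_action device-ca.pem` prints one of expired/renew/ok; the same check applies unchanged to the intermediate (IoT Edge Signing) certificate, which the text treats with the same 30-day lead time.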
Compromised Intermediate Certificate
- Step 1 > The user uploads a new intermediate CA certificate and re-generates the device CA certificate with this new Intermediate CA certificate for all the edge nodes running the IoT edge runtime application.
- Step 2 > The user uploads the Intermediate CA certificate in the project configuration.
- Step 3 > ZEDEDA Cloud prompts the user to perform a force update of the application instance(s) for the given project.
- Step 4 > Upon a force update, ZEDEDA Cloud creates new user data with a newly generated Device CA certificate for the application instances and notifies EVE-OS to purge and restart the application instances.
Compromised Device CA Certificate
- Step 1 > The user regenerates the Device CA certificate and pushes it to the edge node.
- Step 2 > Click on 'Purge and Refresh' from the application instance action menu.
- Step 3 > ZEDEDA Cloud automatically regenerates the device CA certificate at every 'Purge and Refresh'.
- Step 4 > ZEDEDA Cloud creates new user data with the newly generated Device CA certificate and pushes it to EVE-OS to purge and restart the application instance:
- Fetches the updated details from the edge application (if any).
- Regenerates the user data (certificate regeneration, if configured).
- Issues a purge operation for the purgeable drives (volumes).