2. IoT Edge Signing Certificate Upload
- Step 1 > In the create project screen, select 'Azure' as a profile.
- Step 2 > Click on the 'Attach Certificate for leaf device or edge module communication' checkbox.
- Upload Root/Intermediate CA certificate, an Intermediate CA key, and password if required.
- Step 3 > After the project creation process is complete, you could click on the project list, and the Azure project will open in a new temporary tab. The last field in the details section shows 'Yes' for the 'Attach Certificate for leaf device or edge module communication?' option. If you click on the expand () icon on the right side, the certificate's details for this project could be seen below. Information like Valid from, Valid Till, Issuer Details, Serial number, Signature algorithm, etc., are shown for the certificate. The certificate content also can be seen in this section.
3. Device CA Certificate Generation
- Step 1 > User deploys Azure IoT Edge application instance(s) on an edge node(s). The user initiates deployment either individually or as part of auto-deployment using the 'App Policy' in a project.
- Step 2 > User can indicate to ZedControl if it wants ZedControl to generate Device CA certificates by using specific system variables in cloud-config. Please refer to <insert link here> about the general use of system variables in the edge application's custom configuration.
IoTEdge runtime will expect a Device CA certificate if this flag is set to true.
Generate device CA certificate signed by root or intermediate CA certificate.
Generate private key for device CA certificate.
ZedControl generates a 'Device CA Certificate' pair signed by 'IoTEdge Signing Certificate'.
- Step 3 > ZedControl includes Device CA Certificate, Device CA Key generated in previous step and public part of IoTEdge signing certificate in the cloud-config and sends it to EVE-OS.
- Step 4 > The edge application instance (Azure module) detailed view shows the details of the Device CA certificate in use.
4. Certificate Renewal
- Step 1 > The user sees the expiry message on the ZedUI and clicks on the 'Update Certificate' button on the project details page.
- Step 2 > The certificate manager takes that command and sends a request to the Device CA service for a new certificate.
- Step 3 > The Device CA sends a renewed CA certificate to the certificate manager.
- Step 4 > The certificate manager queries external KeyStore, extracts metadata for that certificate, and stores it in the appropriate database. The certificate manager also saves the key and certificate in a secure store.
- Step 5 > The certificate manager then sends the device CA (Public + Private) keys to the concerned edge node(s) on which the Azure module has been deployed.
5. Certificate Management Use Cases
5.1. The Device CA Certificate is About to Expire
Project detail view
Application Instance detail view
5.2. The Device CA Certificate has Expired
Project Detail View
Edge Application Detail View
5.3. The Intermediate Certificate Expiry
5.4. IoT Edge Signing Certificate Expiry
- Step 1 > ZedControl certificate manager monitors the metadata of the certificates.
- Step 2 > It triggers action 30 days ahead of expiration:
- It generates a new certificate.
- It notifies ZedControl microservice responsible for using the certificate.
- User microservice figures out all the application Instances signed by this intermediate certificate and maintains this information for all the App Instances.
- Step 3 > ZedUI polls for an application instance, ZedControl indicates that certificate expiry is coming up, and ZedUI prompts an update/refresh with a new certificate.
- Step 4 > When a customer updates, ZedControl repeats the process with the new 'IoT Edge Signing Certificate'.
5.5. Compromised Intermediate Certificate
Step 1 > The user uploads a new intermediate CA certificate and re-generates the device CA certificate with this new Intermediate CA certificate for all the edge nodes running the IoT edge runtime application.
Step 2 > The user uploads the Intermediate CA certificate in the project configuration.
Step 3 > ZedControl prompts the user to perform a force update of the application instance(s) for the given project.
Step 4 > Upon performing force update, ZedControl creates new user data with a newly generated Device CA certificate for the application Instances and notifies EVE-OS to purge and restart the application Instances.
5.6. Compromised Device CA Certificate
Step 1 > The user regenerates the Device CA certificate and pushes it to the edge node.
Step 2 > Click on “Purge and Refresh” from the application Instance action menu.
Step 3 > ZedControl automatically regenerates the device CA certificate at every 'Purge and Refresh'.
Step 4 > ZedControl creates new user data with the newly generated Device CA certificate and pushes it to EVE-OS to purge and restart the application instance.
Fetch the updated details from the edge application (if any)
Regenerates the user data (Certificate regeneration, if configured)
Issues purge operation for the purgeable drives (Volumes)