Device Authentication with PKI Tutorial

In this tutorial, you will create a Murano Product and demonstrate how a custom Certificate Authority (CA) can be configured for it. You will then provision a device with a client side certificate signed by the configured Certificate Authority. Finally, you will connect the device to Murano once again and successfully authenticate with the signed client side certificate.

Requirements

Hardware Setup

This tutorial does not require hardware. It assumes developers will use command line CURL commands or implement in a language of choice using HTTP client library commands.

Software Setup

To complete this tutorial, you will need:

Create a product

Assuming that you already have a business created, open the Solutions page, click on the +NEW SOLUTION button and select Add a Product from the dropdown box to create a new product. Or, if you don't already have products, you may click on the ADD PRODUCT button to do the same.

image alt text

In the dialog that opens up, give your product a name and leave everything else blank or at their defaults. Click ADD.

image alt text

Navigate to your newly created product's Settings page and check the box next to Enable Client CA Certificate:

image alt text

This will reveal a text box titled Add Client CA Cert Here. That is where you have to paste your Client CA Certificate in PEM format.

image alt text

In the Provisioning section of Settings, select the TLS Client Certificate authentication method and leave everything else at their defaults.

image alt text

Now, click the SAVE button in the upper right corner to commit your changes to your product's settings.

image alt text

At this point, you have successfully created a product, configured to use the TLS Client Certificate authentication method and configured a Client CA Certificate.

Provision and authenticate a device

In the previous session, we left the Enable Provisioning and Allow devices to register their own identity options selected. Because of that, we don't need to explicitly whitelist a device for provisioning. The device can simply connect to Murano with its client side certificate provided and Murano will automatically save the device's identity (Common Name extracted from the certificate) and certificate for subsequent authentication. On top of that, devices using TLS Client Certificate authentication, do not need to explicitly call the activate endpoint to get provisioned. Instead, they can start sending data on their first connection.

In order for a device to write data to Murano, the product endpoint needs to be known. While on the product page, click the ID icon in the top left. This will copy the product ID onto the clipboard.

image alt text

Then, issue the following command using the just copied product ID pasted in place of product-endpoint. For the --cert and --key options, respectively use the client side certificate signed by the configured Client CA Certificate and its private key. (The process of signing the certificate is outside the scope of this tutorial.)

  curl -v \
    -X POST https://<product-endpoint>.m2.exosite.io/onep:v1/stack/alias \
    --cert ./client.crt \
    --key ./client.key \
    -d temp=50

The above command has now provisioned the device and wrote the value 50 with the alias "temp". Murano has verified that the provided certificate had been signed by the Client CA Certificate that is configured for this product.

Authenticate a device

Issuing the same command subsequently, will cause Murano to use the client certificate to identify (by extracting the Common Name) and authenticate the device (by verifying that the client certificate has been issued by the configured Client CA Certificate and by checking whether the provided certificate has been associated with the connecting device in Murano's database).