Re: [hono-dev] Questions regarding Certificate Based Authentication in Hono

On Mon, 2018-05-14 at 13:38 +0000, Poehn Sebastian (INST/ECS4) wrote:
> Hello Hono project
> 
> I just had a look at the upcoming support for certificate based authentication
> in 0.6. This looks perfectly built for our purposes. Very good work, really
> looking forward to the 0.6 release so we can use this cool new feature.
> 

Hope it will work for you :-)

> Sadly there is no comprehensive Getting Started or User Guide for this
> particular feature yet.
> 
> So I will summarize how I interpreted the pieces I have discovered:
> 
> * Setup cert based authentication for a tenant
> Import the CA certificate's public key and subject DN for the tenant
> https://www.eclipse.org/hono/api/tenant-api/#trusted-ca-format
> 
> * Setup cert based authentication for a device
> Create a credential object with:
> "type": "x509-cert"
> "auth-id": Subject DN of the device specific certificate
> https://www.eclipse.org/hono/api/credentials-api/#x-509-certificate
> 

Exactly. See, no comprehensive guide needed ;-) We have smart users ...

> Next I was wondering how the authentication/authorization workflow is:
> 
> 1) Device establishes connection to Protocol Adapter, including the device
> certificate
> 2) Protocol Adapter extracts the certificate Issuer DN
> 3) Protocol Adapter performs lookup on tenant API for the DN (subject-dn)
> 4) Tenant API returns the tenant, including the CA cert's public key
> 5) Protocol Adapter verifies the device certificate against the CA cert's
> public key
> 6) Protocol Adapter extracts the certificate Subject DN
> 7) Protocol Adapter performs lookup on credentials API for the DN (auth-id)
> 8) Credentials API returns the credentials
> 9) Now the device-id is known and verified

Correct.

> 
> In addition I have some advanced questions:
> * As of now trusted-ca contains one certificate. How can an expiry of the CA
> certificate be handled (as one would like to rotate the public key too)?

Currently, that is not possible. We will need to allow for the configuration of
multiple root CA certs, having the same subject DN but different (overlapping)
validity periods. The protocol adapters should then get all (currently) valid
public keys for validating the device's client certificate in the TLS handshake.

> * Is it required to import the CA certificates to the Java trust store in
> addition to the tenant API?

No, that is not necessary. In particular, it is not necessary to restart the
protocol adapters in order to enable client cert based auth for a tenant.

> * Is it possible to use a sub CA for the trusted-ca if a certificate hierarchy
> with multiple CAs is used (e.g. Root CA <-> Sub CA A <-> Sub CA A1 <-> Device)?

I am not sure if I understand the question. For your example to work, you will
need to register Sub CA A1 as the trusted root CA certificate for the tenant.

> * What about certificates contained in the Java trust store? Is it possible to
> omit the public-key for those?

If the question is whether you can also use device certificates that have been
signed by one of the standard root CAs contained in the Java key store, then the
answer is: No.

But I also do not see the use case for it as it would require that every tenant
uses device certs signed by a different standard root CA ...

> 
> Best regards
> Sebastian Pöhn
> 
> _______________________________________________
> hono-dev mailing list
> hono-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/hono-dev
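
The nine-step workflow confirmed in this message, as an added example in Go's standard library; it is not code from Hono or from either poster. The three maps stand in for the Tenant and Credentials APIs, and all names, the sample DNs, the device-id and the use of Ed25519 keys are assumptions made for the sketch. The second call in main shows why step 5 matters: a certificate that merely copies the tenant CA's issuer DN is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical in-memory stand-ins for the Tenant API and the Credentials API.
var tenantOfCA = map[string]string{}             // trusted CA subject DN -> tenant id
var keyOfTenant = map[string]ed25519.PublicKey{} // tenant id -> trusted CA public key
var deviceOf = map[string]string{}               // tenant id + "|" + auth-id -> device-id

// Authenticate runs steps 2-9 on a client certificate (Ed25519 signatures assumed).
func Authenticate(c *x509.Certificate) (string, error) {
	tenant, ok := tenantOfCA[c.Issuer.String()] // steps 2-4: issuer DN only selects a tenant
	key := keyOfTenant[tenant]                  // step 5: a DN can be copied, the CA signature cannot
	if !ok || c.SignatureAlgorithm != x509.PureEd25519 || !ed25519.Verify(key, c.RawTBSCertificate, c.Signature) {
		return "", fmt.Errorf("issuer %q is unknown or did not sign this certificate", c.Issuer)
	}
	if dev, ok := deviceOf[tenant+"|"+c.Subject.String()]; ok { // steps 6-8: subject DN is the auth-id
		return tenant + "/" + dev, nil // step 9: tenant and device-id are known
	}
	return "", fmt.Errorf("no x509-cert credential for %q in tenant %s", c.Subject, tenant)
}

// NewKey and Issue create constructed sample keys and certificates for the demo.
func NewKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	return k
}

func Issue(cn, caCN string, caKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: pkix.Name{CommonName: caCN}}, NewKey().Public(), caKey)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	ca := NewKey()
	tenantOfCA["CN=Tenant CA"], keyOfTenant["t1"], deviceOf["t1|CN=device-1"] = "t1", ca.Public().(ed25519.PublicKey), "4711"
	fmt.Println(Authenticate(Issue("device-1", "Tenant CA", ca)))       // genuine device certificate
	fmt.Println(Authenticate(Issue("device-1", "Tenant CA", NewKey()))) // same issuer DN, other key
}
```

The sketch does not check the certificate's validity period or revocation, which a real adapter would also do during the TLS handshake.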
