Re: [hono-dev] Questions regarding Certificate Based Authentication in Hono

Thanks for that prompt reply.

>> In addition I have some advanced questions:
>> * As of now trusted-ca contains one certificate. How can an expiry of 
>> the CA certificate be handled (as one would like to rotate the public key too)?
>
>Currently, that is not possible. We will need to allow for the configuration of multiple root CA certs, having the same subject DN but different (overlapping) validity periods. The protocol adapters should then get all (currently) valid public keys for validating the device's client certificate in the TLS handshake.

That sounds like a good approach to me. And the additional benefit would be that if this information is present in the tenant object, one could build some functionality that checks for upcoming expiry of certificates.

>> * Is it required to import the CA certificates to the Java trust store 
>> in addition to the tenant API?
>
>No, that is not necessary. In particular, it is not necessary to restart the protocol adapters in order to enable client cert based auth for a tenant.

>> * Is it possible to use a sub CA for the trusted-ca if a certificate 
>> hierarchy with multiple CAs is used (e.g.  Root CA <-> Sub CA A <-> 
>> Sub CA A1 <-> Device)
>
>I am not sure if I understand the question. For your example to work, you will need to register Sub CA A1 as the trusted root CA certificate for the tenant.

Yes, that was my intention. By the way, this will be another use-case for the multi trusted-ca feature. Then one could just add the CA A2, CA B1 and CA B2 in addition for this tenant. 

>> * What about certificates contained in the Java trust store? Is it 
>> possible to omit the public-key for those?
>
>If the question is if you can also use device certificates that have been signed by one of the standard root CAs contained in the Java key store, then the answer is:
>No.
>
>But I also do not see the use case for it as it would require that every tenant uses device certs signed by a different standard root CA ...

Yes, totally agree with you.
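To illustrate the rotation scheme discussed above (several tenant CA certs with the same subject DN and overlapping validity, of which the adapters only get the currently valid ones), here is an added example in Go using only the standard library. It is not Hono code: the trustedCA struct, the helper names and all certificates and dates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// trustedCA stands in for one entry of a tenant's trusted-ca list (a hypothetical shape, not Hono's tenant schema).
type trustedCA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }
// mkCert builds an ECDSA key plus certificate: parent == nil gives a self-signed tenant CA, otherwise a device cert.
func mkCert(cn string, nb, na time.Time, parent *trustedCA) trustedCA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nb.Unix()), // constructed serial, distinct per validity start in this demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    nb, NotAfter: na,
		IsCA:         parent == nil, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent != nil { // device cert: issued by the tenant CA
		signer, signerKey = parent.cert, parent.key
	} else { // tenant CA: self-signed and permitted to sign certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return trustedCA{cert, key}
}
// validRoots is the set the adapters should be handed: every configured CA whose validity period covers now.
func validRoots(cas []trustedCA, now time.Time) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		if !now.Before(ca.cert.NotBefore) && now.Before(ca.cert.NotAfter) {
			pool.AddCert(ca.cert)
		}
	}
	return pool
}
// deviceAccepted mirrors the handshake check: does the device cert chain to a CA that is valid right now?
func deviceAccepted(dev *x509.Certificate, cas []trustedCA, now time.Time) bool {
	_, err := dev.Verify(x509.VerifyOptions{Roots: validRoots(cas, now), CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

During the overlap window devices issued by either CA are accepted; once the old CA's NotAfter has passed it drops out of the pool, so only devices re-issued under the new CA still pass, which is the point at which an upcoming-expiry check on the tenant object would have had to fire.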
