Everyware Cloud deploys a Certificate Registry Service. This service allows users to manage the certificates that other Everyware Cloud services need to do their job. A certificate is characterized by one or more usages. There are currently three usages supported by the platform (more usages may be supported in future releases):
- JSON Web Token (JWT) signing
- Control message signing
- TLS Mutual Authentication
Within Everyware Cloud, JWT tokens are used during the authentication phase. JWT is an industry standard specified by RFC 7519.
According to the specification, a JWT is a compact, URL-safe means of representing claims to be transferred between two parties. For example, a client application needs a token to access the RESTful API; see the REST API section for more details about using JWT tokens with the RESTful API.
Control message signing is an Everyware Cloud security feature used by device management operations to guarantee that the EC instance issuing the management operation is the one it claims to be, and that the content of the related request message has not been tampered with by a third, possibly malicious, party. See Gateway Management for more details on device management operations.
TLS Mutual Authentication certificates are used to establish a mutually authenticated TLS connection between the device (e.g. ESF) and Everyware Cloud. To implement this type of TLS connection, the platform holds the CA certificates, or intermediate CA certificates, that are needed to validate the client certificate sent by the device during the TLS handshake.
A fresh installation comes with the default ec-sys root account defined. The root account has two certificates associated with it:
- Default JWT certificate: used by the AuthenticationService on login to sign the JWT returned as the Access Token.
- Default Device Management certificate: used by all of the Device Management Services to sign messages sent to an ESF-enabled device.
By default these two certificates have the forwarded property enabled, so they are inherited by all child accounts. Administrator users of the root account have permission to manage these certificates and can change them at any time.
The Certificates view lists all the available certificates. Clicking a certificate entry opens the Description tab, which shows detailed information about the certificate. The Certificate Tree tab shows the certificate hierarchy for the cases in which the certificate was issued by a certificate authority.
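The following script is an added example, not Everyware Cloud's own code: it shows what the JWT usage amounts to in practice. A token is signed (RS256) with the private key behind a JWT certificate, and anyone holding only the public certificate, such as a service that receives the Access Token, can verify it and reject a token whose claims were altered after signing. The key, certificate subject, claim values and file names are placeholders invented for the demo; only the openssl CLI and a POSIX shell are required.

```shell
#!/bin/sh
# Added example (not Everyware Cloud code): an RS256 JWT signed with the private
# key behind a JWT-usage certificate, then verified with nothing but the public
# certificate. Key, subject, claim values and file names are demo placeholders.
set -eu
WORK=$(mktemp -d)

# base64url as required by RFC 7519: standard base64, '+/' -> '-_', no padding
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

make_jwt_keypair() {
  # RSA key plus a self-signed certificate standing in for the Default JWT certificate
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/jwt.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/jwt.key" -subj "/CN=ec-sys JWT (demo)" \
    -days 30 -out "$WORK/jwt.crt" 2>/dev/null
}

sign_jwt() {
  # $1 = JSON claims; prints header.payload.signature
  jwt_header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  jwt_payload=$(printf '%s' "$1" | b64url)
  jwt_sig=$(printf '%s.%s' "$jwt_header" "$jwt_payload" \
    | openssl dgst -sha256 -sign "$WORK/jwt.key" -binary | b64url)
  printf '%s.%s.%s\n' "$jwt_header" "$jwt_payload" "$jwt_sig"
}

verify_jwt() {
  # $1 = token, $2 = certificate PEM; exit status 0 only if the signature matches
  signing_input=${1%.*}
  sig_b64=${1##*.}
  # undo base64url and restore padding so openssl can decode the signature
  sig_std=$(printf '%s' "$sig_b64" | tr '_-' '/+')
  pad=$(( (4 - ${#sig_std} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do sig_std="${sig_std}="; pad=$((pad - 1)); done
  printf '%s' "$sig_std" | openssl base64 -d -A > "$WORK/sig.bin"
  # extract the public key from the certificate and check the signature over header.payload
  openssl x509 -in "$2" -pubkey -noout > "$WORK/jwt.pub"
  printf '%s' "$signing_input" \
    | openssl dgst -sha256 -verify "$WORK/jwt.pub" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

make_jwt_keypair
TOKEN=$(sign_jwt '{"iss":"ec-sys","sub":"admin","exp":1700000000}')
echo "access token: $TOKEN"
if verify_jwt "$TOKEN" "$WORK/jwt.crt"; then echo "signature valid for jwt.crt"; fi
# a token whose payload was altered after signing must be rejected
FORGED="${TOKEN%%.*}.$(printf '{"iss":"ec-sys","sub":"root"}' | b64url).${TOKEN##*.}"
if verify_jwt "$FORGED" "$WORK/jwt.crt"; then echo "BUG: forged token accepted"; else echo "tampered token rejected"; fi
```

Verification needs only jwt.crt, which is why the public certificate can be forwarded to child accounts while the private key stays with the AuthenticationService; replacing the JWT certificate invalidates every token signed with the old key, which is the impact the warning below about removing or disabling certificates refers to.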
Removing/Suspending/Revoking a JWT Certificate
Each account must have a valid JWT certificate in order for Everyware Cloud to authenticate access. Take care when managing certificates: removing or disabling them may have severe impacts on other users.
Account administrators can add new certificate entries from the Everyware Cloud console. To create a new certificate entry, click the Add button in the Certificates section to open the New Certificate dialog shown in the following screen capture.
The following table defines the Certificate Information for new certificates.

| Field | Description |
| --- | --- |
| Name | Must be at least 3 characters and can contain alphanumeric characters combined with dashes and/or underscores. |
| Usage | Select one or more options. |
| Forwarded | Check if the certificate has to be available to child accounts as well. |
| Certificate Authority | Select the certificate authority, if any; otherwise leave this field empty. |
| Private Key | Copy and paste the private key for the certificate. |
| Password | Password used to decrypt the private key. If the private key is not encrypted, leave the field empty. |
| Certificate | Copy and paste the public certificate. |
If another valid certificate with the same usage already exists, the new certificate entry is added in the suspended status, so adding a certificate does not by itself replace the one currently in use.
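The following script is an added example, not Everyware Cloud tooling, tying together the TLS Mutual Authentication usage described earlier and the Private Key / Password fields of the dialog. It builds a device CA, issues a client certificate for a gateway under it, runs the chain check that the platform performs on the certificate a device presents during the TLS handshake (a self-signed certificate with the same CN is rejected), and produces an encrypted PEM private key of the kind the dialog expects together with its password. The CA subject, device ids, validity periods and the password are placeholders invented for the demo; only the openssl CLI and a POSIX shell are required.

```shell
#!/bin/sh
# Added example (not Everyware Cloud tooling): a device CA, a client certificate
# issued under it, the chain check done on the device certificate during the
# mutual TLS handshake, and an encrypted PEM private key in the form the
# Private Key / Password fields expect. Subjects, ids and the password are placeholders.
set -eu
WORK=$(mktemp -d)

make_device_ca() {
  # the CA whose certificate would be registered with usage "TLS Mutual Authentication"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -subj "/CN=Demo Device CA" \
    -days 365 -out "$WORK/ca.crt" 2>/dev/null
}

issue_client_cert() {
  # $1 = device id used as the subject CN; writes $WORK/$1.key and $WORK/$1.crt
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.crt" 2>/dev/null
}

make_rogue_cert() {
  # a self-signed certificate claiming the same device id, never signed by the CA
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rogue.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/rogue.key" -subj "/CN=gw-0001" \
    -days 90 -out "$WORK/rogue.crt" 2>/dev/null
}

client_cert_accepted() {
  # $1 = certificate presented by the device; succeeds only if it chains to the registered CA
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

encrypt_private_key() {
  # $1 = key file, $2 = password; prints an encrypted PKCS#8 PEM for the Private Key
  # field, with $2 being the value to enter in the Password field
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -passout "pass:$2" 2>/dev/null
}

make_device_ca
issue_client_cert gw-0001
make_rogue_cert
client_cert_accepted "$WORK/gw-0001.crt" && echo "gw-0001.crt: accepted (issued by the CA)"
client_cert_accepted "$WORK/rogue.crt" || echo "rogue.crt: rejected (same CN, not issued by the CA)"
encrypt_private_key "$WORK/gw-0001.key" 'demo-password' > "$WORK/gw-0001.enc.key"
head -1 "$WORK/gw-0001.enc.key"   # -----BEGIN ENCRYPTED PRIVATE KEY-----
```

The chain check is what makes the CA certificate registered in the platform the trust anchor: a device is accepted because its certificate was issued by that CA, not because of the name it carries. A private key pasted into the dialog in the encrypted form shown here must be accompanied by its password; leave the Password field empty only for an unencrypted key.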
To make changes to an existing certificate, select the certificate from the Certificates view and then click Edit.
To delete an existing certificate, select the certificate from the Certificates view and then click Delete.