Key Stores

With the Key Stores feature, a user can remotely manage from Everyware Cloud the cryptographic keys and certificates used by the device. A Key Store is a container for such keys and certificates; a device can have multiple key stores, each holding a list of key and certificate entries.

Devices may use cryptographic keys and certificates for several purposes. For example, a device can have an SSLKeystore that contains the trusted certificate with the public key used to establish the secure MQTTS connection to Everyware Cloud, or a DMKeystore that contains the trusted certificate with the public key used to validate the device management requests sent by Everyware Cloud to the device. A device can also have an HttpKeystore that contains the certificates for the private/public key pair used by the device to accept secure HTTPS connections.

To list the entries of all the key stores managed by a device, go to the Device view, select the device and select the Keystore tab. The list of all the entries is displayed.

Each entry reports the following information:

Keystore Id

A string that identifies the store of the entry

Alias

Alias that identifies the entry within the store

Type

Type of the entry. For example:

  • TRUSTED_CERTIFICATE. This type of entry contains a single public key certificate. The owner of the store trusts that the public key contained in the certificate belongs to the owner (subject) of the certificate.
  • PRIVATE_KEY. This type of entry contains a cryptographic private key plus a certificate chain for the corresponding public key.

Algorithm

Algorithm used to generate the key pairs or to generate the signature

Size

Size in bytes

📘

If the device does not support the Key Stores feature, then the corresponding tab in the Device view is disabled or not visible.

Detailed information about a specific entry can be obtained by selecting its row and pressing the Details button.

Add new Items to a Key Store

You can add new certificates or key pairs to the device by pressing the Add button; the type of the new entry can be one of the following options:

  • Certificate Raw. Use this option to add a TRUSTED_CERTIFICATE entry by providing the certificate in PEM format
  • Certificate. Use this option to add a TRUSTED_CERTIFICATE entry by selecting the certificate from the Everyware Cloud Certificate Service
  • Key Pair. Use this option to add a new PRIVATE_KEY entry. The device will first generate the private and the public key and then store them.

📘

Key stores cannot be added remotely from within EC. Refer to the ESF user guide for more details regarding the creation of new key stores.

Certificate Raw

Select the key store of the certificate and assign it an alias. In the certificate box enter the certificate in PEM format.

Press the Submit button to send to the device the request to store the new entry.
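A pre-submission check for the Certificate Raw step, as an added example that is not part of the original page or of Everyware Cloud: it confirms that the pasted text is exactly one CERTIFICATE block with no private key material and intact DER framing, and returns the SHA-256 fingerprint to compare against the value obtained from the certificate's issuer. The function names and the sample input are constructed for this example; it checks framing only and does not parse X.509 fields.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in: a minimal DER SEQUENCE, NOT a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def der_total_length(der: bytes) -> int:
    """Return header + body length announced by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def precheck_trusted_cert(pem_text: str) -> str:
    """Validate text for the certificate box; return SHA-256 fingerprint (hex)."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    # A TRUSTED_CERTIFICATE entry holds a public certificate only.
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("private key material present; do not submit")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, got {labels}")
    body = "".join(blocks[0][1].split())          # drop line breaks
    der = base64.b64decode(body, validate=True)   # rejects stray characters
    if der_total_length(der) != len(der):
        raise ValueError("truncated or padded DER data")
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    print(precheck_trusted_cert(SAMPLE_PEM))
```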

Certificate

Select the key store of the certificate and assign it an alias. In the Certificate Info box, select a certificate from the drop-down list.

Press the Submit button to send to the device the request to store the new entry.

Key Pair

Press the Add button and select the Key Pair option. Fill in the data required in the dialog that pops up. For ESF devices, check the guide for a list of supported algorithms and signing algorithms. In the Attributes box, enter the comma-separated list of the attributes required, for example:

  • CN=<Common Name>, OU=<Organizational Unit>, O=<Organization Name>, C=<Country>

Press the Submit button to send to the device the request to generate and store the new private key entry.

Create a CSR (Certificate Signing Request)

You can get a Certificate Signing Request (CSR) from a key pair in a key store. Select the private key entry and press the CSR button. Enter the signature algorithm. For ESF devices, check the guide for the list of supported signing algorithms. In the Attributes box, enter the comma-separated list of the attributes required, for example:

  • CN=<Common Name>, OU=<Organizational Unit>, O=<Organization Name>, C=<Country>

Press the Submit button to send to the device the request to create the CSR. The CSR will be sent back to Everyware Cloud in PEM format with the response.

The CSR is ready to be submitted to a Certification Authority for signing.
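The Attributes string used in both the Key Pair and the CSR dialogs can be checked before it is submitted; the following is an added example, not part of the original page or of Everyware Cloud. It assumes that the four attribute types shown above are the only ones allowed, that each appears at most once, and that CN is mandatory; the function name is hypothetical.

```python
import re

# Attribute types taken from the page's example. Treating them as the full
# allowed set, one value per type, with CN mandatory, is an assumption here.
ALLOWED = ("CN", "OU", "O", "C")


def parse_attributes(text: str) -> dict:
    """Parse 'CN=..., OU=..., O=..., C=..' and reject malformed input."""
    attrs = {}
    for piece in text.split(","):
        key, sep, value = piece.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep:
            # Typical cause: a comma inside a value, e.g. "O=Acme, Inc."
            raise ValueError(f"fragment without '=': {piece.strip()!r}")
        if key not in ALLOWED:
            raise ValueError(f"unexpected attribute type: {key!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        if not value or "<" in value or ">" in value:
            raise ValueError(f"{key} is empty or still a template placeholder")
        attrs[key] = value
    if "CN" not in attrs:
        raise ValueError("CN is required")
    # X.520 countryName is a two-letter code.
    if "C" in attrs and not re.fullmatch(r"[A-Z]{2}", attrs["C"]):
        raise ValueError("C must be a two-letter upper-case country code")
    return attrs


if __name__ == "__main__":
    # Constructed sample value.
    print(parse_attributes("CN=gw-001, OU=Field, O=Example, C=IT"))
```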

Delete a Certificate

Select the entry that you want to delete, then press the Submit button to send the deletion request to the device.

Add or Delete Items using Jobs

Through the Device Jobs functionality you can execute the following Key Store operations over a fleet of devices:

  • Certificate entry creation
  • Key pair entry creation
  • Entry deletion

To create and schedule a Job see the Job Documentation. During the step configuration you can assign one of the operations above to the step.

Certificate entry creation

Key pair entry creation

Entry deletion

Check Key Store Configuration

You can check the details of a key store component configuration (e.g. the SSLKeystore component configuration) from the Configurations tab of the device. Select the Configurations tab and search for the component configuration that matches the id of the key store (e.g. SSLKeystore).