NavigationContentFooter
Suggest an edit

How to provide your own Certificate Authority

Reviewed on 27 December 2023Published on 01 September 2019

When creating a hub, a Certificate Authority will be automatically created and a certificate will be issued for each device subsequently added. However, you can opt for the hub to use a custom Certificate Authority (CA), to enable more complex scenarios.

Before you start

To complete the actions presented on this page, you must have:

Important
  • If the hub’s Certificate Authority (CA) is changed to a custom one, this action is definitive. It is not possible to reinstate the original Scaleway-managed PKI at a later point.
  • If a hub has devices, their certificates will be deleted. This means that to connect again using mTLS, new certificates must be generated for each device, and signed by the provided Certificate Authority.
Requirements
  • You have an account and are logged into the Scaleway console
  • You have created an IoT Hub

When using a custom Certificate Authority, devices must present the whole certificate chain, including the Certificate Authority. Failing to present the complete chain will result in a disconnection during the TLS handshake. Devices are identified by the Common Name (CN) taken from the device certificate. If a device with the same name does not exist inside the target hub, it will be disconnected unless device auto-provisioning is configured (see the next section).

Switching to a custom Certificate Authority has several benefits:

  • It allows for greater flexibility, by allowing different key sizes & algorithms.
  • It enables industrial usage.
Note

As a security measure to protect certificates, Scaleway does not have access to private keys of custom Certificate Authorities. Therefore, the hub will not issue certificates for a custom Certificate Authority.

Important

To change your hub Certificate Authority, you must disable your hub.

  1. Click IoT Hub in the Managed Services section of the side menu. The list of your IoT Hubs displays.

  2. Click the name of the IoT Hub on which the Certificate Authority should be installed. The hub’s overview page displays.

  3. Prepare the CA certificate and a proof of possession certificate.

    A proof of possession is needed to prove that you own that Certificate Authority and possess its private key, without sending the private key over the network. This helps to protect the CA certificate from being reused by malicious actors after a hub has been deleted, as certificates alone are public by nature.
    To generate a proof of possession, sign a certificate that has the target Hub ID (that looks like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) as Common Name using the CA certificate.

  4. Scroll to the Add a Certificate Authority section of the page. Then click Replace Certificate Authority.

  5. Upload your CA certificate pem file and your verification (proof of possession) certificate pem file.

  6. Click Replace certificate authority to complete the replacement.

  7. Re-enable your hub to activate the replaced Certificate Authority.

    Important

    Once the CA is uploaded, all existing devices will have their Scaleway certificates deleted, as they will not match the newly installed Certificate Authority. You will need to generate new certificates on your side to be able to connect your devices again.

See also
How to enable or disable an IoT HubHow to add a device
Cloud Products & Resources
  • Scaleway Console
  • Compute
  • Storage
  • Network
  • IoT
  • AI
Dedicated Products & Resources
  • Dedibox Console
  • Dedibox Servers
  • Network
  • Web Hosting
Scaleway
  • Scaleway.com
  • Blog
  • Careers
  • Scaleway Learning
Follow us
FacebookTwitterSlackInstagramLinkedin
ContractsLegal NoticePrivacy PolicyCookie PolicyDocumentation license
© 1999-2024 – Scaleway SAS