How to provide your own Certificate Authority
When creating a Hub, a Certificate Authority will be automatically created and a certificate will be issued for each device subsequently added. However, you can opt for the Hub to use a custom Certificate Authority (CA), to enable more complex scenarios.
- If the Hub’s Certificate Authority is changed to a custom one, this action is definitive. It is not possible to reinstate the original Scaleway-managed PKI at a later point.
- If a Hub has devices, their certificates will be deleted. This means that to connect again using mTLS, new certificates must be generated for each device, and signed by the provided Certificate Authority.
When using a custom Certificate Authority, devices must present the whole certificate chain, including the Certificate Authority. Failing to present the complete chain will result in a disconnection during the
TLS handshake. Devices are identified by the Common Name (CN) taken from the device certificate. If a device of the same name does not exist inside the target Hub, it will be disconnected unless device auto-provisioning is configured (see the next section).
Switching to a custom Certificate Authority has several benefits:
- It allows for greater flexibility, by allowing different key sizes & algorithms.
- It enables industrial usage.
As a security measure to protect certificates, Scaleway does not store the private keys of custom certificate authorities. Therefore the Hub will not issue certificates for a custom Certificate Authority.
To change your Hub Certificate Authority, you must disable your Hub.
Click IoT Hub in the IoT Station section of the side menu. The list of your IoT Hubs displays.
Click the name of the IoT Hub on which the Certificate Authority should be installed. The Hub’s overview page displays.
Prepare the CA certificate and a proof of possession certificate.
A proof of possession is needed to prove that you own that Certificate Authority and possess its private key, without sending the private key over the network. This helps to protect the CA certificate from being reused by malicious actors after a hub has been deleted, as certificates alone are public by nature.
To generate a proof of possession, sign a certificate that has the target Hub ID (that looks like
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) as Common Name using the CA certificate.
Scroll to the Add a Certificate Authority section of the page. Then click Replace Certificate Authority.
Upload your CA certificate
pemfile and your verification (proof of possession) certificate
Click Save to complete the replacement.
Re-enable your Hub to activate the replaced Certificate Authority.
Once the CA is uploaded, all existing devices will have their Scaleway certificates deleted, as they won’t match the newly installed Certificate Authority. You will need to generate new certificates for those devices for them to be able to connect again.