- If the hub’s Certificate Authority (CA) is replaced with a custom one, the change is irreversible: the original Scaleway-managed PKI cannot be reinstated later.
- If the hub has devices, their certificates are deleted. To connect again using mTLS, a new certificate must be generated for each device and signed by the Certificate Authority you provided.
How to provide your own Certificate Authority
When creating a hub, a Certificate Authority will be automatically created and a certificate will be issued for each device subsequently added. However, you can opt for the hub to use a custom Certificate Authority (CA), to enable more complex scenarios.
Before you start
To complete the actions presented on this page, you must have:
- A Scaleway account, and be logged into the Scaleway console
- An IoT Hub
When using a custom Certificate Authority, devices must present the whole certificate chain, including the Certificate Authority certificate itself. Failing to present the complete chain results in a disconnection during the TLS handshake. Devices are identified by the Common Name (CN) of the device certificate: if no device with that name exists in the target hub, the connection is dropped, unless device auto-provisioning is enabled on the hub (see the Enable auto-provisioning page).
Switching to a custom Certificate Authority has several benefits:
- Greater flexibility: you choose the key sizes and algorithms used for the CA and the device certificates.
- Industrial use cases: device certificates are issued and managed by your own PKI rather than by the hub.
As a security measure to protect certificates, Scaleway does not have access to private keys of custom Certificate Authorities. Therefore, the hub will not issue certificates for a custom Certificate Authority.
To change your hub Certificate Authority, you must disable your hub.
1. Click IoT Hub in the Managed Services section of the side menu. The list of your IoT Hubs displays.
2. Click the name of the IoT Hub on which the Certificate Authority should be installed. The hub’s overview page displays.
3. Prepare the CA certificate and a proof-of-possession certificate.
   A proof of possession is needed to prove that you own the Certificate Authority and hold its private key, without sending the private key over the network. Since certificates alone are public by nature, this prevents a malicious actor from reusing your CA certificate, for example after your hub has been deleted.
   To generate the proof of possession, sign a certificate whose Common Name is the target hub ID (which looks like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) with the CA, i.e. with the CA’s private key.
4. Scroll to the Add a Certificate Authority section of the page, then click Replace Certificate Authority.
5. Upload your CA certificate .pem file and your verification (proof-of-possession) certificate .pem file.
6. Click Replace certificate authority to complete the replacement.
7. Re-enable your hub to activate the replaced Certificate Authority.

Important: Once the CA is uploaded, all existing devices have their Scaleway-issued certificates deleted, as they no longer match the installed Certificate Authority. You need to generate new device certificates, signed by your CA, before your devices can connect again.
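The following Go program is an added worked example (it is not part of the Scaleway documentation or tooling) covering the whole flow described on this page: it creates a custom CA, issues the proof-of-possession certificate with the hub ID as Common Name, issues a device certificate with the device name as Common Name, assembles the chain the device must present, and then applies the two rules stated earlier (the presented chain must end with the CA, and the leaf must verify against it) to that chain. The hub ID and device name are placeholders, and the verification function models the rules given on this page rather than Scaleway's actual implementation. Only the Go standard library is used; the same certificates can equally be produced with openssl.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hub ID and device name used throughout; substitute your own.
const HubID, DeviceName = "11111111-2222-3333-4444-555555555555", "sensor-01"

// issue generates a P-256 key and signs tmpl with parent/parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the custom CA. Its key never leaves your side; only the certificate is uploaded.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Fleet CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// Issue signs a leaf with Common Name cn under the CA: cn = hub ID gives the proof-of-possession
// certificate, cn = device name (with ClientAuth) gives a device certificate for mTLS.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, usages ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: usages,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
	}, caCert, caKey)
}

// CertPEM encodes one certificate; ChainPEM is what the device must present: its own certificate,
// then the CA's (any intermediate CA certificates would go between the two).
func CertPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func ChainPEM(leaf, ca *x509.Certificate) []byte {
	return append(CertPEM(leaf), CertPEM(ca)...)
}

// VerifyDevicePresentation applies the page's two rules: the chain must be complete (end with the
// CA) and the leaf must chain to that CA. It returns the leaf CN, which is the device name the hub
// looks up. (Example logic written for this page, not Scaleway's implementation.)
func VerifyDevicePresentation(chainPEM []byte, caCert *x509.Certificate) (string, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(chainPEM); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", err
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 || !certs[len(certs)-1].Equal(caCert) {
		return "", fmt.Errorf("incomplete chain: CA certificate not presented")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(caCert)
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := certs[0].Verify(opts); err != nil {
		return "", err
	}
	return certs[0].Subject.CommonName, nil
}

func main() {
	caCert, caKey, _ := NewCA()
	pop, _, _ := Issue(caCert, caKey, HubID)
	dev, _, _ := Issue(caCert, caKey, DeviceName, x509.ExtKeyUsageClientAuth)
	fmt.Printf("%s%s", CertPEM(caCert), CertPEM(pop))                    // the two .pem files to upload
	fmt.Println(VerifyDevicePresentation(ChainPEM(dev, caCert), caCert)) // sensor-01 <nil>
}
```

Running it prints the CA certificate and the proof-of-possession certificate, which are the two .pem files the console asks for; check the Common Name of each with openssl x509 -noout -subject before uploading. The device must send the output of ChainPEM, never the leaf alone, or the TLS handshake fails as the page warns. Keep the CA private key offline or in an HSM: Scaleway never holds a copy, so losing it means no further device certificates can be issued, and the switch away from the Scaleway-managed PKI cannot be undone.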