How to provide your own Certificate Authority
When creating a Hub, a Certificate Authority will be automatically created and a certificate will be issued for each device subsequently added. However, you can opt for the Hub to use a custom Certificate Authority (CA), to enable more complex scenarios.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
- If the Hub’s Certificate Authority is changed to a custom one, this action is definitive. It is not possible to reinstate the original Scaleway-managed PKI at a later point.
- If a Hub has devices, their certificates will be deleted. This means that to connect again using mTLS, new certificates must be generated for each device, and signed by the provided Certificate Authority.
- You have an account and are logged into the Scaleway console
- You have created an IoT Hub
When using a custom Certificate Authority, devices must present the whole certificate chain, including the Certificate Authority. Failing to present the complete chain will result in a disconnection during the
TLS handshake. Devices are identified by the Common Name (CN) taken from the device certificate. If a device with the same name does not exist inside the target Hub, it will be disconnected unless device auto-provisioning is configured (see the next section).
Switching to a custom Certificate Authority has several benefits:
- It allows for greater flexibility, by allowing different key sizes & algorithms.
- It enables industrial usage.
As a security measure to protect certificates, Scaleway does not have access to private keys of custom certificate authorities. Therefore the Hub will not issue certificates for a custom Certificate Authority.
To change your Hub Certificate Authority, you must disable your Hub.
Click IoT Hub in the Managed Services section of the side menu. The list of your IoT Hubs displays.
Click the name of the IoT Hub on which the Certificate Authority should be installed. The Hub’s overview page displays.
Prepare the CA certificate and a proof of possession certificate.
A proof of possession is needed to prove that you own that Certificate Authority and possess its private key, without sending the private key over the network. This helps to protect the CA certificate from being reused by malicious actors after a hub has been deleted, as certificates alone are public by nature.
To generate a proof of possession, sign a certificate that has the target Hub ID (that looks like
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) as Common Name using the CA certificate.
Scroll to the Add a Certificate Authority section of the page. Then click Replace Certificate Authority.
Upload your CA certificate
pemfile and your verification (proof of possession) certificate
Click Save to complete the replacement.
Re-enable your Hub to activate the replaced Certificate Authority.Important:
Once the CA is uploaded, all existing devices will have their Scaleway certificates deleted, as they will not match the newly installed Certificate Authority. You will need to generate new certificates on your side to be able to connect your devices again.