Certificate Authority update

As a security measure, Scaleway IoT Hub was designed with a mutual Transport Layer Security (TLS) as the default authentication protocol. This means each device needs to verify the authenticity of the IoT Hub certificate.

Using a trusted Certificate Authority (CA) to issue digital certificates is essential to guarantee a secure Transport Layer Security (TLS) connection between a device and the IoT Hub. A digital certificate contains important information about the server’s identity that can help verify its authenticity, then allowing the device to use it to establish a secure connection with the server.

However, the current Certificate Authority of the IoT Hub server endpoint is set to expire in February 2024. We thus issued a new one to be used on your devices.

The information provided on this page explains what the migration entails and how to successfully transition to the new CA.

The CA used in the migration is a .pem bundle that currently contains both the soon-to-be expired and new CA. This allows for a seamless transition.

Planning the migration

The new CA will now be valid for 10 years. This way, your devices will not need to be regularly updated. Additionally, the key used for the current CA has been changed from an RSA4096 to an ECDSA key with a NIST P-384 Curve. The new ECDSA algorithm uses shorter key lengths than RSA while providing stronger security, which is ideal for embedded devices.

To implement these changes, a new IoT Hub endpoint has been made available: migration.iot.fr-par.scw.cloud. It acts exactly like iot.fr-par.scw.cloud, which is the endpoint Scaleway users have habitually been provided with, except it will now identify itself with a “server” certificate signed by the new CA. Starting February 2023, you can connect to this new, transitory endpoint.

On 26 September 2023, the old certificate for the iot.fr-par-scw.cloud endpoint will be changed for one signed by the new CA. Any device using the current CA to verify this new certificate will fail to do so.

On 30 January 2024, the migration endpoint will be deactivated. You will only be able to connect to the main iot.fr-par-scw.cloud endpoint.

Taking this timeline into account and depending on what your device allows, two options are available to you.

Your device can use a CA bundle

The first option is to use a CA bundle. In this case, the transition will be smoother because no further action will be required from you once you are done configuring it.

1. Log into the Scaleway console
2. Click IoT Hub on the side menu. The IoT Hub creation page displays.
3. Click the name of your hub. You are redirected to the Overview section of your hub.
4. Click the Networks tab. Find the network with the iot.fr-par.scw.cloud endpoint.
5. Click «Download Icon» next to the endpoint to download the CA. The downloaded certificate is a bundle signed by both the old and new Certificate Authority.
6. Set up the new CA bundle on your device
7. Issue a test connection to the migration endpoint to ensure you can use the new CA.

You can keep using the main endpoint. When the switch comes into effect, no further action will be required on your end.

Your device can only use a single CA

Most devices support CA bundles, but if this is not the case for your device, you can try this second option.

1. Click here to download the new CA.
2. Set up the CA on your device.
3. Issue a test connection to the migration endpoint. If the test connection is successful, keep using it.
4. Once the main endpoint is updated on 26 September 2023, revert back to it.