Originally published at: Introducing Golioth Certificate-Based Authentication
Golioth is secure by default, offering a couple of different ways for your devices to establish a secure connection to the Golioth Servers. When trying out features in the lab, pre-shared keys (PSK) are fine. But when moving devices into production, there is no substitute for certificate-based authentication. Today we are announcing the ability to use Certificates with the Golioth platform. Certificates deliver numerous security benefits when compared to pre-shared keys. This is especially true when it comes to provisioning your IoT fleet. As devices roll off the assembly line, they can be granted individual device certificates signed using a trusted chain of root certificates and intermediate certificates. At that point, the devices are not yet registered on the Golioth server. When they first connect, the certificates are verified against the chain of trust and a record of the trust-verified device is created. This simplifies the registration of a large influx of new devices, as happens in a production environment. Let’s walk through the process used to get to that point. How to generate and use certificates with Golioth Generating a self-signed root certificate A root certificate is a cryptographic public/private key pair. The private key is used to sign all device certificates. The public key is uploaded to the Golioth server and used at the project level to verify each device certificate when establishing a secure connection. SERVER_NAME=‘golioth’ # Generate an elliptic curve private key # Run openssl ecparam -list_curves to list all available algorithms # Keep this key safe! Anyone who has it can sign authentic-looking device certificates openssl ecparam -name prime256v1 -genkey -noout -out “${SERVER_NAME}.key.pem” # Create and self-sign a corresponding public key / certificate openssl req…