Issue with Primary Hardware ID During Certificate-Based Device Registration

rubenl97m · September 19, 2023, 6:54pm

Hello everyone,

I am facing an issue with the primary hardware ID when registering a device using certificate-based authentication. I am using OpenSSL to generate device certificates and have specified the primary hardware ID in the certificate. However, when the device connects to the Golioth cloud, the primary hardware ID is not what I specified. Instead, it seems to be appended with a timestamp.

Steps to Generate the Certificate:

I am using the following OpenSSL commands to generate the device certificate:

Generate an elliptic curve private key

openssl ecparam -name prime256v1 -genkey -noout -out “erad003.key.pem”

Create a certificate signing request (CSR)

openssl req -new -key “erad003.key.pem” -subj “/C=BR/O=ethermostat/CN=rad003” -out “erad003.csr.pem”

Sign the certificate (CSR) using a self-signed root certificate

openssl x509 -req -in “erad003.csr.pem” -CA “golioth.crt.pem” -CAkey “golioth.key.pem” -CAcreateserial -out “erad003.crt.pem” -days 500 -sha256


Expected Behavior:

I expect the primary hardware ID to be `erad003` as specified in the certificate.

Actual Behavior:

The primary hardware ID that gets registered in the Golioth cloud is in the format `20230917171529-rad003`.

![Captura de pantalla 2023-09-17 125843|623x466](upload://liOrFA2EaeFMig6KTJ313kISN04.png)


Questions:

1. Is there a way to control the primary hardware ID during automatic registration?
2. Can I read this generated ID back into my device code?
3. Is this behavior documented, and if so, where can I find more information?

I would appreciate any help or guidance on this issue. Thank you!

mike · September 19, 2023, 8:10pm

Hi Ruben,

I’m sorry for the confusion on this topic. Our current documentation incorrectly uses the term PRIMARY_HARDWARE_ID in the example certificate generation script. The correct term should be DEVICE_NAME .

You should see erad003 from the example above appear as the device name for the newly authenticated device. The hardware id for that device is a unique identifier generated by the Golioth servers and cannot be defined by the device certificate.

I have opened a pull request to update this section of our docs.

rubenl97m · September 19, 2023, 10:24pm

yes! i’ve got in the golioth cloud the DEVICE_NAME registered as erad003. but is there a way to control or get from the device the device ID creation?
i want to save the DeviceId into a database for filtering access when querying at REST API ex;
/v1/projects/{projectId}/devices/{deviceId}

mike · September 26, 2023, 7:23pm

You will still have access to the primary hardware ID by using the REST API. Use a GET /v1/projects/{projectID}/devices with the name filter