
Certificate renewal

Hi,

I don't know if this is the right forum to ask, but is there any common solution for certificate renewal?

For example, if I use Azure IoT Hub, I will provision the DigiCert root cert (valid until 2038) and a client certificate (valid until XXX) at the factory where the device is produced.
But what if the device sits for months on a store shelf and the certificate expires? Or if a customer just turns it off for months?

Is there any accepted solution for a PKI with embedded devices?

(Without implementing it all by yourself, since it is never a good idea to implement security by yourself...)

Best regards

  • In general it is not harmful to provision devices with long-lasting certificates. In general it should be avoided to rotate certificates in production, since this introduces the risk of bricking devices in the field. Especially as long as key pairs are not generated on the device, the private key is transmitted over the air, which adds an additional attack scenario.

    There might be another issue, where the endpoint is not guaranteed to exist after years on the shelf. For these scenarios it is advisable to use a bootstrap server (a server that factory-provisioned devices can connect to, which then sends the production key pair and the endpoint to the device). This model is implemented in Azure with the DPS (Device Provisioning Service). AWS does not have a specific solution for this.

    Bootstrapping can also be used for key rotation, but again introduces the possibility of private keys being intercepted.
