Below you will find information about how to connect to the Tartabit IoT Bridge using a LWM2M client with certificate based authentication.
When using thumbprints, each
Endpoint in the IoT Bridge is configured with the thumbprint of the certificate associated with the device. This enables fine control over which devices can connect, but it also requires provisioning the security information for every device that attempts to connect.
# generate the private key openssl ecparam -out client.key.pem -name prime256v1 -genkey -noout # convert the private key from pem to der format (needed by some clients) openssl ec -in client.key.pem -outform DER -out client.key.der # generate the certificate openssl req -new -key client.key.pem -x509 -nodes -days 2650 -out client.cert.pem # convert the certificate from pem to der format (needed by some clients) openssl x509 -in client.cert.pem -outform DER -out client.cert.der
The thumbprint can be added manually, or by clicking the certificate icon and selecting the PEM encoded certificate from your filesystem.
Use a CA to authenticate all certificates that have been signed by the same CA. Currently the CA method requires a single CA certificate that directly signs the client certificates, use of intermediate CAs is not supported. Additionally, each CA certificate is identified uniquely by its Distinguished Name (DN) must have a globally unique DN or else an error will be reported. As such, the same CA certificate, or a CA certificate with the same DN as an existing certificate cannot be used in multiple accounts.
If you see an error in the logs "Certificate is already in-use", that means that the DN for the certificate you are trying to use has already been registered into another account.
# generate the root private key openssl ecparam -out root.key.pem -name prime256v1 -genkey -noout # generate the root cert openssl req -new -key root.key.pem -x509 -nodes -days 3650 -out root.cert.pem
# generate the leaf key openssl ecparam -out leaf.key.pem -name prime256v1 -genkey -noout # convert the leaf private key from pem to der format (needed by some clients) openssl ec -in leaf.key.pem -outform DER -out leaf.key.der # generate the leaf csr openssl req -new -key leaf.key.pem -out leaf.cert.csr # generate leaf cert openssl x509 -req -in leaf.cert.csr -CA root.cert.pem -CAkey root.key.pem -CAcreateserial -days 3650 -sha256 -out leaf.cert.pem # convert the leaf certificate from pem to der format (needed by some clients) openssl x509 -in leaf.cert.pem -outform DER -out leaf.cert.der
openssl verify -verbose -CAfile root.cert.pem leaf.cert.pem
The CA certificate should be pasted into the service definition, make sure to include the
-----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- blocks.