Mutual Authentication guidelines

Here you’ll find guidelines on how to set up your IoT configuration and client certificate when authenticating and authorizing clients with mutual authentication.

Serial number as an authorization group

If you want to use a serial number of the certificate that clients present to edge servers as an authorization group, pay attention to the following tips and considerations:
  • Edge servers use hexadecimal notation when performing operations on serial numbers extracted from client certificates.
  • To check the hexadecimal value of a serial number in a client certificate, you can use the following command: openssl x509 -in <cert_file.crt> -noout -text -serial
  • Important: To use a serial number as an authorization group in the access control lists of your namespace configuration:
    • Convert the serial number to lowercase.
    • If present, remove the 0x prefix from the serial number value.
Let's see an example:
[Figure: Serial number as an authorization group in the Mutual Authentication behavior of the IoT Edge Connect configuration]
A piece of a client certificate showing a serial number in hexadecimal notation

     93:e8:35:81:7c:5b:6d:77:6f:ab:e3:3c:b7:f4:41:34:ff:30:
     35:54:71:43:28:40:5f:8f:d2:34:ac:79:a7:1c:a7:9e:77:70:
     46:22:b8:ea:60:31:98:10:e3:b9:ef:a7:72:86:63:f2:10:8d:
     5f:bc:59:7a:4e:9d:be:fd
serial=FAED42417F79A88D
[Figure: Serial number as an authorization group in the access control lists of the namespace configuration]

In this example, the serial number value FAED42417F79A88D in the client certificate matches the authorization group faed42417f79a88d in the namespace configuration.

Fingerprint as a client ID

If you want to use a SHA1 fingerprint of the certificate that clients present to edge servers as a client ID, pay attention to the following tips and considerations:
  • To check the SHA1 value of a fingerprint in a client certificate, you can use the following command: openssl x509 -in <cert_file.crt> -noout -fingerprint
  • When extracting a fingerprint value from a client certificate, edge servers strip the delimiting colons from it.
  • Important: To use a SHA1 fingerprint as a client ID:
    • Convert the fingerprint to lowercase.
    • Remove the colons between the digits.
Let's see an example:
[Figure: SHA1 fingerprint as a client ID in the Mutual Authentication behavior of the IoT Edge Connect configuration]
A piece of a client certificate showing a SHA1 fingerprint
SHA1 Fingerprint=2D:F4:80:50:04:83:8A:C5:03:D5:69:89:BC:5F:1C:4A:CA:69:D6:25
[Figure: Identity topic filter with a SHA1 fingerprint as a client ID]

In this example, the SHA1 fingerprint value 2D:F4:80:50:04:83:8A:C5:03:D5:69:89:BC:5F:1C:4A:CA:69:D6:25 in the client certificate matches the client ID used to access the identity topic: diagnostics/2df4805004838ac503d56989bc5f1c4aca69d625. See Topic filters.
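The normalization rules from both sections above (serial number as an authorization group, SHA1 fingerprint as a client ID), applied to the text that openssl prints, as an added example that is not part of this documentation or the product. The openssl output is constructed for the example and reuses the values shown on this page; a 0x prefix is added to the serial line only to exercise the prefix rule, and the diagnostics/ topic prefix is taken from the example above.

```python
import re

# Constructed sample of: openssl x509 -in client.crt -noout -serial -fingerprint
# (openssl itself prints the serial without 0x; it is added here to exercise that rule)
SAMPLE_OPENSSL_OUTPUT = """\
serial=0xFAED42417F79A88D
SHA1 Fingerprint=2D:F4:80:50:04:83:8A:C5:03:D5:69:89:BC:5F:1C:4A:CA:69:D6:25
"""


def normalize_serial(raw: str) -> str:
    """Serial number as the edge derives it: lowercase hex, no 0x prefix."""
    value = raw.strip().lower()
    if value.startswith("0x"):
        value = value[2:]
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"not a hexadecimal serial number: {raw!r}")
    return value


def normalize_fingerprint(raw: str) -> str:
    """SHA1 fingerprint as the edge derives it: lowercase hex, colons removed."""
    value = raw.strip().lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{40}", value):
        raise ValueError(f"not a SHA1 fingerprint: {raw!r}")
    return value


def parse_openssl_output(text: str) -> dict:
    """Extract the serial and SHA1 fingerprint from `openssl x509` text output.
    OpenSSL 1.1 prints 'SHA1 Fingerprint=' and OpenSSL 3 prints
    'sha1 Fingerprint=', so both labels are matched case-insensitively."""
    serial = re.search(r"^serial=(.+)$", text, re.M | re.I)
    fp = re.search(r"^sha1 fingerprint=(.+)$", text, re.M | re.I)
    if not serial or not fp:
        raise ValueError("serial or SHA1 fingerprint line missing")
    return {
        "auth_group": normalize_serial(serial.group(1)),
        "client_id": normalize_fingerprint(fp.group(1)),
    }


def identity_topic(client_id: str, prefix: str = "diagnostics") -> str:
    """Identity topic for a fingerprint-derived client ID (prefix as on this page)."""
    return f"{prefix}/{client_id}"


def matches_configured(presented: str, configured: str, kind: str) -> bool:
    """True if a configured ACL group (kind='serial') or client ID
    (kind='fingerprint') equals what the edge derives from the presented value.
    The configured value is compared verbatim, so it must already be normalized;
    an uppercase or colon-delimited configured value is reported as a mismatch."""
    derive = normalize_serial if kind == "serial" else normalize_fingerprint
    return derive(presented) == configured
```

Running parse_openssl_output over the real output of the two openssl commands above gives the exact strings to paste into the namespace ACL and the identity topic filter, and matches_configured flags the common mistake of configuring the uppercase or colon-delimited form.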

OCSP stapling in the server certificate configuration

Online Certificate Status Protocol (OCSP) is a common scheme that you may want to use to maintain the security of a server and other network resources. It allows clients to validate the revocation status of server certificates when establishing a TLS connection, without downloading certificate revocation lists from the CA.

By default, the server certificate configuration in Certificate Provisioning System (CPS) enables OCSP stapling for client certificates. For mutual authentication to work properly, make sure you either disable this setting so that clients contact the CA directly to validate the server certificate, or complete the OCSP configuration by providing an OCSP responder host. To do either, edit the deployment settings of your certificate in Certificate Provisioning System. See View and edit your deployment settings.