Mutual Authentication guidelines
Here you’ll find guidelines on how to set up your IoT configuration and client certificate when authenticating and authorizing clients with mutual authentication.
Serial number as an authorization group
- Edge servers use hexadecimal notation when performing operations on serial numbers extracted from client certificates.
- To check the hexadecimal value of a serial number in a client certificate, you can use the following command:
openssl x509 -in <cert_file.crt> -noout -text -serial
Important: To use a serial number as an authorization group in the access control lists of your namespace configuration:
- Convert the serial number to lowercase.
- If present, remove the 0x prefix from the serial number value.
matches this authorization group in the namespace configuration:
Fingerprint as a client ID
- To check the SHA1 value of a fingerprint in a client certificate, you can use the following command:
openssl x509 -in <cert_file.crt> -noout -fingerprint
- When extracting a fingerprint value from a client certificate, edge servers convert the fingerprint value so that it doesn’t include a delimiting colon.
Important: To use a SHA1 fingerprint as a client ID:
- Convert the fingerprint to lowercase.
- Remove the colons between the digits.
2D:F4:80:50:04:83:8A:C5:03:D5:69:89:BC:5F:1C:4A:CA:69:D6:25
matches this client ID used to access the identity topic:
diagnostics/2df4805004838ac503d56989bc5f1c4aca69d625. See Topic filters.
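The conversions described in the serial number and fingerprint sections above, as an added Python example that is not part of these guidelines: it normalizes the serial and SHA1 fingerprint lines printed by openssl into the forms the edge servers compare against (lowercase, no 0x prefix, no colons) and checks a client ID in an identity topic against a certificate fingerprint. The serial value in the sample output is constructed; the fingerprint is the one used above.

```python
import hmac
import re

# Sample `openssl x509 -noout -serial -fingerprint` output. The serial is a
# constructed placeholder; the fingerprint is the example from the guidelines.
SAMPLE_OPENSSL_OUTPUT = """\
serial=0x0A1B2C3D4E5F
SHA1 Fingerprint=2D:F4:80:50:04:83:8A:C5:03:D5:69:89:BC:5F:1C:4A:CA:69:D6:25
"""


def normalize_serial(serial: str) -> str:
    """Lowercase the serial and drop an optional 0x prefix: the ACL group form."""
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"serial is not hexadecimal: {serial!r}")
    return s


def normalize_fingerprint(fingerprint: str) -> str:
    """Lowercase the SHA1 fingerprint and remove delimiting colons: the client ID form."""
    s = fingerprint.strip().lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{40}", s):
        raise ValueError(f"not a SHA1 fingerprint: {fingerprint!r}")
    return s


def parse_openssl_output(text: str) -> dict:
    """Extract the normalized serial group and client ID from openssl's key=value lines."""
    result = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "serial":
            result["serial_group"] = normalize_serial(value)
        elif key.lower().startswith("sha1 fingerprint"):
            result["client_id"] = normalize_fingerprint(value)
    return result


def identity_topic(client_id: str) -> str:
    """Build the diagnostics identity topic for a normalized client ID."""
    return f"diagnostics/{client_id}"


def client_id_matches(topic: str, fingerprint: str) -> bool:
    """Compare the topic's client-ID segment with a certificate fingerprint in constant time."""
    return hmac.compare_digest(topic.rpartition("/")[2], normalize_fingerprint(fingerprint))
```

A fingerprint that still carries colons or uppercase hex will not match the client ID the edge server derives, which is why both sides are normalized before comparison.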
OCSP stapling in the server certificate configuration
Online Certificate Status Protocol (OCSP) is a common mechanism for maintaining the security of a server and other network resources. It allows clients to validate server certificates when establishing a TLS connection, without transmitting certificate revocation lists from the CA.
By default, the server certificate configuration in Certificate Provisioning System (CPS) enables OCSP stapling for client certificates. For mutual authentication to work properly, make sure you either disable this setting so that clients contact the CA directly to validate the server certificate, or complete the OCSP configuration by providing an OCSP responder host. To do either, edit the deployment settings of your certificate in Certificate Provisioning System. See View and edit your deployment settings.