TLS client certificate (non-self-signed)


#1

Hi,

I’m trying to use a TLS client certificate.
In the Device Provisioning Tutorial (http://docs.exosite.com/tutorials/provisioning/), a self-signed certificate is used for provisioning. But I want to use certificates signed by a proper CA.
Can Murano refuse to use self-signed certificates for provisioning?
If possible, could you let me know how to do that?

regards,


#2

Hi @rune,

Thanks for posting! I am not sure whether or not Murano accepts certs signed by a CA, so I will find out.

This strikes me as a strange use case. Since Identities can be trusted and managed by the owner, or an administrator, of the Product, there typically isn’t a need to use certificate authorities.

What problem are you looking to solve?

-Martin


#3

Hi,

From what I heard last, Murano can accept certificates from either a self-signed source or from a CA. The first time a whitelisted device talks to Murano, a copy of the certificate (or is it the signature?) is stored in the cloud, and all subsequent connections are allowed only through that certificate.

I think in the near future, Murano will have capabilities to include a root CA and verify whether the device’s certificate was signed by the root (or any intermediary CA signed by the root).

Kind regards,
Vijay.


#4

@Martin
Thank you for your reply!

I think the TLS client certificate mechanism makes security stronger. But if self-signed certificates are accepted, it makes no sense. It is just like a con artist saying “This person is (I am) right and you can trust him (me), I will guarantee it”. If anyone could get to know the device IDs, he could create a fraudulent self-signed certificate and communicate with Murano.

So I think it would be better for Murano to have a function to check whether the certificate is signed by a proper CA, and an option to reject insecure certificates.

regards,


#5

@Vijay
Thank you for your reply!
Your answer is enough for me!

I understand that Murano currently accepts any certificate, even a self-signed one, but that the function to verify certificates will be implemented in the near future.

regards,