S3 security

The CANedge supports TLS v1.2 for securing communication between the CANedge and the S3 server. TLS provides the following security mechanisms:

  • Encryption of data transmissions

  • Server identity authentication (using certificates)

Warning

To enable TLS, the S3 endpoint must start with https://

Note

The CANedge2 is tested using RSA based certificates with 2048 bit keys


TLS certificates

TLS typically uses a chain of certificates to establish trust. At the top of the chain is the root certificate authority (CA). In below example, the root certificate is used to sign (approve) a server certificate.

Certificate chain

When the CANedge connects to the server using TLS, the server returns the server public certificate. It is now up to the CANedge to decide if it trusts the server or not.

By installing the root (public) certificate on the CANedge, it is instructed to trust any certificate signed by the root.

Note

When using a hostname as endpoint (e.g. s3.eu-north-1.amazonaws.com) the CANedge verifies that the hostname matches the certificate common-name or is included in the list of SANs (Subject Alternative Names). If no match is found, the connection is refused.

Note

The CANedge adds the endpoint hostname to the TLS SNI (Server Name Indication) extension field.


Installing certificates

The CANedge supports up to 10 trusted certificates as a bundled PKCS#7 (.p7b) file.

Warning

The installed certificates shall all have distinguishable Subjects (the certificate Subject field).

Below describes how to prepare and install trusted certificates on the CANedge.


Prepare certificate(s)

Trusted certificates are stored in a single file (/certs_server.p7b). The flow chart below shows how to prepare the certificate bundle depending on the number of certificates to install:

graph TD
  A(Acquire certificates) --> B[Number of certificates]
  B -->|Zero| D[Clear]
  B -->|One| E[Rename]
  B -->|Multiple| F[Bundle]
  G(Configure device)
  D --> G
  E --> G
  F --> G

Zero certificates (Clear)

Clear all loaded certificates by creating an empty/blank file called certs_server.p7b

One certificate (Rename)

Prepare a single certificate by renaming:

  1. Acquire the trusted certificate (e.g. the root certificate) in a supported format (.pem, .cer, .crt, .der)

  2. Rename the certificate to certs_server.p7b

Multiple certificates (Bundle)

Prepare multiple certificates by creating a PKCS#7 bundle containing all the certificates.

Generation of certificate bundles requires a tool, such as the free OpenSSL library 1. Using OpenSSL, multiple certificates can be included in a bundle following below steps:

  1. Acquire the trusted certificates (e.g. root certificates) in a supported format2

  2. Copy all the certificates into a single directory (e.g. cert1.pem, cert2.pem, … cert9.pem)

  3. Open a console/command prompt in the directory storing the certificates, and run the following OpenSSL command (example with two certificates):

$ openssl crl2pkcs7 -nocrl -certfile cert1.pem -certfile cert2.pem -out certs_server.p7b

Local installation of certificate(s)

The certificate bundle (certs_server.p7b) is installed by placing it in the root of the SD-card (with name ).


Remote installation of certificate(s)

The certificate bundle (certs_server.p7b) is installed by placing it on the S3 server. For more information refer to Server certificates over-the-air.


List of installed certificates

Installed certificates can be verified by inspecting the device.json file (written to the SD-card and uploaded to S3). The certs_server_* field contains a list of hashes of successfully loaded certificates.

A certificate hash is computed by running the SHA1 algorithm over the values of the certificate subject field (ordered as in the certificate binary).

Example: Compute certificate hash of certificate DigiCertGlobalRootCA.crt.

  1. List certificate subject value fields using openssl:

$ openssl x509 -noout -subject -in DigiCertGlobalRootCA.crt
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
  1. Compute SHA1 over concatenated subject values:

\[\begin{split}\texttt{SHA1}(\texttt{"USDigiCert Incwww.digicert.comDigiCert Global Root CA"}) = \\ \texttt{"0A0DEFC689D4ECD558C0A95C524E1146F5C3D789"}\end{split}\]

1

Linux: Check the package manager for the distribution, Mac OS: Homebrew, Windows: Available as a part of pre-packaged git

2

The input certificate format must be PEM/base64 encoded DER