S3 security
The CANedge supports TLS v1.2 for securing communication between the CANedge and the S3 server. TLS provides the following security mechanisms:
Encryption of data transmissions
Server identity authentication (using certificates)
Warning
To enable TLS, the S3 endpoint must start with https://
Note
The CANedge2 is tested using RSA based certificates with 2048 bit keys
Note
TLS certificates
TLS typically uses a chain of certificates to establish trust. At the top of the chain is the root certificate authority (CA). In below example, the root certificate is used to sign (approve) a server certificate.
When the CANedge connects to the server using TLS, the server returns the server public certificate. It is now up to the CANedge to decide if it trusts the server or not.
By installing the root (public) certificate on the CANedge, it is instructed to trust any certificate signed by the root.
Note
When using a hostname as endpoint (e.g. s3.eu-north-1.amazonaws.com
) the CANedge verifies that the hostname matches the certificate common-name
or is included in the list of SANs (Subject Alternative Names). If no match is found, the connection is refused.
Note
The CANedge adds the endpoint hostname to the TLS SNI
(Server Name Indication) extension field.
Installing certificates
The CANedge supports up to 10 trusted certificates as a bundled PKCS#7 (.p7b
) file.
Warning
The installed certificates shall all have distinguishable Subjects (the certificate Subject
field).
Below describes how to prepare and install trusted certificates on the CANedge.
Prepare certificate(s)
Trusted certificates are stored in a single file (/certs_server.p7b
). The flow chart below shows how to prepare the certificate bundle depending on the number of certificates to install:
Zero certificates (Clear)
Clear all loaded certificates by creating an empty/blank file called certs_server.p7b
One certificate (Rename)
Prepare a single certificate by renaming:
Acquire the trusted certificate (e.g. the root certificate) in a supported format (
.pem
,.cer
,.crt
,.der
)Rename the certificate to
certs_server.p7b
Multiple certificates (Bundle)
Prepare multiple certificates by creating a PKCS#7 bundle containing all the certificates.
Generation of certificate bundles requires a tool, such as the free OpenSSL library 1. Using OpenSSL, multiple certificates can be included in a bundle following below steps:
Acquire the trusted certificates (e.g. root certificates) in a supported format2
Copy all the certificates into a single directory (e.g.
cert1.pem
,cert2.pem
, …cert9.pem
)Open a console/command prompt in the directory storing the certificates, and run the following OpenSSL command (example with two certificates):
$ openssl crl2pkcs7 -nocrl -certfile cert1.pem -certfile cert2.pem -out certs_server.p7b
Local installation of certificate(s)
The certificate bundle (certs_server.p7b
) is installed by placing it in the root of the SD-card (with name ).
Remote installation of certificate(s)
The certificate bundle (certs_server.p7b
) is installed by placing it on the S3 server. For more information refer to Server certificates over-the-air.
List of installed certificates
Installed certificates can be verified by inspecting the device.json
file (written to the SD-card and uploaded to S3). The certs_server_*
field contains a list of hashes of successfully loaded certificates.
A certificate hash is computed by running the SHA1 algorithm over the values of the certificate subject field (ordered as in the certificate binary).
Example: Compute certificate hash of certificate DigiCertGlobalRootCA.crt
.
List certificate subject value fields using
openssl
:
$ openssl x509 -noout -subject -in DigiCertGlobalRootCA.crt
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Compute SHA1 over concatenated subject values: