Cloud server TLS

The CANedge1 lets you upload data via HTTP or HTTPS. HTTP is simpler to setup/maintain, but if security is a priority you can use HTTPS data transfer.

Note

HTTPS is an advanced topic. Ensure that your HTTP upload works first and read the S3 security section in the CANedge1 Docs before proceeding. The CANedge1 Docs also describe bundled certificates and over-the-air certificate updates

Warning

Make sure to have physical access to your CANedge1 when testing HTTPS. Note also that enabling TLS may reduce your upload speed

Warning

Note that the default root CA may change for a cloud endpoint. For production setups we strongly recommend using a custom endpoint & certificate to ensure full control

Ready-to-use TLS certificates (AWS, Google, Azure)

Here we describe how to quickly enable TLS for AWS, Google Cloud and Azure-Flexify[3]:

  1. Download the relevant pre-built from below to your device SD card root
  2. Update your Configuration File endpoint with https:// and port 443[1]
  3. Test your connectivity before final deployment[2]

AWS | Google Cloud | Azure-Flexify


Manually download TLS certificate (other clouds)

  1. Copy your S3 server [endpoint]/[bucket] into your browser. For AWS, this could e.g. be: https://s3.us-east-1.amazonaws.com/canedge-test-bucket
  2. In Chrome, click the lock-icon next to the URL
  3. Go to the certificate details page and select the top root certificate
  4. Export the single certificate as .crt and open the file
  5. Go to the Details tab and verify that it is an RSA type (not e.g. ECC)
  6. Rename it to certs_server.p7b[1] and save the file to the root of your device SD
  7. Update the Configuration File to use https:// and port 443 in your server details

Custom domain & certificate

As outlined above, if you wish to use a cloud server endpoint like e.g. AWS S3, you can use the default certificate to enable TLS. This can be OK for small scale, local setups and tests.

For production setups and large scale applications, it is recommended that you ensure full control over the certificate chain as the cloud server provider may decide to change the root CA without notice. While rare, it is a risk. To avoid this, you can use a custom domain as your end point and enable TLS by importing your preferred certificate. This is an advanced topic and we recommend involving technical staff from your cloud server provider and/or your company.


[1](1, 2) When updating the Configuration File of an already-connected CANedge, ensure that you’re updating the S3 Configuration File rather than the SD. Otherwise the SD changes will be over-written by an OTA update when the device connects to S3. Alternatively, delete the S3 Configuration File before making changes to the SD Configuration File
[2]Note that deployment with our TLS bundle is still subject to the risk of a change in the default root CA - so make sure to check if any CA changes are scheduled and deploy at your own risk.
[3]The Azure-Flexify certificate assumes that you are running the integration as per our guide (not via a self-hosted VM in Azure)