Cloud server TLS
The CANedge2 lets you upload data via HTTP or HTTPS. HTTP is simpler to setup/maintain, but if security is a priority you can use HTTPS data transfer.
Note
HTTPS is an advanced topic. Ensure that your HTTP upload works first and read the S3 security section in the CANedge2 Docs before proceeding. The CANedge2 Docs also describe bundled certificates and over-the-air certificate updates
Warning
Make sure to have physical access to your CANedge2 when testing HTTPS. Note also that enabling TLS may reduce your upload speed
Warning
Note that the default root CA may change for a cloud endpoint. For production setups we strongly recommend using a custom endpoint & certificate to ensure full control
Table of Contents
Ready-to-use TLS certificates (AWS, Google, Azure)
Here we describe how to quickly enable TLS for AWS, Google Cloud and Azure-Flexify[3]:
Manually download TLS certificate (other clouds)
- Copy your S3 server
[endpoint]/[bucket]
into your browser. For AWS, this could e.g. be:https://s3.us-east-1.amazonaws.com/canedge-test-bucket
- In Chrome, click the lock-icon next to the URL
- Go to the certificate details page and select the top root certificate
- Export the single certificate as
.crt
and open the file - Go to the Details tab and verify that it is an
RSA
type (not e.g.ECC
) - Rename it to
certs_server.p7b
[1] and save the file to the root of your device SD - Update the Configuration File to use
https://
and port443
in your server details
Custom domain & certificate
As outlined above, if you wish to use a cloud server endpoint like e.g. AWS S3, you can use the default certificate to enable TLS. This can be OK for small scale, local setups and tests.
For production setups and large scale applications, it is recommended that you ensure full control over the certificate chain as the cloud server provider may decide to change the root CA without notice. While rare, it is a risk. To avoid this, you can use a custom domain as your end point and enable TLS by importing your preferred certificate. This is an advanced topic and we recommend involving technical staff from your cloud server provider and/or your company.
[1] | (1, 2) When updating the Configuration File of an already-connected CANedge, ensure that you’re updating the S3 Configuration File rather than the SD. Otherwise the SD changes will be over-written by an OTA update when the device connects to S3. Alternatively, delete the S3 Configuration File before making changes to the SD Configuration File |
[2] | Note that deployment with our TLS bundle is still subject to the risk of a change in the default root CA - so make sure to check if any CA changes are scheduled and deploy at your own risk. |
[3] | The Azure-Flexify certificate assumes that you are running the integration as per our guide (not via a self-hosted VM in Azure) |