Cloud server TLS

For clouds (AWS, Google Cloud, …) you can use the method below to enable HTTPS for initial tests.


Note that the default root CA may change for a cloud endpoint. For production setups we strongly recommend using a custom endpoint & certificate to ensure full control.

Ready-to-use TLS certificates (AWS, Google, Azure)

Here we describe how to quickly enable TLS for AWS, Google Cloud and Azure-Flexify[3]:

  1. Download the relevant pre-built TLS bundle from below to the root of your device SD card
  2. Update your Configuration File endpoint with https:// and port 443[1]
  3. Test your connectivity before final deployment[2]

AWS | Google Cloud | Azure-Flexify

Manually download TLS certificate (other clouds)

  1. Copy your S3 server [endpoint]/[bucket] into your browser. For AWS, this could e.g. be:
  2. In Chrome, click the lock-icon next to the URL
  3. Go to the certificate details page and select the top root certificate
  4. Export the single certificate as .crt and open the file
  5. Go to the Details tab and verify that it is an RSA type (not e.g. ECC)
  6. Rename it to certs_server.p7b[1] and save the file to the root of your device SD
  7. Update the Configuration File to use https:// and port 443 in your server details
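
Step 5 above can also be checked with a script. The following is an added example, not part of the original guide or the vendor's tooling: it reads the public-key algorithm from an exported certificate using only the Python standard library. It assumes the export is a single X.509 certificate in Base64 (PEM) or binary DER form; the function names are hypothetical and the sample certificates are constructed skeletons, not real certificates.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated or non-DER input")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated or non-DER input")
    return tag, pos, pos + length

def to_der(data):
    """Accept both export formats: Base64 (PEM) text or binary DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        return base64.b64decode(b"".join(body.split()))
    return data

def key_type(cert_bytes):
    """Return 'RSA', 'ECC' or 'other' for the certificate's public key."""
    der = to_der(cert_bytes)
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos   # skip the optional [0] version field
    for _field in range(5):             # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)      # SubjectPublicKeyInfo SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # AlgorithmIdentifier SEQUENCE
    _, start, end = read_tlv(der, pos)  # algorithm OID
    return {RSA_OID: "RSA", EC_OID: "ECC"}.get(der[start:end], "other")

def tlv(tag, body):  # DER-encode one element; used only to build the samples
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(oid):  # constructed skeleton, not a real certificate: real layout, dummy fields
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid) + b"\x05\x00") + tlv(0x03, bytes(271)))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + b"\x30\x00" * 4 + spki)
    return tlv(0x30, tbs + b"\x30\x00" + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(key_type(sample_cert(RSA_OID)), key_type(sample_cert(EC_OID)))
```

To check a real export, pass the bytes of your exported file to key_type() before renaming it to certs_server.p7b; anything other than "RSA" means a different root certificate is needed.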

Custom domain & certificate

As outlined above, if you wish to use a cloud server endpoint such as AWS S3, you can use the default certificate to enable TLS. This can be OK for small-scale, local setups and tests.

For production setups and large-scale applications, it is recommended that you ensure full control over the certificate chain, as the cloud server provider may decide to change the root CA without notice. While rare, it is a risk. To avoid this, you can use a custom domain as your endpoint and enable TLS by importing your preferred certificate. This is an advanced topic and we recommend involving technical staff from your cloud server provider and/or your company.

[1] When updating the Configuration File of an already-connected CANedge, ensure that you’re updating the S3 Configuration File rather than the SD. Otherwise the SD changes will be overwritten by an OTA update when the device connects to S3. Alternatively, delete the S3 Configuration File before making changes to the SD Configuration File.
[2] Note that deployment with our TLS bundle is still subject to the risk of a change in the default root CA, so make sure to check if any CA changes are scheduled and deploy at your own risk.
[3] The Azure-Flexify certificate assumes that you are running the integration as per our guide (not via a self-hosted VM in Azure).