Device Certificate Management
Certificates are a strong way of securing device networks and communications. They can either be self-signed (intrinsically less secure) or signed by a Certificate Authority (CA), whose independent verification provides greater trust. Certificates issued by a CA have an expiration date that forces periodic reauthorization. While certificates make your IoT devices and networks more secure, managing them across this infrastructure requires a scalable mechanism to issue, install and manage certificates.
When integrated with your chosen CA, Viakoo’s Device Certificate Management (DCM) gives you a scalable way of issuing and managing certificates to support IEEE 802.1x and TLS protocols for IoT devices in your infrastructure. DCM interacts with your CA to Request, Issue, Install and Revoke certificates for devices under management. Moreover, DCM provides an easy way to see the status of your current certificate portfolio.
Talk to your Viakoo representative about support for your CA of choice.
The Viakoo system automates the process of creating or reissuing certificates for a device. This process involves the following steps:
- Initiate a certificate update job that includes one or more device certificates to be updated as specified by certificate profiles associated with each device.
- Request a CSR from each device in the job using the associated certificate profile.
- Request a certificate for the device using the generated CSR.
- Fetch the certificate from the CA once the CA has issued it.
- Download and install the certificate in the device.
- Revoke the prior certificate if supported by your CA.
To achieve this at scale, the Device Certificate Management interface provides tools for the following steps:
- Defining and Managing Certificate Profiles (i.e., templates)
- Associating Certificate Profiles with Devices
- Reviewing Certificate Status
- Initiating Certificate Jobs
- Reviewing Job Status
Defining and Managing Certificate Profiles
To create certificates for hundreds, thousands or tens of thousands of devices, we need a way of defining templates that capture the common attributes, certificate type and duration to be used across a large collection of devices. In Viakoo’s DCM, this mechanism is the Certificate Profile.
To create a Certificate Profile, navigate to the Certificates “Profile” subtab and click the “Add Profile” icon.
The configurable attributes of a certificate profile are as follows:
- Name of the Certificate Profile, used to select it later
- Type of certificate (IEEE 802.1x or TLS)
- Type of device (Access Controller, Viakoo Agents, Cameras, or IoT Devices)
- Subject Name attributes (e.g., “C” for your company name, et cetera)
- Additional attributes as required for your infrastructure (OID : value pairs)
- Duration of the issued certificates
Fill out the form with desired attributes:
Click “Submit” and your new profile will show up in your certificate profiles list for the associated device type.
In this view, the new profile is selected and its details are shown in the panel on the left. This panel also gives you the following options for managing your certificate profiles:
- You can modify a selected profile using the “Edit” button.
- You can “Archive” a selected profile, which means to hide it from use.
- You can toggle the “Active” / “Archive” switch in the upper right corner to see your “Archived” profiles.
Navigate up by clicking on the “Device Type” link to get a view of profiles for other device types.
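The Subject Name and OID : value attributes of a profile are the template the device’s CSR is built from in the “Request a CSR” step of the lifecycle above. As an added example that is not Viakoo’s code (the CertProfile type, its field names and the sample private-enterprise OID are assumptions), this Go snippet builds such a CSR with only the standard library, keeping the private key on the device and sending out only the request:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"log"
)

// CertProfile models a profile's subject template (assumed names, not Viakoo's
// data model). Duration is not part of a CSR: the CA applies it at issuance.
type CertProfile struct {
	Subject pkix.Name                    // common Subject Name attributes (C, O, OU, ...)
	Extra   []pkix.AttributeTypeAndValue // additional OID : value pairs
}

// BuildCSR is the device-side step of the lifecycle: the key pair is generated
// on the device and only the CSR (public key plus the profile's subject) leaves it.
func BuildCSR(p CertProfile, deviceName string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the device
	if err != nil {
		return nil, err
	}
	subj := p.Subject // copy of the template; the CN identifies this device
	subj.CommonName = deviceName
	subj.ExtraNames = append(subj.ExtraNames, p.Extra...)
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so the caller sees exactly what the CA will receive.
	return x509.ParseCertificateRequest(der)
}

func main() {
	// Constructed sample profile; the private-enterprise OID is a placeholder.
	profile := CertProfile{
		Subject: pkix.Name{Country: []string{"US"}, Organization: []string{"Example Corp"}},
		Extra:   []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}, Value: "site-7"}},
	}
	csr, err := BuildCSR(profile, "cam-0001")
	if err != nil {
		log.Fatal(err)
	}
	// CheckSignature is the CA's proof-of-possession test; nil means the CSR is self-consistent.
	fmt.Println(csr.Subject.String(), csr.CheckSignature())
}
```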
Associating Certificate Profiles with Devices
For Viakoo to manage device certificates, those devices need to be associated with certificate profiles. Now that you have defined certificate profiles, the next step is to associate them with devices. To do this, navigate to the Certificates “Inventory” subtab.
From here, select the device type you want to associate with a certificate profile. For example, if you create a Camera certificate profile that you would like to associate with camera devices, select the “Camera” button at this step.
This displays all your devices of the chosen type (e.g., Cameras) in your infrastructure, together with controls to filter and export this information, to toggle between certificate types, and to associate available profiles with those devices.
To assign a certificate profile to a collection of devices of a particular type, do the following:
- Select the certificate type (either “IEEE802.1x” or “SSL_TLS”) for the category of profile you wish to associate.
- Filter the list as desired, using the filter icon, to reduce it to just the devices you want.
- Check the checkboxes on the left side of the list to select all or individual devices.
- Select the profile to assign.
- Finally, click “Associate Profile”.
Then, approve the changes:
You should then see the new profile associated with each of the intended devices in your selection. From this point on, this new profile will be used when generating new certificates of this type.
NOTE: if a device is already in an active job to generate the type of certificate in question, DCM will NOT allow you to reassign its certificate profile until that job completes or is cancelled.
Review Certificate Status from the Timeline Subtab
Issuing certificates is most often done for the following:
- Devices without certificates
- Devices with expired certificates (note: these devices may now require manual intervention to install new certificates)
- Devices with certificates that are approaching expiration.
The Certificate Timeline subtab gives you a view of these three different categories so you can initiate a certificate job to issue or renew a certificate.
Navigate to the Timeline subtab and then click on the graph. You can shrink or expand the view by selecting the time range in the control to the upper right.
Clicking a column shows the device certificates it represents and enables you to select them for a certificate job.
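The three categories above are a function of each certificate’s expiry date, and each timeline column is one expiry day. As an added example that is not Viakoo’s code (the DeviceCert type, the Category names and the renewal window are assumptions), this Go snippet classifies an inventory the same way and groups the certificates that need a job by expiry day:

```go
package main

import "time"

// DeviceCert is one inventory row; Expires is nil when the device has no certificate of this type.
type DeviceCert struct {
	Device  string
	Expires *time.Time
}

// Category is the timeline bucket a device certificate falls into.
type Category string

const (
	NoCert      Category = "no certificate"
	Expired     Category = "expired (may need manual intervention)"
	Approaching Category = "approaching expiration"
	Valid       Category = "valid"
)

// Classify buckets one certificate relative to now and a renewal window (for
// example 30 days); renewing inside the window avoids the expired case.
func Classify(c DeviceCert, now time.Time, window time.Duration) Category {
	switch {
	case c.Expires == nil:
		return NoCert
	case !c.Expires.After(now): // expiry at or before now counts as expired
		return Expired
	case c.Expires.Sub(now) <= window:
		return Approaching
	}
	return Valid
}

// Timeline groups every certificate that needs a job (no cert, expired or approaching) by
// expiry day, like the timeline columns; devices with no certificate share the "" key.
func Timeline(certs []DeviceCert, now time.Time, window time.Duration) map[string][]string {
	byDay := map[string][]string{}
	for _, c := range certs {
		if Classify(c, now, window) == Valid {
			continue
		}
		day := ""
		if c.Expires != nil {
			day = c.Expires.UTC().Format("2006-01-02")
		}
		byDay[day] = append(byDay[day], c.Device)
	}
	return byDay
}
```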
Initiate Certificate Jobs from the Timeline Subtab
Selecting a column in the Timeline view, you can display the specific certificates associated with that expiration date. Click again to hide the associated certificates. Click additional columns to add those certificates to the display.
Controls available in the upper right of the list view do the following:
- Filter using any text string using the filter control.
- Export the displayed certificates to a CSV file.
- Adjust pagination.
Use these controls to locate the certificates you would like to include in a certificate job. Select “All” or specific devices using the checkboxes along the left side of the list.
Then click “Initiate Job” to bring up the job submission pop-up.
In the Submit Job Popup, do the following steps to submit a job:
- Give the job a name
- [optional] Filter the visible list using the filter option in the upper right corner.
- Select one or more certificates to create in the job.
- Pick a start time to begin the job. The default start time is “now”.
- Review your selections and click “Submit” to activate the job.
After submitting the job, the UI switches to the “Certificate Jobs” subtab.
Reviewing Job Status from Certificate Jobs Subtab
The “Certificate Jobs” subtab gives you a view of pending, active (i.e., currently running or scheduled to be run) and completed certificate jobs. The view provides a summary of the status or results for each job with colors indicating how many devices succeeded or failed in each of the four steps for a certificate job.
The colors represent the status of certificate job items as they progress through the four key steps. Status indicators are as follows:
- Light Gray indicates the percentage of job items that have yet to begin this step.
- Darker Gray indicates the percentage of job items that are in-progress on this step.
- Green indicates the percentage of job items that have successfully completed this step.
- Yellow indicates the percentage of job items that could not REVOKE the old certificate. This is only considered a “Warning” as the device associated has successfully installed the new certificate.
- Striped Gray indicates the percentage of devices where, after successfully installing the new certificate, the REVOKE step was unnecessary either because REVOKE was not supported for the old certificate or there was not a previous certificate to revoke.
- Orange indicates the percentage of job items that failed to complete either generating a CSR from the device or installing the certificate. This could be due to device credentials or other issues associated with the device.
- Red indicates the percentage of devices that failed to generate a certificate. This is most often due to the CA rejecting the request.
Actions that are possible on the jobs list:
- sorting - The jobs list can be sorted by scheduled date, completion date, job name or user who created the job. The order of the sort can be toggled from ascending to descending and back using the control to the right of the selector.
- filtering - The displayed list can be limited to just “active” jobs, “closed” jobs, or “all” jobs.
- exporting - The list of certificate jobs can be exported to a CSV file.
- paginating - For efficiency, the system shows a limited number of jobs at one time. Pagination controls appear if the list of jobs exceeds the number set in the pagination control; this can be raised to show up to 100 jobs in the view.
- halting - Any active job can be halted by an administrator from this summary list by clicking the “Stop” icon.
To see the detailed list of job items associated with a job, click anywhere on that job’s row in the Certificate Jobs list view.
Detailed Jobs View
In the Certificate Job detailed view, each job item is listed along with the status of the individual item, device and the associated certificate profile being used. Status for the job item is indicated as a progress bar through each phase of the process as well as a color & icon to indicate status.