Understanding Certificates in Zoho IoT: A Comprehensive Guide

Understanding Certificates


In any network where data communication occurs, authentication is crucial for establishing a secure and trustworthy communication channel. In Zoho IoT, Transport Layer Security (TLS) authenticates the server to the device and, when client certificates are used, the device to the server; it also encrypts and integrity-protects the data exchanged between them, so the server can trust that the data it receives originates from the device that presented the certificate and was not altered in transit.

When using MQTT gateway devices in the IoT setup, it is recommended to use Client Certificate with TLS as the authentication type. In this case, the application uses the TLS handshake to authenticate X.509 client certificates that it issues under your organization's root certificate (see the FAQ at the end of this page for their validity). Associating a certificate with an MQTT device enables the device to prove its identity to the server during the handshake and communicate with it securely.

Certificate Creation 

Zoho IoT Application provides the following two ways in which you can create a certificate:
  1. Using the Create Certificate option
  2. When associating a certificate with an MQTT device  
 

Using the Create Certificate option

Certificates can be created in the application using the Create Certificate option. A certificate created this way can be associated with any existing MQTT device that was registered with the Client Certificate with TLS authentication type.

Note: During gateway creation, the MQTT device must be created with the Client Certificate with TLS authentication type; otherwise a certificate cannot be mapped to the gateway.
 

 
Info: Refer to the Working with Certificates document for the step-by-step procedure.

When Associating a Certificate with an MQTT Device

Certificates can also be created and associated while adding an MQTT device. During device creation, select Client Certificate with TLS as the authentication type. Once the device is registered, the Associate Certificate option is displayed; use it to associate an existing certificate with the device, or to create a new certificate and associate it in the same step.




Contents of the Certificate Zip File

Upon creating a certificate, a zip file is generated containing the files listed below. Download and store it securely straight away: the private key it contains is not retained by the application and cannot be downloaded later.

File: <cert_name>.cert.pem
Description: The client certificate in PEM (Privacy Enhanced Mail) format, the Base64-encoded text format commonly used to exchange certificates and keys. It binds the device's public key to the certificate's identity and carries the signature of the issuing root certificate.

File: <cert_name>.public.key
Description: The public key of the device's key pair, provided for convenience; the same key is embedded in the certificate. It is used to verify signatures made with the corresponding private key and does not need to be kept secret.

File: <cert_name>.private.key
Description: The private key of the device's key pair. During the TLS handshake the device signs with this key to prove that it owns the certificate it presents. It must be stored only on the device and never shared or transmitted.

File: ZohoIoTServerRootCA.pem
Description: The Root Certificate Authority (CA) certificate for the Zoho IoT server. It contains the root CA's public key and identifying information, and the device uses it to verify the digital signature on the server certificate presented during the TLS handshake.

Note: Client Certificates in the IoT Application are created with 10 years of validity.

Downloading the Certificate

The generated certificate, along with private and public keys, can be downloaded from this popup window as a compressed zip file or as individual files. 

 

Warning: The certificates zip file contains the certificate, the private key, and the public key. Once the Certificate Details popup is closed, only the certificate can be downloaded again. If the zip file fails to download or is misplaced, you will need to generate a new certificate.

The private key is not stored by the application and is therefore not available for download later. Keep the downloaded copy under the same access controls you would apply to any device credential.

Downloading the Root CA Certificate 

The ZohoIoTServerRootCA.pem file is the Root Certificate Authority (CA) certificate for the Zoho IoT server. It must be downloaded and installed on devices that do not have a trusted root certificate store available, which is common on embedded systems. It contains the root CA's public key and identifying information, which allows the device to verify the digital signature on the server certificate presented during the TLS handshake; in other words, it is the trust anchor the device uses to authenticate the identity of the Zoho IoT server. Note that this file anchors trust in the server's certificate only; client certificates are issued from the Org Root Certificate described in the FAQ below.

Note: Multiple devices can use the same set of certificate files, and multiple certificates can be associated with a single device using the Associate Certificate option. However, only one certificate can be used at a time for connectivity. Bear in mind that sharing one certificate (and therefore one private key) across devices means that the compromise of any one of them exposes the credential of all of them, and replacing the certificate affects every device that uses it; one certificate per device limits the impact to that device.
Info: Refer to the Certificate Usage document for more details.
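The following shell script is an added example; it is not part of the Zoho IoT documentation or product, and it uses only the openssl command line. It checks a downloaded bundle the way a practitioner would before provisioning a device: that the certificate, the public.key file, and the private key all belong to one key pair (a mismatch usually means files from two downloads got mixed up, which matters because the private key cannot be re-downloaded), that the certificate is not about to expire, and that the client certificate chains to the root that issued it rather than to ZohoIoTServerRootCA.pem. It also shows the live handshake check against the broker. Assumptions that are mine and not the page's: the file naming from the table above, a file named OrgRootCA.pem standing in for the Org Root Certificate, a constructed sample bundle generated locally so the checks run offline, and a placeholder broker host with port 8883 (the standard MQTT-over-TLS port, not a value taken from this page).

```sh
#!/bin/sh
# Added example, not part of the Zoho IoT documentation or product: sanity-check
# a downloaded certificate bundle with the openssl CLI before putting it on a
# device. Assumptions (mine, not the page's): file names follow the table above
# (<name>.cert.pem, <name>.public.key, <name>.private.key, ZohoIoTServerRootCA.pem);
# the Org Root that issues client certificates is named OrgRootCA.pem here; the
# broker host/port in connect_check are placeholders (8883 is the standard
# MQTT-over-TLS port, not a value taken from the page).
set -u

# 1. The three client files must describe one key pair: the public key inside the
#    certificate, the public key derived from the private key, and public.key.
#    Prints OK / MISMATCH / EXPIRING / BAD_*; returns 0 only for OK.
check_bundle() {
  dir="$1"; name="$2"
  cert="$dir/$name.cert.pem"; key="$dir/$name.private.key"; pub="$dir/$name.public.key"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo BAD_CERT; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo BAD_KEY; return 1; }
  file_pub=$(cat "$pub" 2>/dev/null) || { echo BAD_PUB; return 1; }
  if [ "$cert_pub" != "$key_pub" ] || [ "$cert_pub" != "$file_pub" ]; then
    echo MISMATCH; return 1
  fi
  # Reject a certificate that expires within 30 days (2592000 s); the page says
  # client certificates are issued for 10 years, so this only bites near rotation.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || { echo EXPIRING; return 1; }
  echo OK
}

# 2. A client certificate chains to the Org Root that issued it, not to
#    ZohoIoTServerRootCA.pem, which anchors the server's certificate.
#    Usage: verify_chain ROOT_PEM CERT_PEM; returns openssl's status (0 = chain OK).
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 3. Live handshake check against the broker: the server root verifies the server,
#    the client cert/key are presented for client authentication. Needs network,
#    so it is not exercised offline. Expect "Verify return code: 0 (ok)".
connect_check() {
  host="$1"; dir="$2"; name="$3"; port="${4:-8883}"
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$dir/ZohoIoTServerRootCA.pem" \
    -cert "$dir/$name.cert.pem" -key "$dir/$name.private.key" </dev/null 2>/dev/null |
    grep 'Verify return code'
}

# Constructed sample bundle so the checks run offline: a 20-year org root, an
# unrelated self-signed stand-in for the server root, and a 10-year client cert
# issued by the org root (validity periods mirror the FAQ on this page).
make_sample_bundle() {
  dir="$1"; name="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 7300 -subj "/CN=Constructed Org Root" \
    -keyout "$dir/orgroot.key" -out "$dir/OrgRootCA.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 7300 -subj "/CN=Constructed Server Root" \
    -keyout "$dir/serverroot.key" -out "$dir/ZohoIoTServerRootCA.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.private.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/$name.csr" -CA "$dir/OrgRootCA.pem" \
    -CAkey "$dir/orgroot.key" -CAcreateserial -out "$dir/$name.cert.pem" 2>/dev/null
  openssl pkey -in "$dir/$name.private.key" -pubout -out "$dir/$name.public.key" 2>/dev/null
}

# Stand-alone run ("demo" argument): build the sample bundle in a temp dir and report.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_sample_bundle "$d" device01
  check_bundle "$d" device01
  verify_chain "$d/OrgRootCA.pem" "$d/device01.cert.pem" && echo "chain to org root: OK"
  verify_chain "$d/ZohoIoTServerRootCA.pem" "$d/device01.cert.pem" || echo "chain to server root: FAIL (expected)"
  openssl x509 -in "$d/device01.cert.pem" -noout -enddate
  rm -rf "$d"
fi
```

Save the script and run it with the argument demo to see the checks against the constructed bundle; for a real bundle, call check_bundle with the directory and certificate name from your download, and connect_check with your broker host once the files are in place. The chain check is deliberately run against both roots so that the distinction between the server root and the issuing root is visible rather than assumed.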

Associating Certificate to Policy 

Every certificate must be mapped to a policy. In general, a policy helps to define various rules and operations. These rules come under two broad categories: "Device communication with the application" and "Application communication with the device". The tasks such as "Telemetry Data", "Device Notification/Event Data", "Subscribe to Command", and "Edge Agent Configuration", are divided under these categories. You can activate one or more actions to define a policy and assign it to a certificate. The certificate, when associated to a device, ensures the device performs only the actions configured in the policy.
Info: Refer to the Understanding Policies document for more details.

 
 
Example: Consider a gateway device that has one or more certificates associated with it. The device can use any of them to connect to the application, but the actions it may perform depend on the policy assigned to the certificate it used to connect.
 

Certificate Views 

List View 

The list view of the certificate can be accessed from the End Application by clicking Devices > Certificates in the left pane.



Certificate Details View 

The details view contains the details of the certificate along with the associated policy. This view can be accessed by clicking on the certificate name in the list view.

 

 


Devices View    

The Devices view lists the devices associated with the certificate. It can be accessed by clicking on the certificate name in the list view and then clicking the Attached Gateways tab.

 

 

Timeline View    

The activities performed on the certificate are listed in the Timeline tab.
 



FAQ: What is the validity of the Client Certificate and the Org Root Certificate from which the client certificate is created?
 
The validity of the Client Certificate is 10 years, and the validity of the Org Root Certificate from which the client certificate is created is 20 years.

Availability

Info: All certificate operations require the necessary permissions. Refer to the Users and Profiles document for more details.

Check Feature Availability and Limits


See Also
Working with Certificates
Understanding Policies
Working with Policies