
Digital identities for IoT products

Use EJBCA PKI instead of OpenSSL and self-signed certificates while developing your IoT solution to ensure long-term scalability and security.


Challenge

Establish mutual trust between connected devices

To ensure cybersecurity in IoT solutions, edge devices, gateways, and servers must be capable of establishing mutual trust as well as trust in the firmware and software they execute.

This can only be achieved by equipping each system with at least a unique and secure digital identity. It must be small enough to be hosted inside a limited memory, strong enough to comply with the latest cybersecurity standards, and easy to check so that even small devices can verify who they are talking to and whether their firmware is genuine.

It must also support the derivation of robust session keys without exposing any secret over any channel, and be flexible enough that every company can draw its own private circle of trust and decide who may enter or intersect with it. The technology already exists: it is called public key infrastructure (PKI), and the digital identities are digital certificates following the X.509 standard.

If you develop connected devices and machines, or are a cybersecurity expert supervising their deployment and operational security, implementing such technology is essential to safeguard against cyber threats. Modern industry standards and recommendations call for PKI and X.509 certificates to secure and authenticate communication, software, and supply chains for IoT. Examples of such standards and recommendations are:

  • IEEE 802.1AR - defines the IDevID (the initial device identity certificate, issued and injected by the OEM PKI) and LDevIDs (locally significant operational certificates, issued and renewed by the operator PKI).
  • Matter - uses two certificate chains: the DAC (Device Attestation Certificate, issued and injected by the OEM PKI) and the NOC (Node Operational Certificate, issued and renewed by the network commissioner's PKI).
  • HTTPS, MQTTS - secure HTTP and MQTT with mutual (D)TLS, using X.509 certificates provisioned on both sides by their respective PKIs.
  • IEEE 1609.2, C-ITS, ITS - standardize digital security for vehicle-to-everything (V2X) communications, relying heavily on PKI and certificates.

Solution

Issue and manage certificates for your IoT devices in production and operations

While free certificate issuance tools and self-signed certificates may be convenient for software development and testing, they are not recommended for deployment. Unlike a PKI, self-signed certificates cannot draw the private circles of trust that all of these standards expect. EJBCA is scalable, enterprise-grade, and easy to deploy, for testing and prototyping as well as for production.
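The IDevID model from the IEEE 802.1AR bullet above and the point that self-signed certificates cannot draw a private circle of trust, shown as an added Go example that is not part of this page or of EJBCA: a constructed OEM root CA issues an IDevID to one device, and a verifier whose trust store holds only that root accepts the IDevID but rejects a self-signed certificate carrying the same subject and key. All names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer on behalf of parent; parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // demo only; a real issuer would return the error
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// DeviceTrusted reports whether dev chains to an anchor in roots (the verifier's private circle of trust).
func DeviceTrusted(dev *x509.Certificate, roots *x509.CertPool) bool {
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo issues an IDevID from a constructed OEM root CA plus a self-signed cert with the same subject and key, then verifies both against a store holding only that root.
func Demo() (idevidTrusted, selfSignedTrusted bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // P-256 keys are small enough
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // for constrained devices
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example OEM Root CA"}, // constructed name
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	devTmpl := &x509.Certificate{ // IDevID: long-lived, bound to the device's own key pair
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-SN-0001"}, // constructed serial
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	idevid := issue(devTmpl, ca, &devKey.PublicKey, caKey)      // signed by the OEM PKI
	rogue := issue(devTmpl, devTmpl, &devKey.PublicKey, devKey) // self-signed: no issuer behind it
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the OEM root is the only trust anchor
	return DeviceTrusted(idevid, roots), DeviceTrusted(rogue, roots)
}
```

An operator PKI issuing LDevIDs works the same way with its own root in the operator's trust store, which is what keeps the OEM's and the operator's circles of trust separate.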

Using our best-practice how-tos and videos, you can set up a PKI that issues certificates for your industrial infrastructure and IoT devices. Once it is running you can start tailoring it, and you will have a fully functional PKI, including Certificate Authorities, roles, certificate profiles, a configured use case and issuing protocol, revocation support, and system documentation.

Get started with video tutorials and how-tos:

  • Get started with birth identities based on IEEE 802.1AR (available soon)
  • Get started with Matter IoT
  • Certificates for TLS and mTLS, manually or via REST

Tutorials

  • 2023-06-18 - Automated certificate issuing via EJBCA REST (REST; Python / Postman)
  • 2023-05-30 - Get started with birth identities based on IEEE 802.1AR (Birth Identities, IoT; IEEE 802.1AR)
  • 2023-05-30 - Get started with Matter IoT (IoT; Matter)
  • 2023-02-06 - Client TLS certificates for mTLS, manual issuance (DevOps, IoT, TLS & mTLS; mTLS)
  • 2023-02-06 - Server TLS certificates, manual issuance (DevOps, IoT, TLS & mTLS; mTLS)

Get inspired

Stay up to date with the latest news and blog articles, and find out about upcoming events related to EJBCA.

  • 22 November, 2023 - Advancing Quantum-Ready Security: PQC FIPS standards, interoperability, and API enhancements in BC 1.77 (Bouncy Castle, Implementing Cryptography, Post-Quantum Cryptography, Release, EJBCA, SignServer). Updates to PQC FIPS standards and interoperability testing Updating PQC FIPS...
  • 16 November, 2023 - Learn how to upgrade your EJBCA Docker container to the latest version (DevOps, Implementing Cryptography, Industrial Cybersecurity & IoT, Installation & Deployment, Post-Quantum Cryptography, Signing, Tech Update, EJBCA). Exciting news! Check out our brand-new Tutorial page and video designed to ma...
  • 20 September, 2023 - Unveiling the highlights of the Keyfactor Community Tech Meetup 2023 (DevOps, Implementing Cryptography, Industrial Cybersecurity & IoT, Installation & Deployment, Post-Quantum Cryptography, Signing, Blog, EJBCA, SignServer). What a remarkable day it was at the Keyfactor Community Tech Meetup 2023, on...

Related open-source projects