1. Home
  2. /
  3. Use cases
  4. /
  5. Digital identities for IoT products

Digital identities for IoT products

Opt for EJBCA PKI over OpenSSL and self-signed certificates when prototyping your IoT solution for enhanced long-term scalability and security. 

hero-sub-2

Challenge

Establish mutual trust between connected devices

To ensure cybersecurity in IoT solutions, edge devices, gateways, and servers must be capable of establishing mutual trust as well as trust in the firmware and software they execute. 

This can only be achieved by equipping each system with at least a unique and secure digital identity. This identity must be small enough to be hosted inside a limited memory, strong enough to comply with the latest cybersecurity standards, and easy to check so that even small devices can verify who they are talking to and whether their firmware is genuine. 

It must also be issued and managed securely so that every owner and use case can draw their private circle of trust and decide who can enter or intersect with it. The widely accepted technology for this is public key infrastructure (PKI) and the digital identities are digital certificates following the X.509 standard.

For developers crafting connected devices or cybersecurity experts overseeing their deployment and operational security, integrating trusted digital identities is indispensable to shield against potential cyber threats. Modern industry standards and recommendations also call for PKI and X.509 certificates to secure and authenticate communication, software, and supply chains for IoT. Examples of such standards and recommendations are: 

  • IEEE802.1AR - Definition of IdevID and LDevIDs, respectively, the initial device certificate issued/injected by the OEM PKI and operational certificates issued and renewed by the operator PKI.
  • Matter - usage of two chains of certificates, DAC and NOC respectively device attestation certificate issued/injected by the OEM PKI and node operational certificates issued and renewed by the network commissioner PKI.
  • HTTPS, MQTTS - securing HTTP and MQTT with the mutual (D)TLS protocol using X.509 certificates provisioned on both sides by their respective PKI.
  • IEEE1609.2, C-ITS, ITS - standardization of digital security for vehicle-to-anything (V2X) communications, using PKI and certificates extensively.
F-Keyfactor_Illustration-Certificates and PKI
arrow

Solution

Start your Matter IoT certificate and PKI journey with confidence 

While free certificate issuance tools like Open SSL and self-signed certificates may be convenient for software development and test purposes, they are not recommended for production. Ensuring a smooth and secure transition to the next development phase is important. Using EJBCA's Community edition or our free Enterprise trials, you can establish the necessary private circles of trust while testing and prototyping. 

By following our step-by-step guides and watching our instructional videos, you can easily establish a PKI that enables you to generate certificates for your industrial infrastructure and IoT devices. Once you have set up your PKI, you can customize it to meet your specific requirements. You will have a fully operational PKI for your test devices, complete with Certificate Authorities, roles, certificate profiles, a configured use case/issuing protocol, and revocation support. 

Get started with video tutorials and how-tos:

  • Get started with birth identities based on IEEE 802.1AR
  • Get started with certificates for your Matter IoT devices 
  • Certificates for TLS and mTLS, manually or via REST

Tutorials

EJBCA logo website
Birth Identities
IoT
2023-05-30

Get started with birth identities based on IEEE 802.1AR

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
IEEE 802.1AR
EJBCA logo website
IoT
2023-05-30

Get started with Matter IoT

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
Matter
DevOps
IoT
TLS & mTLS
2023-02-06

Client TLS certificates for mTLS, manual issuance

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
mTLS
EJBCA logo website
DevOps
IoT
TLS & mTLS
2023-02-06

Server TLS certificates, manual issuance

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
mTLS

Get inspired

Stay up to date with the latest news and blog articles, and find out about upcoming events related to EJBCA.

PKI hierarchies - 1, 2, 3 tiers ?
Installation & Deployment
Tech Update
Ejbca
Signserver
8 October, 2024

#KEYMASTERS – What is Bring Your Own Key (BYOK), and why should you use it?

In this KEYMASTER session, Jiannis Papadakis, Director of Solutions Engineeri...
Tony-Chen-at-SOSS-Community-Day-Japan
Post-Quantum Cryptography
Event
3 October, 2024

Join us at SOSS Community Day Japan on October 30

Get quantum ready with Tony Chen He, CISSP, Solution Engineer, Keyfactor, as...
Eric-Mizell-at-SOSS-Fusion-2024
Post-Quantum Cryptography
Event
3 October, 2024

Join us at SOSS Fusion 2024 in Alpharetta, GA on October 23

Start the Quantum Readiness Journey with Hands-on Guidance Join Eric Mizell,...

Related open-source projects