1. Home
  2. /
  3. Use cases
  4. /
  5. Digital identities for IoT products

Digital identities for IoT products

Opt for EJBCA PKI over OpenSSL and self-signed certificates when prototyping your IoT solution for enhanced long-term scalability and security. 

hero-sub-2

Challenge

Establish mutual trust between connected devices

To ensure cybersecurity in IoT solutions, edge devices, gateways, and servers must be capable of establishing mutual trust as well as trust in the firmware and software they execute. 

This can only be achieved by equipping each system with at least a unique and secure digital identity. This identity must be small enough to be hosted inside a limited memory, strong enough to comply with the latest cybersecurity standards, and easy to check so that even small devices can verify who they are talking to and whether their firmware is genuine. 

It must also be issued and managed securely so that every owner and use case can draw their private circle of trust and decide who can enter or intersect with it. The widely accepted technology for this is public key infrastructure (PKI) and the digital identities are digital certificates following the X.509 standard.

For developers crafting connected devices or cybersecurity experts overseeing their deployment and operational security, integrating trusted digital identities is indispensable to shield against potential cyber threats. Modern industry standards and recommendations also call for PKI and X.509 certificates to secure and authenticate communication, software, and supply chains for IoT. Examples of such standards and recommendations are: 

  • IEEE802.1AR - Definition of IdevID and LDevIDs, respectively, the initial device certificate issued/injected by the OEM PKI and operational certificates issued and renewed by the operator PKI.
  • Matter - usage of two chains of certificates, DAC and NOC respectively device attestation certificate issued/injected by the OEM PKI and node operational certificates issued and renewed by the network commissioner PKI.
  • HTTPS, MQTTS - securing HTTP and MQTT with the mutual (D)TLS protocol using X.509 certificates provisioned on both sides by their respective PKI.
  • IEEE1609.2, C-ITS, ITS - standardization of digital security for vehicle-to-anything (V2X) communications, using PKI and certificates extensively.
F-Keyfactor_Illustration-Certificates and PKI
arrow

Solution

Start your Matter IoT certificate and PKI journey with confidence 

While free certificate issuance tools like Open SSL and self-signed certificates may be convenient for software development and test purposes, they are not recommended for production. Ensuring a smooth and secure transition to the next development phase is important. Using EJBCA's Community edition or our free Enterprise trials, you can establish the necessary private circles of trust while testing and prototyping. 

By following our step-by-step guides and watching our instructional videos, you can easily establish a PKI that enables you to generate certificates for your industrial infrastructure and IoT devices. Once you have set up your PKI, you can customize it to meet your specific requirements. You will have a fully operational PKI for your test devices, complete with Certificate Authorities, roles, certificate profiles, a configured use case/issuing protocol, and revocation support. 

Get started with video tutorials and how-tos:

  • Get started with birth identities based on IEEE 802.1AR
  • Get started with certificates for your Matter IoT devices 
  • Certificates for TLS and mTLS, manually or via REST

Tutorials

EJBCA logo website
Birth Identities
IoT
2023-05-30

Get started with birth identities based on IEEE 802.1AR

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
IEEE 802.1AR
EJBCA logo website
IoT
2023-05-30

Get started with Matter IoT

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
Matter
DevOps
IoT
TLS & mTLS
2023-02-06

Client TLS certificates for mTLS, manual issuance

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
mTLS
EJBCA logo website
DevOps
IoT
TLS & mTLS
2023-02-06

Server TLS certificates, manual issuance

{At sit et cras neque etiam cursus vulputate tempor enim. Quisque suspendisse nunc massa eleifend est ultrices. Facilisi ut a augue pellentesque quam nibh. Sit nisl.|=##=|162821}
mTLS

Get inspired

Stay up to date with the latest news and blog articles, and find out about upcoming events related to EJBCA.

Keyfactor Release
Implementing Cryptography
Post-Quantum Cryptography
Release
Ejbca
Signserver
4 December, 2024

NIST PQC Support and more – Bouncy Castle C# .NET 2.5.0

New release: Bouncy Castle C# .NET 2.5.0
PKI hierarchies - 1, 2, 3 tiers ?
DevOps
Signing
Tech Update
Ejbca
Signserver
3 December, 2024

#KEYMASTER: The Emerging Practices around Attestations and SBOMs

Building policy-driven and compliant software supply chains   Join Sven...
PKI hierarchies - 1, 2, 3 tiers ?
Post-Quantum Cryptography
Tech Update
Ejbca
Signserver
26 November, 2024

#KEYMASTERS – Understanding Key Encapsulation Mechanisms (KEM)

In this Keymaster episode, Sven Rajala, International PKI Man of Mystery, has...

Related open-source projects