
Integrating an edge device - securely

Not a good start: you open the web interface of your new router and the browser greets you with a conspicuous security warning. IoT and edge devices that are integrated into an internal network have the same problem: as soon as the device is opened in a browser, the warning appears.

Read this blog post to find out how IoT and edge devices can be securely integrated into an internal network.

TLS has become the established protocol for secure communication between participants in a network. It encrypts the data and protects its integrity and, particularly important in this context, it lets users be sure that they are talking to the expected communication partner. Certificates serve this purpose: a Certificate Authority (CA) confirms that the public key in a certificate belongs to the named party by signing the certificate. Numerous public CAs on the internet offer this signing as a service, and browsers ship with the root certificates of these CAs, so they automatically trust the certificates they issue.

So far, so good. A manufacturer of devices whose web servers are used in local networks rather than on the public internet faces a different problem, however. They want to offer secure communication, but cannot ship a certificate for the device's web server that is valid everywhere. Public CAs only issue certificates for identities they can verify, in practice publicly resolvable domain names. A device that is reached in the local network via a private IP address or a local host name has no such name, and at production time the manufacturer does not even know which name or address the device will later have.

The device manufacturer cannot solve this problem on their own, which is why devices are often shipped with self-signed certificates. The device is then in principle able to use TLS and the connection is encrypted. However, web browsers rightly display a security warning in this case: the device's certificate is not trustworthy because nobody has confirmed the identity of the device. This is not only an obstacle for users, it also poses a considerable security risk. An attacker in the same network who intercepts the connection (Man in the Middle, MITM) can present their own self-signed certificate, which the browser cannot distinguish from the device's own, and users who are used to clicking through the warning will not notice the difference.

There are various solutions to this problem.

On the internet, a public Certificate Authority (CA) confirms the identity of a website based on its domain name. The browser displays a small lock as an indicator that this check succeeded.

On the local network, the operator can instead be enabled to issue the device certificate with their own local CA. For this purpose, a private key is generated on the device and stored securely there. The device uses it to create a Certificate Signing Request (CSR), which it makes available to the operator, who then issues the device certificate with their CA and installs it on the device.

 

How it works

Step 1: Create root certificate for the local CA

A root certificate is technically a self-signed certificate that serves as a trust anchor on the client devices. It should be created with a strong key and signature algorithm (for example an ECDSA P-256 or RSA 3072-bit key with SHA-256; the certificate itself does not encrypt anything, it only binds a name to a public key). For local use, the operator does not necessarily have to set up a complete PKI (Public Key Infrastructure) with intermediate CAs and revocation infrastructure. However, the private key of the root certificate must be stored as securely as possible, ideally offline: anyone who obtains it can issue certificates that every client in the network trusts.

The root certificate must be installed on all clients in order to create trust in the certificates used by the network devices. Why? Once the root certificate is in the trust store of a client, the operating system recognizes certificates signed by this root as trustworthy; browsers such as Firefox that maintain their own trust store may need the root installed separately. Without the root certificate installed, the clients would continue to display warnings about untrusted certificates.

Step 2: Generate certificate signing request

A private key and a Certificate Signing Request (CSR) are generated for each network device. The CSR contains the information required for the device certificate: the public key and the identity of the device, i.e. the IP address or the local DNS name under which clients will reach it. Browsers check this identity in the Subject Alternative Name (SAN) extension, not in the Common Name, so the CSR should carry the name or address as a SAN entry. The CA uses this information to issue the signed device certificate.

During the generation of the CSR, it is extremely important that the device's private key never leaves the device, i.e. it is never transmitted over the network; only the CSR, which contains the public key, is handed to the operator. On the device, the private key should be kept in protected storage (a secure element or TPM where available) and guarded against unauthorized access.

Step 3: Signing and installing the certificate

In the final step, the operator's local CA verifies the CSR (its signature proves that the requester holds the matching private key) and issues the device certificate, signing it with the private key of the root CA. The operator should also check that the name or address requested in the CSR really belongs to the device being provisioned, since the CA, not the device, is responsible for what goes into the certificate. The signed device certificate, which has a limited validity period and must be renewed before it expires, is then installed on the device. From now on, the device is trusted by all clients that trust the root certificate.
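The three steps as one runnable program. This is an added example and not code from the blog post or from M&M Software; it uses only Go's standard library and plays all three roles (the operator's CA host, the device, and a client with the root installed) in a single process so that it runs offline. In practice the operator would type the equivalent openssl commands and the device side would live in the device firmware. The CA name "Plant Local Root CA", the host name plc-01.plant.local and the address 192.168.10.20 are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Step 1 (operator): create the local root CA. Its private key stays on the CA host, ideally offline.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Plant Local Root CA"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Step 2 (device): key pair and CSR are generated on the device; only the CSR leaves it.
func deviceCSR(dnsName string, ip net.IP) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsName}, // for display only; browsers ignore a bare CN
		DNSNames: []string{dnsName}, IPAddresses: []net.IP{ip}, // the SAN is what browsers check
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return csrDER, key, err
}

// Step 3 (operator): check the CSR and issue the device certificate with the CA key.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	// The CA owns the contents: a real CA checks the requested SANs against its
	// record of the device being provisioned before copying them as done here.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		DNSNames:     csr.DNSNames, IPAddresses: csr.IPAddresses,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), // plan for renewal
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// Client side: with the root installed, a browser builds a chain to it and checks
// that the name it connected to (DNS name or IP address) is in the certificate.
func clientVerify(certDER []byte, root *x509.Certificate, host string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}) // EKU check defaults to serverAuth
	return err
}

func main() {
	root, caKey, err := newRootCA()
	if err != nil {
		panic(err)
	}
	csrDER, _, err := deviceCSR("plc-01.plant.local", net.ParseIP("192.168.10.20")) // constructed identity
	if err != nil {
		panic(err)
	}
	certDER, err := signCSR(csrDER, root, caKey, 2)
	if err != nil {
		panic(err)
	}
	otherRoot, _, _ := newRootCA() // a CA the client has not installed
	fmt.Println("root installed, right name:", clientVerify(certDER, root, "plc-01.plant.local"))
	fmt.Println("root installed, wrong name:", clientVerify(certDER, root, "other.plant.local"))
	fmt.Println("root not installed:        ", clientVerify(certDER, otherRoot, "plc-01.plant.local"))
}
```

Running it prints no error for the first check and errors for the other two: a certificate presented under a different name fails the name check, and a certificate issued by a CA whose root the client does not have is rejected as signed by an unknown authority, which is the same situation as the self-signed factory certificate the browser warns about. Note that no private key material ever crosses between the roles: only the CSR travels from the device to the CA, and only the signed certificate travels back.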

 

Conclusion

In local networks, device certificates cannot be issued and verified by public CAs. This is why routers, IoT and edge devices are usually delivered ex works with self-signed certificates for TLS. However, these cannot be verified by the clients in the network, which leads to trust issues and security warnings. As a solution, the device manufacturer should enable the operator to install certificates that are signed by a local CA: the key is generated on the device, a CSR is exported, and the signed certificate is imported. In this way, the operator can establish trust between the devices and the clients and improve the security of the local network.

Our team of experts will show you how you can easily integrate your IoT and edge devices into an internal network. Just get in touch with us.

About the author

 

Max Markon works at M&M Software GmbH in the IoT & Edge division with a passion for automation and cloud technologies. He studied General Computer Science with a specialization in IT Security and Networks at Furtwangen University. He has been able to apply and expand his knowledge in practice in numerous projects at M&M Software.
