I am trying to set up my device to connect to nerveshub. I managed to make it work the easy way, by providing a shared secret, but now I'm struggling to understand how to set it up properly using my own CA. After reading through Client-side SSL for devices, there are a few strange things that don't make sense to me:
The private keys associated with these certificates are never seen by NervesHub.
In the UI (org → certificates) I’ve uploaded 2 files:
- verificationCert.crt - which is a certificate I generated following the instructions with my own rootCA;
- rootCA.pem - the contents of this file are not entirely clear to me; should it contain the certificate chain? For example, in my case, if I have rootCA → verificationCert, what should this file contain? At the moment I have the self-signed certificate and the private key of rootCA in that pem file, and it seems it was accepted; however, from the above statement, I don't think the private key belongs here.
Afterwards, the instructions on the device setup say the following:
The signer CA must be included in the connection request alongside the NervesHub intermediate CAs.
This part is the most confusing, as I would expect the connection to the web part of nerveshub to be using the letsencrypt certificate I use to serve https traffic. So then the question is: why do I need this intermediate CA to be added on the device?
PS: I've never used similar services before; if you know where I can read better documentation on this, for example how AWS is doing this, that would be highly appreciated.
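As an added illustration (not from the original post or the NervesHub docs), the POSIX shell functions below check a PEM bundle before it is uploaded as a signer CA, following the quoted rule that the private keys are never seen by NervesHub: they count CERTIFICATE blocks, reject any bundle that still carries a PRIVATE KEY block, and write a copy holding only the certificate blocks. The sample bundle, its placeholder bodies and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or the NervesHub docs.
# Checks a PEM bundle before upload: a file that mixes a certificate
# with its private key is rejected and reduced to CERTIFICATE blocks.

# pem_count FILE LABEL: number of "-----BEGIN ...LABEL-----" headers.
# "|| true" keeps the printed 0 when grep finds nothing.
pem_count() {
    grep -c -- "^-----BEGIN .*$2-----" "$1" || true
}

# pem_check FILE: "ok: ..." and status 0 when the bundle holds only
# certificates; otherwise a "reject: ..." reason and status 1.
pem_check() {
    certs=$(pem_count "$1" CERTIFICATE)
    keys=$(pem_count "$1" "PRIVATE KEY")
    if [ "$keys" -gt 0 ]; then
        echo "reject: $keys private key block(s) must not be uploaded"
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "reject: no CERTIFICATE block found"
        return 1
    fi
    echo "ok: $certs certificate(s), no private key"
}

# pem_strip_keys FILE: print only the CERTIFICATE blocks, in order,
# dropping any key material concatenated into the same file.
pem_strip_keys() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"
}

# make_sample_bundle FILE: constructed stand-in for a rootCA.pem holding
# a self-signed cert plus its key; the base64 bodies are placeholders.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgcHJpdmF0ZSBrZXk=
-----END RSA PRIVATE KEY-----
EOF
}

# Usage: the mixed bundle is rejected; the stripped copy passes.
bundle=$(mktemp); make_sample_bundle "$bundle"
pem_check "$bundle" || pem_strip_keys "$bundle" > "$bundle.crt"
pem_check "$bundle.crt"; rm -f "$bundle" "$bundle.crt"
```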