meraj

meraj

NervesKey and Certificates Questions

I am very new to Embedded Systems and looking into Nerves to use in one of our IoT device. We are planning to use NervesKey on the board for secure communication channel.

As per my understanding, the primary key generated on NervesKey remain there and never leaves it. The device certificate will be generated based on the public key of this private key. This device certificate will be signed by an intermediate certificate which has some expiry set. So in this scenario, if the device certificate does not get updated on time, the communication channel will break and we won’t be able to access device.

To resolve this, we can notify the device 30 days before the expiration to update its certificate to continue using the same secure channel.

My questions in this regard are:

  1. Is it possible to update the device certificate as I believe it is going to be placed in in the storage of NervesKey which is available for modification. Is this correct understanding?
  2. For any reason if we are not able to update the certificate, we can always visit the site, connect via ssh to device over local network and copy the updated certificate. Is this correct as well?

Thank you.

Most Liked

fhunleth

fhunleth

Co-author of Nerves

Hi @meraj,

The NervesKey is really an ATECC608A. These chips are highly configurable so for Nerves, we decided on a setup that worked for our use cases of connecting to AWS IoT and NervesHub. There are two slots for keys and certificates: one slot is permanent and the other can be rewritten as much as you want (it’s called the aux slot for historical reasons). Everything is open-source, so you can modify it if you want, but my hope is that you don’t need to.

One thing to be aware of is that public key infrastructure is used more simply in practice with IoT services (I’m familiar with NervesHub and AWS IoT, but I’ve been told that others are similar).

So we’re using the same words: Devices have a public and private certificate. When using the ATECC608A, the private key in the private certificate is stored so that it never leaves the chip. The device’s public certificate is signed by another certificate generically called the signing certificate. This can be the CA certificate or an intermediate like in your case.

The crucial piece of information is that NervesHub, AWS IoT, and other services like that record device public certificates. That means that if a device is known to a service, ONLY the device’s public certificate needs to be valid to authenticate the device. That means that the signing certificate can be invalid and it won’t matter.

Of course, at some point in time you have to tell NervesHub or AWS IoT about your device. The server needs to know the signing certificate at this point. There are two ways of provisioning the server with new devices.

It can be done off the device. For example, if you make a lot of devices, you can write a script that records device certificates from the manufacturing line and upload them to the server. The certificates will need to be signed and the signing certificate needs to be valid for the server to accept the device certs.

The registration can also be done on the device. This is called JITP (just in time provisioning) on AWS and the idea is that the first time a device connects, the certificate chain will be validated and the device certificate registered. The downside to JITP is that if your device sits in a warehouse for a long time and the signing certificate’s expiration date passes, you’ll have to manually update the cert on the device for it to work.

The point is that there might be a way to avoid the 30 day re-signing of certificates.

Regarding your second question about SSH. If you have ssh running and the device is reachable, you’ll be able to get an IEx prompt. If your device is behind a firewall, then take a look at NervesHub. You have to enable IEx prompt access with NervesHub on your device, but if you do that, NervesHub will enable a button on the UI that will give you a shell window.

Hope this helps!

Where Next?

Popular in Questions Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&query=perfume&page=2, I would like to get: ...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New

Other popular topics Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 48342 226
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement