
For an IoT device is there a way to associate a certificate authority that will not expire in a year so the device can roll certs periodically?

To me it is a chicken-and-egg thing. I want an architecture that will always have the device renewing keys on updates or periodically. Initially, I can have the manufacturer set up the CA on the device. But that can't be a long-term thing like 30 years, as it is not advised. So let's say it is a 1-year CA.

I am not to pass any private keys over, so how do I create a CSR to obtain a new cert if my cert has perhaps expired? How could I ever get a new cert, unless that would mean I would have to firmware-update the device and reset it to a firmware with the new CA, such as via an OTA update?

If it is not expired, I guess I could periodically "update" the device, so there isn't a factory reset but a simple update which would do things like reset the CA or even request a new CA on the device, so as to be able to renew the client (device) key.

Am I thinking of this correctly?
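A sketch of the renewal loop the question is circling, added here as an example and not code from the original post: the device ships with only the public certificate of a long-lived root as its trust anchor, generates its key pair locally so no private key ever crosses the wire, and renews a short-lived leaf by sending a new CSR plus a signature over that CSR made with its current, still-valid key; once the leaf has lapsed the CA refuses, and re-enrolment has to happen out of band (for instance through signed firmware). The names, the use of the `cryptography` library and the validity periods are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

DER, SIG = serialization.Encoding.DER, ec.ECDSA(hashes.SHA256())

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_root(now, days):
    # Long-lived trust anchor; only its public certificate ships in device firmware (constructed name).
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(name("IoT Root (constructed)"))
            .issuer_name(name("IoT Root (constructed)")).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, csr, now, days):
    # Short-lived device certificate; `days` is the assumed leaf lifetime.
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))

def device_make_csr(cn):
    # Fresh key pair generated on the device; the private key never leaves it.
    key = ec.generate_private_key(ec.SECP256R1())
    return key, x509.CertificateSigningRequestBuilder().subject_name(name(cn)).sign(key, hashes.SHA256())

def device_prove_identity(current_key, csr):
    # Proof of possession: sign the new CSR with the key behind the *current* certificate.
    return current_key.sign(csr.public_bytes(DER), SIG)

def ca_renew(ca_key, ca_cert, current_cert, csr, proof, now, days=90):
    # Renew only while the current certificate is unexpired and chains to this CA.
    if current_cert.issuer != ca_cert.subject:
        raise ValueError("current certificate not issued by this CA")
    ca_cert.public_key().verify(current_cert.signature, current_cert.tbs_certificate_bytes,
                                ec.ECDSA(current_cert.signature_hash_algorithm))
    if not current_cert.not_valid_before <= now <= current_cert.not_valid_after:
        raise ValueError("current certificate expired: re-enrol out of band (signed OTA)")
    current_cert.public_key().verify(proof, csr.public_bytes(DER), SIG)  # raises InvalidSignature
    if not csr.is_signature_valid or csr.subject != current_cert.subject:
        raise ValueError("CSR signature or subject mismatch")
    return issue_leaf(ca_key, ca_cert, csr, now, days)
```

Renewing well inside the leaf's validity window (here, two thirds of the way through a 90-day lifetime) is what keeps the device from ever needing the expired-certificate fallback.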
