Guidelines

Here you'll find guidelines on how to set up your IoT configuration and client certificate when authenticating and authorizing clients with mutual authentication.

Serial number as an authorization group

If you want to use the serial number of the certificate that clients present to edge servers as an authorization group, pay attention to the following tips and considerations:

  • Edge servers use hexadecimal notation when performing operations on serial numbers extracted from client certificates.

  • To check the hexadecimal value of a serial number in a client certificate, run the following command:

    openssl x509 -in <cert_file.crt> -noout -text -serial

  • Important: To use a serial number as an authorization group in the access control lists of your namespace configuration:

    • Convert the serial number to lowercase.
    • If present, remove the 0x prefix from the serial number value.

Let's see an example:

Serial number as an authorization group in the Mutual Authentication behavior of the IoT Edge Connect configuration

An excerpt of the openssl output for a client certificate, showing the serial number in hexadecimal notation

     93:e8:35:81:7c:5b:6d:77:6f:ab:e3:3c:b7:f4:41:34:ff:30:
     35:54:71:43:28:40:5f:8f:d2:34:ac:79:a7:1c:a7:9e:77:70:
     46:22:b8:ea:60:31:98:10:e3:b9:ef:a7:72:86:63:f2:10:8d:
     5f:bc:59:7a:4e:9d:be:fd
serial=FAED42417F79A88D

Serial number as an authorization group in the access control lists of the namespace configuration

In this example, the serial number value in the client certificate, FAED42417F79A88D, matches the authorization group faed42417f79a88d in the namespace configuration, because the value was converted to lowercase (and has no 0x prefix).
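The normalization rules above (hexadecimal, lowercase, no 0x prefix) are easy to get wrong when values are copied by hand from openssl output. The following Python script is an added example, not Akamai's code or part of the IoT Edge Connect product; it normalizes a serial number taken from any of the usual sources (the serial= line of openssl x509 -serial, the colon-separated bytes of openssl x509 -text, a 0x-prefixed string, or an integer), checks it against a set of ACL authorization groups, and flags ACL entries that are not in canonical form. The ACL_AUTH_GROUPS set and the OPENSSL_OUTPUT excerpt are constructed for the example (the serial value is the one from the page), and the script assumes the edge server compares the normalized certificate serial literally against each ACL entry, which is why the guidelines require the entry itself to be lowercase without a prefix.

```python
import re


# Constructed ACL entries for a namespace configuration. Per the guidelines,
# each authorization group must be lowercase hex with no 0x prefix.
ACL_AUTH_GROUPS = {"faed42417f79a88d", "0123456789abcdef"}

# Constructed excerpt of `openssl x509 -in client.crt -noout -text -serial`
# output; the serial value is the one used in the page's example.
OPENSSL_OUTPUT = """\
    Signature Algorithm: sha256WithRSAEncryption
         5f:bc:59:7a:4e:9d:be:fd
serial=FAED42417F79A88D
"""


def normalize_serial(raw) -> str:
    """Return a serial number as lowercase hex with no 0x prefix and no separators.

    Accepts the forms a practitioner is likely to copy from:
      - the `serial=...` line printed by `openssl x509 -serial`
      - the colon-separated bytes printed by `openssl x509 -text` (fa:ed:42:...)
      - a 0x-prefixed hex string
      - a Python int (assumed to be the decoded serial; padded to whole bytes
        so that it matches openssl's two-hex-digits-per-byte output)
    """
    if isinstance(raw, int):
        if raw < 0:
            raise ValueError("certificate serial numbers are non-negative")
        hexstr = format(raw, "x")
        return ("0" + hexstr) if len(hexstr) % 2 else hexstr
    s = raw.strip()
    if s.lower().startswith("serial="):
        s = s[len("serial="):]
    s = s.replace(":", "").replace(" ", "")
    if s.lower().startswith("0x"):
        s = s[2:]  # drop the 0x prefix, as the guidelines require
    s = s.lower()  # edge servers expect lowercase hex in the ACL
    if not s or not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError(f"not a hexadecimal serial number: {raw!r}")
    return s


def serial_from_openssl_output(text: str) -> str:
    """Pick the serial= line out of `openssl x509 -text -serial` output."""
    for line in text.splitlines():
        if line.lower().startswith("serial="):
            return normalize_serial(line)
    raise ValueError("no serial= line found in openssl output")


def is_authorized(cert_serial, auth_groups) -> bool:
    """Model of the edge-side check: the normalized certificate serial must
    literally equal one of the configured authorization groups (assumption)."""
    return normalize_serial(cert_serial) in set(auth_groups)


def lint_acl_groups(auth_groups) -> list:
    """Return ACL entries that are not in canonical form (uppercase, 0x prefix,
    separators, or not hex at all); these would never match a presented cert."""
    bad = []
    for group in auth_groups:
        try:
            canonical = normalize_serial(group)
        except ValueError:
            bad.append(group)
            continue
        if group != canonical:
            bad.append(group)
    return sorted(bad)


if __name__ == "__main__":
    serial = serial_from_openssl_output(OPENSSL_OUTPUT)
    print("normalized serial:", serial)
    print("authorized:", is_authorized(serial, ACL_AUTH_GROUPS))
    print("non-canonical ACL entries:", lint_acl_groups({"faed42417f79a88d", "0xFAED42417F79A88D"}))
```

Run lint_acl_groups over the authorization groups you intend to configure before deploying the namespace ACL: an entry such as 0xFAED42417F79A88D passes a casual review but, under the comparison modelled here, would silently deny every client presenting that certificate.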
