Here you'll find guidelines on how to set up your IoT configuration and client certificate when authenticating and authorizing clients with mutual authentication.
If you want to use a serial number of the certificate that clients present to edge servers as an authorization group, pay attention to the following tips and considerations:
Edge servers use hexadecimal notation when performing operations on serial numbers extracted from client certificates.
To check the hexadecimal value of a serial number in a client certificate, you can use the following command:
openssl x509 -in <cert_file.crt> -noout -text -serial.
Important: To use a serial number as an authorization group in the access control lists of your namespace configuration:
- Convert the serial number to lowercase.
- If present, remove the
0xprefix from the serial number value.
Let's see an example:
Serial number as an authorization group in the Mutual Authentication behavior of the IoT Edge Connect configuration
A piece of a client certificate showing a serial number in hexadecimal notation
93:e8:35:81:7c:5b:6d:77:6f:ab:e3:3c:b7:f4:41:34:ff:30: 35:54:71:43:28:40:5f:8f:d2:34:ac:79:a7:1c:a7:9e:77:70: 46:22:b8:ea:60:31:98:10:e3:b9:ef:a7:72:86:63:f2:10:8d: 5f:bc:59:7a:4e:9d:be:fd serial=FAED42417F79A88D
Serial number as an authorization group in the access control lists of the namespace configuration
In this example, this serial number value in a client certificate:
FAED42417F79A88D matches this authorization group in the namepsace configuration:
Updated about 1 year ago