Managing trusted certificate settings

Cumulocity allows administrators to fine-tune various certificate configurations. Currently, Certificate Revocation List (CRL) is supported.

Info
This section targets advanced users who need granular control over certificate attributes such as CRL, OCSP, Certificate Policy and PKI. If you are unfamiliar with these terms, it is advisable to leave the defaults. A bad configuration might result in changes that cannot be reversed.

CRL settings

In general, a Certificate Revocation List (CRL) contains the serial numbers of revoked certificates, together with the revocation reason and date for each entry. CRLs are issued periodically by Certificate Authorities (CAs) and published at an endpoint called the CRL Distribution Point (CDP).

In Cumulocity terms, if device certificates signed by a trust anchor are compromised, users can inform the platform about the revoked certificates in two ways:

  1. Online revocation: To perform online revocation checks, the device administrator is expected to upload a trusted CA that maintains a CRL of revoked certificate serial numbers and publishes the CRL location in its CDP attribute.
  2. Offline revocation: The trusted CA does not maintain the revocation details of the certificates, in which case platform users can manually upload the serial numbers of the revoked certificates.

Note that both online and offline CRL checks are disabled by default.

Important
Certificate revocation is an irreversible process, so offline entries cannot be removed once they have been made.

To enable online revocation

CRL details

  1. Click CRL check in the upper right corner of the screen.
  2. Enable the Online option.

To enable offline revocation

CRL details

  1. Click CRL check in the upper right corner of the screen to enable offline revocation.

  2. Check the Offline checkbox.

  3. To add revoked certificate serial numbers manually, enter the serial number and date in the Revoked certificates list panel.

    Click Down to add new entries in the format below:

    Field           | Description                                 | Example
    Serial number   | Must be a hexadecimal value.                | 0b8a5b9dd501a88775399b9a048811a3
    Date (optional) | Date format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z'.  | 2024-01-17T10:48:51.000Z

  4. Click Save to confirm your entries.

Info
If the date field is empty or contains a future date, the current date is used.

Offline CRL bulk upload

Info
Revoked certificate serial numbers can be added in bulk. Each file can hold at most 5000 revocation entries. If a date is in the future, it defaults to the current date. In case of a duplicate, the existing entry is retained.

To bulk upload, follow these steps:

  1. Download the CSV template from the Revoked certificates list panel.
  2. Fill in all revoked certificate serial numbers and revocation dates.
  3. Upload the filled CSV file using file upload.
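The following added example (not Cumulocity code) pre-validates an offline CRL CSV before upload, applying the rules stated for both manual entries and bulk files: hexadecimal serial numbers, the yyyy-MM-dd'T'HH:mm:ss.SSS'Z' date format, empty or future dates replaced by the current date, duplicates resolved in favour of the existing entry, and the 5000-entry limit. The column names, the case-insensitive and leading-zero-insensitive serial comparison, and the sample rows are assumptions; the real header comes from the downloaded template.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Assumed column names; the real header comes from the CSV template downloaded from the panel.
SERIAL_COL, DATE_COL = "serialNumber", "revocationDate"
DATE_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # strptime form of yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
MAX_ENTRIES = 5000                  # documented per-file limit
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample file: a duplicate (case differs), an empty date and a future date.
SAMPLE_CSV = """serialNumber,revocationDate
0b8a5b9dd501a88775399b9a048811a3,2024-01-17T10:48:51.000Z
0B8A5B9DD501A88775399B9A048811A3,2024-02-01T00:00:00.000Z
1a2b3c,
4d5e6f,2999-12-31T23:59:59.000Z
"""

def normalise_entry(serial, date_str, now):
    """Validate one row and apply the documented defaults; returns (serial, revocation date)."""
    serial = serial.strip().lower().lstrip("0") or "0"  # assumption: compare hex serials by value
    if not HEX_RE.match(serial):
        raise ValueError(f"serial {serial!r} is not a hexadecimal value")
    if not date_str.strip():
        return serial, now           # empty date: the current date is used
    date = datetime.strptime(date_str.strip(), DATE_FMT).replace(tzinfo=timezone.utc)
    return serial, min(date, now)    # future date: defaults to the current date

def load_offline_crl(csv_text, now=None):
    """Parse a bulk-upload CSV into {serial: revocation date}; an earlier entry wins on duplicates."""
    now = now or datetime.now(timezone.utc)
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial, date = normalise_entry(row[SERIAL_COL], row[DATE_COL], now)
        entries.setdefault(serial, date)  # a later duplicate does not overwrite the existing entry
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES} per file")
    return entries

def is_revoked(cert_serial: int, entries, at=None):
    """Check a certificate's integer serial (as X.509 libraries expose it) against the offline list."""
    at = at or datetime.now(timezone.utc)
    revoked_at = entries.get(format(cert_serial, "x"))
    return revoked_at is not None and revoked_at <= at

if __name__ == "__main__":
    crl = load_offline_crl(SAMPLE_CSV)
    print(is_revoked(0x0b8a5b9dd501a88775399b9a048811a3, crl))  # True
```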

To download or view the offline CRL file

In the Revoked certificates list panel, click Download CRL file.