Managing trusted certificates

Cumulocity allows devices to connect via MQTT protocol using a X.509 certificate for authentication. To do so, a certificate must be trusted by Cumulocity. A certificate is trusted when it is added to the trusted certificates and is in activated state.

Info
This section describes how to manage trusted certificates. For information on connecting devices using certificates refer to Device certificates.

Click Trusted certificates in the Management menu in the navigator.

All certificates owned by the tenant will be displayed.

Trusted certificates List

The Status column indicates if the certificate is enabled or disabled. At any given time a tenant can have any number of enabled or disabled certificates. Expand a certificate by clicking the arrow icon at the right to view more details.

The information in the table at the right side is extracted from the provided certificate. The content is read-only and cannot be changed.

Trusted certificate details

To add a certificate

Before adding a new trusted certificate, make sure that:

  • It is a X.509 certificate in PEM format.
  • It is in version 3.
  • It contains BasicConstraints:[CA:true].
  • It has not already been uploaded to Cumulocity.
  • It is still valid (not expired).

To add a certificate perform these steps:

  1. Click Add trusted certificate at the right of the top menu bar.
  2. In the resulting dialog box, provide the following information:
Field Description
Certificate name User-provided name for the certificate. This name is not used by Cumulocity and can serve as a description of the certificate.
Certificate File containing the certificate in PEM format. Add the file by dropping it into this field or browsing for it in your file system.
Auto registration If selected, new devices which use a certificate signed by the authority owning this trusted certificate will automatically be registered. The option does not support devices using the LWM2M protocol.
Enabled/ Disabled When disabled, devices which use a certificate signed by the authority owning this certificate, will not be able to connect.
  1. Click Add Certificate to validate and save the certificate.
Info
For performance reasons, you shouldn’t add the certificates of each device you want to connect, but only add the root certificate or one of the intermediate certificates from the chain which has been used to sign certificates used by devices.

To edit a trusted certificate

In the detail view of a certificate you may change the parameters on the left, that is, the certificate name, and the settings for the auto registration and enabled/disabled option.

For details on the fields, see the description on adding certificates above.

To delete a trusted certificate

To permanently delete a certificate from the trusted certificates list, click the delete icon at the right of the respective entry and in the context menu click Delete. The certificate will be permanently deleted.