
Pros and Cons of implementing custom certificate provisioning for IoT devices

Çağlar Arlı


I'm working on a project to improve the security of IoT devices by using a per-device X.509 certificate for authentication. The company uses IoT sensors, built in-house, to gather data for analytics.

Initially we considered Azure's IoT Hub, since it supports certificate authentication, but after further reading we understood that it has no built-in way to provision an appropriate certificate to the end device. Also, communication can only go through the IoT Hub, and we have already implemented two-way communication. Ideally we want to enhance our existing communication security with certificates.

The device we need to secure is a gateway that gathers data from multiple end sensors and sends it to our cloud backend. It runs a Linux OS and Python inside Docker containers. Parameters: Armv7 Cortex-A8, 1 GB RAM. It also has a TPM.

Currently our plan is to provision the device with a device-specific certificate. Using the certificate we can establish mTLS with our backend.

Currently we are considering the following options to provide a certificate to the end device:

  • Using an Enrollment over Secure Transport (EST) service from an external provider to get a certificate directly from the device. The main concern here is cost.
  • Putting an intermediate CA cert on the end device via OTA update and using this CA to sign a device-specific "leaf" certificate entirely inside the device.
  • Implementing a custom API in our backend that receives a Certificate Signing Request, signs a new certificate with our CA in the backend, and returns a device-specific certificate.

The concern with the last two approaches is missing functionality, such as certificate revocation, and possible security vulnerabilities due to the custom implementation. On the other hand, our use case might not need the full functionality of a certificate provider; for example, instead of revoking a certificate, we can stop access for a given device based on its ID at the application layer.

In short, our questions are: is it feasible at all to consider a custom implementation for this? Are there any other approaches? Are there other angles we need to consider and vulnerabilities we need to cover?

It is clear we are not security experts, so any feedback will be appreciated. Thank you!
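The third option in the question (device sends a CSR, backend signs it with its own CA, backend later enforces access by device ID) is small enough to show end to end. The block below is an added example written for this page, not code from the original post or from any product it mentions. It uses only Go's standard library and makes the following assumptions: the device identity is the hypothetical ID `gw-0001`, the backend has already authenticated that identity out of band (for example through a one-time enrollment token) before it sees the CSR, the CA is a hypothetical self-signed "Example Device CA", and a software P-256 key stands in for a key that on the real gateway would be generated inside the TPM. The two checks a custom signer most often gets wrong are the ones the example enforces: the CSR's signature is verified (proof of possession of the private key), and the subject, key usages, CA flag and validity of the issued certificate are set by the backend from the authenticated identity rather than copied from whatever the CSR asks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device side: create the device key pair and a CSR naming the device.
// Assumption: on the real gateway the key would be generated inside the TPM
// so the private key never exists in plain RAM; a software key stands in here.
func GenerateDeviceKeyAndCSR(deviceID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, csrDER, nil
}

// Backend side: a self-signed CA standing in for the backend's device CA
// (hypothetical name; a real deployment would keep this key in an HSM/KMS).
func NewDeviceCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Backend side: the "custom API" that turns a CSR into a device certificate.
// authenticatedID is the identity the backend established itself (e.g. from a
// one-time enrollment token); it is never taken from the CSR. Only the public
// key comes from the CSR; subject, usages and lifetime are set here.
func SignDeviceCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte,
	authenticatedID string, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if csr.Subject.CommonName != authenticatedID {
		return nil, fmt.Errorf("csr names %q but device authenticated as %q",
			csr.Subject.CommonName, authenticatedID)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: authenticatedID},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validity), // short-lived: expiry replaces revocation
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false, // a device can never become a sub-CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Backend side at connection time: verify the chain, then apply the
// application-layer "revocation" from the post (a set of active device IDs).
func AuthorizeDevice(leaf, ca *x509.Certificate, active map[string]bool, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	id := leaf.Subject.CommonName
	if !active[id] {
		return "", fmt.Errorf("device %q is disabled", id)
	}
	return id, nil
}

func main() {
	ca, caKey, _ := NewDeviceCA()
	_, csr, _ := GenerateDeviceKeyAndCSR("gw-0001")
	leaf, err := SignDeviceCSR(ca, caKey, csr, "gw-0001", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := AuthorizeDevice(leaf, ca, map[string]bool{"gw-0001": true}, time.Now())
	fmt.Println("authorized:", id, err)
	_, err = AuthorizeDevice(leaf, ca, map[string]bool{}, time.Now())
	fmt.Println("after disabling in the allowlist:", err)
}
```

Two design points follow from the post's own reasoning. Because the backend decides on the lifetime, keeping `validity` short (hours to days) and having the gateway re-enroll lets expiry do the job of revocation, so the allowlist only has to cover the window until the current certificate runs out. And because the CSR contributes nothing but a public key, a compromised gateway cannot request a certificate for another device's ID or a CA certificate, which is the class of bug custom signing endpoints are usually criticized for.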