Learn how to configure EJBCA to generate device identities and test the mechanisms described in the IEEE standard 802.1 AR.

IEEE 802.1 AR is a standard developed by the Institute of Electrical and Electronics Engineers (IEEE) for secure device identification and authentication in network environments. It is part of the broader IEEE 802.1 family of standards focused on local and metropolitan area network technologies.

The standard provides a framework for establishing trust between network devices, enabling them to communicate and interact securely. It addresses the challenges of identifying and verifying the authenticity of devices on a network, helping to prevent unauthorized access, tampering, or malicious activity.

By implementing this standard, organizations can establish trust relationships between devices, preventing unauthorized access and protecting against rogue devices. IEEE 802.1 AR utilizes digital certificates to authenticate devices, ensuring only authorized and trusted devices can access the network. This protocol promotes interoperability, scalability, and future-proofing, enabling organizations to easily integrate devices from different vendors and adapt to evolving network environments.

In this tutorial, you will learn how to: 

  • Configure an issuing Certificate Authority (CA) to provision Initial Device Identifiers (IDevIDs)

  • Configure certificate profiles and end entity profiles for an IDevID

  • Test the EJBCA PKI setup by requesting a certificate from a test client

Prerequisites

Before you begin, you need to have a Root Certificate Authority (CA) set up in EJBCA. To learn how to set up a Root CA, you can follow the tutorial Create your first Root CA using EJBCA.

You also need a configured REST interface. For information on enabling the EJBCA REST API Certificate Management service so that certificates can be issued through EJBCA, see EJBCA REST Interface.

Step 1 - Create Sub CA

The following sections cover how to configure a Sub CA in EJBCA, that is, how to create an issuing CA to provision Initial Device Identifiers (IDevIDs).

Create Sub CA crypto token

Follow the steps to create crypto tokens holding the subordinate CA signing keys needed for creating the CA in a later step.

To create a Sub CA soft crypto token and keys, follow these steps:  

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:

    • Name: Specify a name for the Sub CA crypto token, in this example IDevIdCa-CryptoToken.

    • Auto-Activation: Click Use to enable.

    • Allow export of private keys: Click Allow to enable.

    • Authentication Code: Enter a password to be used to activate the crypto token. Remember this password.

  3. Click Save to create the Sub CA crypto token.

  4. Next, generate three CA keys:

    • For the signKey, use the default RSA 4096 and click Generate new key pair to create the keys.

    • Repeat to create an internal encryption key: name the key encryptKey and use the default RSA 4096 and click Generate new key pair.

    • Last, repeat to create a test key: name the key testKey, select RSA 2048, and then click Generate new key pair.

You have now created the Sub CA crypto token and keys.

Create Sub CA certificate profile

Next, create a certificate profile for the issuing Sub CA. The certificate profile defines the constraints of new certificates, for example, what keys it can use, and what the extensions will be. For an introduction to certificate profiles, see the Certificate Profiles Overview.

To create a certificate profile for creating the issuing Sub CA in the next step, follow these steps:

  1. In EJBCA, under CA Functions, click Certificate Profiles.
    The Manage Certificate Profiles page displays a list with default profiles.

  2. Specify a name for the profile in the bottom row, such as "IssuingCaProfile-IDevId" and click Add.

  3. Find the newly created profile displayed in the list and click Edit.

  4. On the Edit page, update the following:

    • For Type, select Sub CA.

    • For Available Key Algorithms, select ECDSA and RSA.

    • For Validity or end date of the certificate, specify 10y.

  5. Click Save to store the issuing CA certificate profile.

The newly created profile is displayed in the list of certificate profiles.

Create Sub CA

To create the issuing CA, follow these steps:

  1. Click Certification Authorities under CA Functions.

  2. In the Add CA field, enter a name such as "IssuingCa-IDevId" and click Create.

  3. On the Create CA page, update the following:

    • For Crypto Token, select the Sub CA crypto token IDevIdCa-CryptoToken (created earlier in the step Create Sub CA crypto token).

    • Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.

    • Under CA Certificate Data, specify the following:

      • Signed By: Select your RootCa.

      • Certificate Profile: Verify that the issuing CA profile is selected, in this example IssuingCaProfile-IDevId.

      • Validity: Specify 10y.

  4. Click Create to create the Sub CA.

The created issuing Sub CA is displayed in the list of CAs.

Step 2 - Create end entity profiles

The following sections cover how to create the certificate profile and end entity profile for the Initial Device Identifier (IDevID).

Create end entity certificate profile

To create an end entity certificate profile, follow these steps:

  1. In EJBCA, under CA Functions, click Certificate Profiles.

  2. Specify a name for the profile in the bottom row, such as "EndEntityProfile-IDevId" and click Add.

  3. Find the newly created profile displayed in the list and click Edit.

  4. On the Edit page, verify that the type is End Entity and update the following:

    • For Available Key Algorithms, select ECDSA and RSA.

    • For Validity or end date of the certificate, enter 9999-12-31, which gives the IDevID the unlimited validity the specification calls for.

    • Verify that Extended Key Usage is enabled and select Client Authentication.

  5. Click Save to store the certificate profile.

The newly created profile is displayed in the list of certificate profiles.

Create end entity profile

An end entity is a user of the PKI, like a device, person, or server. It is called the end entity as, in a hierarchy of certificates in the PKI, it is the endpoint and not authorized to issue any certificates of its own.

To create an end entity profile for issuing IDevID certificates, follow these steps:

  1. In EJBCA, under RA Functions, click End Entity Profiles.

  2. In the Add Profile field, add a name for the new profile, in this example EndEntity--IDevId, and click Add profile.

  3. Select the newly created profile, and click Edit End Entity Profile to update the profile.

  4. Edit the profile and update the following:

    • Under Subject DN Attributes:

      • Add O, Organization and leave the default Modifiable selected.

      • Add C, Country and leave the default Modifiable selected.

      • Add serialNumber, Serial number (in DN) and leave the default Modifiable selected.

    • Under Other Subject Attributes, you can specify options for Subject Alternative Name (SAN).

      • In the Subject Alternative Name list, select Uniform Resource Identifier (URI) and click Add. For the displayed Uniform Resource Identifier (URI) field, leave the default Modifiable selected.

      • In the Subject Alternative Name list, select IP Address and click Add. For the displayed IP Address field, leave the default Modifiable selected.

    • For Default Certificate Profile, select the EndEntityProfile-IDevId profile (created earlier in Create end entity certificate profile).

    • For Available Certificate Profiles, select the EndEntityProfile-IDevId profile (created earlier in Create end entity certificate profile).

    • For Default CA, select the IssuingCa-IDevId (created earlier in Create Sub CA).

    • For Available CAs, select the IssuingCa-IDevId (created earlier in Create Sub CA).

    • For Default Token, select P12 file.

  5. Click Save to store the end entity profile.

The newly created profile is displayed in the list of end entity profiles.

You have now configured an issuing CA to provision Initial Device Identifiers (IDevIDs), together with the certificate profile and end entity profile for the IDevID, and can continue to the next step to test your setup with a software stack.

Step 3 - Test the EJBCA PKI setup by requesting a certificate from a test client

The following section describes the bootstrapping process of a device: a key pair is generated locally, a CSR is created from it and sent to the PKI via the REST interface. The stack used is written in Python and is part of an implementation of the basic functions of IEEE 802.1 AR. A removable HSM, accessed through a PKCS#11 interface, stores the keys and certificates.

Before the stack can be used, the environment must be initialized. Note that the exact steps depend on your setup; in this example, this mainly concerns the HSM used.

To prepare the environment, follow the steps described in the setup repository on GitHub. The repository contains the complete stack with extended functions that are not part of this tutorial.

After a successful configuration, the bootstrap process executes the following steps:

  • setup_idev_id() - Sets the necessary parameters for labels, a random Common Name and a random Serial Number.

  • create_key() - Creates an RSA private/public key pair on the HSM.

  • generate_csr() - Creates a CSR with the previously generated key pair.

  • request_cert() - Creates a certificate request using the parameters defined in __config__py.

  • import_certificate() - Imports the certificate created by EJBCA into the HSM.
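The bootstrap steps above, as an added example that is not part of the tutorial or the GitHub stack: it builds a CSR whose DN and SAN match the end entity profile configured in Step 2 and prepares the body for EJBCA's REST pkcs10enroll call. It assumes the cryptography library, the tutorial's profile and CA names, a placeholder EJBCA host, and a software RSA key standing in for the key the real stack creates on the HSM via PKCS#11; the HTTP POST itself is left to the caller.

```python
# Added example (not from the tutorial or the GitHub stack): builds an IDevID CSR
# matching the tutorial's end entity profile and the JSON body for EJBCA's REST
# pkcs10enroll call. A software RSA key stands in for the PKCS#11 HSM key.
import ipaddress
import secrets
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
# Names from the tutorial; the EJBCA host is an assumed placeholder.
EJBCA_ENROLL_URL = "https://ejbca.example.test/ejbca/ejbca-rest-api/v1/certificate/pkcs10enroll"
CA_NAME = "IssuingCa-IDevId"
CERT_PROFILE = "EndEntityProfile-IDevId"
EE_PROFILE = "EndEntity--IDevId"

def setup_idev_id(org="Example Corp", country="SE"):
    """Random Common Name and Serial Number, as the stack's setup_idev_id() does."""
    return {"CN": "idevid-" + secrets.token_hex(4), "O": org, "C": country,
            "serialNumber": secrets.token_hex(8).upper()}

def create_key():
    """Software stand-in for the key the real stack creates on the HSM via PKCS#11."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def generate_csr(key, ident, uri, ip):
    """CSR whose DN (O, C, serialNumber) and SAN (URI, IP) match the end entity profile."""
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, ident["CN"]),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, ident["O"]),
        x509.NameAttribute(NameOID.COUNTRY_NAME, ident["C"]),
        x509.NameAttribute(NameOID.SERIAL_NUMBER, ident["serialNumber"]),
    ])
    san = x509.SubjectAlternativeName(
        [x509.UniformResourceIdentifier(uri), x509.IPAddress(ipaddress.ip_address(ip))])
    return (x509.CertificateSigningRequestBuilder().subject_name(subject)
            .add_extension(san, critical=False).sign(key, hashes.SHA256()))

def describe_csr(csr):
    """Pre-submission check of the fields the end entity profile constrains."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {"signature_valid": csr.is_signature_valid,
            "serialNumber": csr.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER)[0].value,
            "uris": san.get_values_for_type(x509.UniformResourceIdentifier),
            "ips": [str(a) for a in san.get_values_for_type(x509.IPAddress)]}

def request_cert_body(csr, username, password):
    """Body for POST EJBCA_ENROLL_URL (json.dumps it; the stack authenticates with a client cert)."""
    pem = csr.public_bytes(serialization.Encoding.PEM).decode()
    return {"certificate_request": pem, "certificate_profile_name": CERT_PROFILE,
            "end_entity_profile_name": EE_PROFILE, "certificate_authority_name": CA_NAME,
            "username": username, "password": password, "include_chain": True}
```

The certificate returned in the response is what the real stack then stores on the HSM with import_certificate().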

The issued IDevID can now be used as a basis for further operations which are also described in IEEE 802.1. For example, when bootstrapping an LDevID, the IDevID stored on the device must be validated before the bootstrapping process is performed.

Next steps

In this tutorial, you learned how to configure an issuing CA and profiles in EJBCA in order to generate Initial Device Identifiers (IDevIDs) described in the IEEE 802.1 AR standard.

Next, you can browse our other video tutorials on the Keyfactor Community YouTube channel.