Certificates and keys

Definitions

Within this document, there are several public or private keys mentioned that are relevant for the agrirouter. The following table shall give an overview of the different Keys/Certificates and their usage:

Name Description Usage

agrirouter public key

A certificate to prove the identity of the agrirouter. Only the public key is available to developers

Verify the signature in the authentication process

Application Key Pair

The key pair that can be provided to or created by the agrirouter when creating a new software.

Create the signature for the onboarding Process

Endpoint Certificate

The certificate of an endpoint, used for the encrypted communication with the agrirouter

Standard communication in REST or MQTT; "Everything after onboarding"

agrirouter public keys

These are the public keys used by the agrirouter. These are required for example to verify redirect messages from agrirouter in the authorization process.

Area Environment Public Key

EU

Quality Assurance "QA"

 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy8xF9661acn+iS+QS+9Y
3HvTfUVcismzbuvxHgHA7YeoOUFxyj3lkaTnXm7hzQe4wDEDgwpJSGAzxIIYSUXe
8EsWLorg5O0tRexx5SP3+kj1i83DATBJCXP7k+bAF4u2FVJphC1m2BfLxelGLjzx
VAS/v6+EwvYaT1AI9FFqW/a2o92IsVPOh9oM9eds3lBOAbH/8XrmVIeHofw+XbTH
1/7MLD6IE2+HbEeY0F96nioXArdQWXcjUQsTch+p0p9eqh23Ak4ef5oGcZhNd4yp
Y8M6ppvIMiXkgWSPJevCJjhxRJRmndY+ajYGx7CLePx7wNvxXWtkng3yh+7WiZ/Y
qwIDAQAB
-----END PUBLIC KEY-----

EU

Production

 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwCxD31sYtzH9NTfZ6n8H
+H/QgOaoTL9GAakplAsdwYSLjBpgYMZOHIgkdM9ksRP8WsITChtZtxrCnBjR8bap
ekPT/pM9zPZlNEPxUlylJNwwTWjzTJP03+Yr07Q8v8fTJ5VWzAHlHtGQ/sI7yXA8
pzruTNre1MzxO3lkljt2Q2e7CVXAp1b53BghgysppL9Bl7NK1R+vdWSs0B1Db/Gj
alOkWUnhivTjRMX61RGDCQSVSEaX12EvJX7FooAsW3NFeZCgeZGWEa5ZMALIiBL4
GNASOOHju7ewlYjkyGIRxxAoc3C0w5dg1qlLiAFWToYwgDOcUpLRjU/7bzGiGvp8
RwIDAQAB
-----END PUBLIC KEY-----

Application keys

The keys of the application can be found at the endpoint software overview when selecting an application and clicking on edit.

362
Figure 1. Private and public key of an application in agrirouter

Only the public key will be stored in the agrirouter, the private key has to be stored by your app in a secure way.

Endpoint certificate

The endpoint certificate is used to encrypt the communication with the agrirouter. It is delivered with the onboarding request.

{
    "deviceAlternateId": "6f1d952b-538e-4269-94b7-02bf51e83413",
    "capabilityAlternateId": "81ce3fd5-2f70-4270-ad15-1689ab6971bf",
    "sensorAlternateId": "aed40673-8e32-4f10-8cc8-3db2b58ed1bd",
    "connectionCriteria": {
        "gatewayId": "3",
        "measures": "https://dke-qa.eu1.cp.iot.sap/iot/gateway/rest/measures/6f1d952b-538e-4269-94b7-02bf51e83413",
        "commands": "https://dke-qa.eu1.cp.iot.sap/iot/gateway/rest/commands/6f1d952b-538e-4269-94b7-02bf51e83413"
    },
    "authentication": {
        "type": "PEM",
        "secret": "yY2uU1vV8aA1yY8uU1vV1cC",
        "certificate": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE6zAdBgoqhkiG9w0BDA\nVD8E3qSEsvWS1Z93XPji\n-----END ENCRYPTED PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIOAIjM.....sV4DpbNKJlHut6OOOkzGCI+gsE=\n-----END CERTIFICATE-----\n"
    }
}

The certificate you receive during onboarding is valid for a certain period. This period is currently 10 years (up until July 2022, this period has been 1 year).

After that, you have to perform the re-onboarding.

Be aware that this will require user interaction.

If your are using MQTT Router Devices, you only have to renew the Router Devices' certificates centrally because the endpoints' certificates are not used in that case.