Certificate Overview

Bordi Tamás edited this page Nov 18, 2021 · 4 revisions

Certificate Profile

Arrowhead Framework's security relies on SSL certificate trust chains. The Arrowhead trust chain consists of three levels:

  1. Master certificate: arrowhead.eu
  2. Cloud certificate: my-cloud.my-company.arrowhead.eu
  3. Client certificate: my-client.my-cloud.my-company.arrowhead.eu

The certificate naming convention has strict rules:

  • The parts are delimited by dots, therefore a part is not allowed to contain a dot.
  • A single part may contain at most 63 characters consisting of letters (English alphabet), digits and dashes (-); it has to start with a letter and cannot end with a dash.
  • A cloud certificate name has to consist of four parts, and the last two parts have to be 'arrowhead' and 'eu'.
  • A client certificate name has to consist of five parts, and the last two parts have to be 'arrowhead' and 'eu'.
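The naming rules above, implemented as a small validator. This is an added example, not code from the Arrowhead project; the `issued_by_cloud` check assumes, based on the example names on this page, that a client name is its own first part followed by the full name of the issuing cloud.

```python
import re

# Constructed example (not Arrowhead project code): classifies a certificate
# common name according to the Arrowhead naming convention described above.

# One part: starts with a letter, then letters/digits/dashes, 63 chars at most.
PART_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")


def valid_part(part: str) -> bool:
    """A single dot-delimited part: 1..63 chars, letters/digits/dash,
    starts with a letter, does not end with a dash."""
    return bool(PART_RE.match(part)) and not part.endswith("-")


def classify(cn: str) -> str:
    """Return 'master', 'cloud', 'client', 'sysop' or 'invalid' for a name."""
    parts = cn.split(".")           # empty parts ("a..b") fail valid_part
    if not all(valid_part(p) for p in parts):
        return "invalid"
    if parts[-2:] != ["arrowhead", "eu"]:
        return "invalid"            # every level ends with arrowhead.eu
    if len(parts) == 2:
        return "master"             # arrowhead.eu
    if len(parts) == 4:
        return "cloud"              # my-cloud.my-company.arrowhead.eu
    if len(parts) == 5:
        # sysop.<cloud name> is the special System Operator client certificate
        return "sysop" if parts[0] == "sysop" else "client"
    return "invalid"


def issued_by_cloud(client_cn: str, cloud_cn: str) -> bool:
    """Assumption (from the example names): a client name must be exactly
    <client>.<full cloud name>, so a mismatch means the wrong cloud."""
    if classify(client_cn) not in ("client", "sysop"):
        return False
    if classify(cloud_cn) != "cloud":
        return False
    return client_cn.split(".", 1)[1] == cloud_cn
```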

The trust chain is created by issuing the cloud certificate from the master certificate and the client certificate from the cloud certificate. In other words, the cloud certificate is signed by the master certificate's private key and the client certificate is signed by the cloud certificate's private key, which makes the whole chain trustworthy.

The Key-Store

The Key-Store is intended to store certificates and/or key-pair certificates. Key-pair certificates contain the certificate chain together with some additional data, such as the private and public keys, which are necessary for secure operation. Certificates located in this store (without the keys) will be attached to outgoing HTTPS requests. Arrowhead Framework is designed to handle the p12 type of Key-Store.

(Note: When you create a new key-pair certificate, the key password and the key-store password must be the same.)

The Trust-Store

The Trust-Store contains the certificates that the web server considers trusted. Arrowhead Framework is designed to handle the p12 type of Trust-Store. Typically your Trust-Store should contain only the cloud certificate, which ensures that only those incoming HTTPS requests that have this certificate within their certificate chain are authorized to access the server.

System Operator Certificate

The System Operator Certificate is a special client certificate with the naming convention sysop.my-cloud.my-company.arrowhead.eu. The SysOp certificate allows the client to use the management endpoints of the Arrowhead Core Systems. A typical use of the SysOp certificate is by front-end applications running in a web browser (for example, if you want to access the Swagger UI or use the Management Tool in secure mode).
