Certificates and keys
Definitions
This document mentions several public and private keys that are relevant for the agrirouter. The following table gives an overview of the different keys and certificates and their usage:
Name | Description | Usage |
---|---|---|
agrirouter public key | A certificate to prove the identity of the agrirouter. Only the public key is available to developers. | Verify the signature in the authentication process |
Application Key Pair | The key pair that can be provided to or created by the agrirouter when creating a new software. | Create the signature for the onboarding process |
Endpoint Certificate | The certificate of an endpoint, used for the encrypted communication with the agrirouter | Standard communication in REST or MQTT; "Everything after onboarding" |
agrirouter public keys
These are the public keys used by the agrirouter. They are required, for example, to verify redirect messages from the agrirouter in the authorization process.
Area | Environment | Public Key |
---|---|---|
EU | agrirouter 2.0 QA | |
EU | Quality Assurance "QA" | |
EU | Production | |
Application keys
The keys of the application can be found in the endpoint software overview by selecting an application and clicking on edit.
Only the public key is stored in the agrirouter; your app has to store the private key in a secure way.
Endpoint certificate
The endpoint certificate is used to encrypt the communication with the agrirouter. It is delivered with the onboarding request.
```json
{
  "deviceAlternateId": "6f1d952b-538e-4269-94b7-02bf51e83413",
  "capabilityAlternateId": "81ce3fd5-2f70-4270-ad15-1689ab6971bf",
  "sensorAlternateId": "aed40673-8e32-4f10-8cc8-3db2b58ed1bd",
  "connectionCriteria": {
    "gatewayId": "3",
    "measures": "https://dke-qa.eu1.cp.iot.sap/iot/gateway/rest/measures/6f1d952b-538e-4269-94b7-02bf51e83413",
    "commands": "https://dke-qa.eu1.cp.iot.sap/iot/gateway/rest/commands/6f1d952b-538e-4269-94b7-02bf51e83413"
  },
  "authentication": {
    "type": "PEM",
    "secret": "yY2uU1vV8aA1yY8uU1vV1cC",
    "certificate": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE6zAdBgoqhkiG9w0BDA\nVD8E3qSEsvWS1Z93XPji\n-----END ENCRYPTED PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIOAIjM.....sV4DpbNKJlHut6OOOkzGCI+gsE=\n-----END CERTIFICATE-----\n"
  }
}
```
The certificate you receive during onboarding is valid for a certain period. This period is currently 10 years (up until July 2022, it was 1 year). After that, you have to perform a re-onboarding. Be aware that this will require user interaction. If you are using MQTT Router Devices, you only have to renew the Router Devices' certificates centrally, because the endpoints' certificates are not used in that case.
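The `authentication.certificate` field in the onboarding JSON above carries two PEM blocks in one string: the encrypted private key and the certificate, with `secret` as the passphrase for the key. The following is an added example, not agrirouter code, of splitting that bundle and storing the parts with owner-only file permissions. The function names, the file names and the use as a TLS client certificate are assumptions, and the sample input is constructed.

```python
import os
import re
import ssl

# One PEM block; group 1 is the label, e.g. "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n?", re.DOTALL)

def split_pem_bundle(onboarding):
    """Split authentication.certificate into its key and certificate blocks."""
    auth = onboarding["authentication"]
    if auth.get("type") != "PEM":
        raise ValueError("unsupported authentication type: %r" % auth.get("type"))
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(auth["certificate"])]
    # Expect exactly one encrypted key and one certificate, as in the JSON above.
    if sorted(label for label, _ in blocks) != ["CERTIFICATE", "ENCRYPTED PRIVATE KEY"]:
        raise ValueError("unexpected PEM blocks: %r" % [label for label, _ in blocks])
    return dict(blocks)

def write_private(path, text):
    """Create the file owner-only (0600) from the start and refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def store_credentials(onboarding, directory):
    """Write key and certificate to separate files; return (cert_path, key_path).
    The passphrase ("secret") is not written next to the key: keep it in a secret store."""
    blocks = split_pem_bundle(onboarding)
    cert_path = os.path.join(directory, "endpoint.cert.pem")  # hypothetical file names
    key_path = os.path.join(directory, "endpoint.key.pem")
    write_private(key_path, blocks["ENCRYPTED PRIVATE KEY"])
    write_private(cert_path, blocks["CERTIFICATE"])
    return cert_path, key_path

def client_tls_context(cert_path, key_path, secret):
    """Assumption: the endpoint certificate is presented as a TLS client certificate."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_path, keyfile=key_path, password=secret)
    return ctx

# Constructed sample with placeholder base64 bodies (not real key material).
SAMPLE_ONBOARDING = {
    "authentication": {
        "type": "PEM",
        "secret": "constructed-passphrase",
        "certificate": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUFBQQ==\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n"
                       "-----BEGIN CERTIFICATE-----\nQkJCQg==\n-----END CERTIFICATE-----\n",
    }
}
```

`client_tls_context` needs a real key and certificate, so call it with the files written from an actual onboarding result rather than the constructed sample.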