Import root certificate to IED Trust Store

The Industrial Edge Management (IEM) supports certificates signed by private Certificate Authorities (CAs). To establish secure communication and a chain of trust, the private root certificate must be imported into the trust store of the Industrial Edge Device (IED).

During the onboarding process, this is handled automatically through the configuration file. However, if the root certificate changes after onboarding, it must be manually updated via the IED UI.

Certificate Chain

All intermediate certificates that are not included in the API gateway of the IEM must be provided as part of a certificate chain, in addition to the private root certificate.

Prepare the root certificate

To manually update the trust store, you need to prepare a JSON document that contains the root certificate for the Portal Endpoint and the Registry Endpoint (used in legacy IEM OS versions). Each chain must include the root certificate in PEM format, base64-encoded.

This JSON document can be manually prepared, or downloaded from the IEM:

  1. Log into the Industrial Edge Management

  2. In the Edge Management navigate to Edge Devices

  3. Select an Industrial Edge Device and navigate to Settings > Certificate

  4. Click on Download CA (JSON) to download the current certificate chain of the IEM as a JSON document

  1. Log into the Industrial Edge Management

  2. In the Edge Management navigate to Edge Devices

  3. Select an Industrial Edge Device

  4. Click on IEM CA Certificates to download the current certificate chain of the IEM as a JSON document

Create a JSON file with the following structure:

{
  "portal_chain": "<base64-encoded PEM certificate chain for portal endpoint>",
  "registry_chain": "<base64-encoded PEM certificate chain for registry endpoint>"
}

Provide the base64-encoded PEM certificates as the values. To obtain the base64-encoded certificate, the following command can be used:

base64 -i <my-root-ca>.pem
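
One way to build and check this JSON document before importing it, as an added example that is not Siemens' own tooling: it encodes each PEM bundle as a single unwrapped base64 line (JSON strings cannot hold the raw line breaks that GNU `base64` inserts every 76 characters by default) and lists the SHA-256 fingerprint of every certificate the document would add to the trust store, so it can be compared with the fingerprint your CA publishes. The function names and the stand-in DER blobs are constructed for illustration; only the `portal_chain` and `registry_chain` keys come from this page.

```python
import base64, hashlib, json, re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def constructed_pem(der):
    """Wrap bytes in PEM armor (used here only to build stand-in sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block in a PEM bundle."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
            raise ValueError("PEM block does not contain DER data")
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no CERTIFICATE block found")
    return prints

def build_trust_store_json(portal_pem, registry_pem):
    """Return the import document; each value is one unwrapped base64 line."""
    doc = {}
    for key, pem in (("portal_chain", portal_pem), ("registry_chain", registry_pem)):
        pem_fingerprints(pem)  # refuse input that is not a PEM certificate bundle
        doc[key] = base64.b64encode(pem.encode("ascii")).decode("ascii")
    return json.dumps(doc, indent=2)

def inspect_trust_store_json(text):
    """Decode a prepared or downloaded document and fingerprint what it would trust."""
    doc = json.loads(text)  # fails on raw line breaks inside a value
    return {key: pem_fingerprints(base64.b64decode(doc[key], validate=True).decode("ascii"))
            for key in ("portal_chain", "registry_chain")}

if __name__ == "__main__":
    # Constructed stand-ins, not real certificates: minimal DER SEQUENCEs.
    root = constructed_pem(b"\x30\x03\x02\x01\x01")
    intermediate = constructed_pem(b"\x30\x03\x02\x01\x02")
    document = build_trust_store_json(intermediate + root, root)
    print(document)
    for key, prints in inspect_trust_store_json(document).items():
        print(key, len(prints), "certificate(s):", *prints)
```

Run `inspect_trust_store_json` on the file downloaded from the IEM as well: an unexpected certificate count or fingerprint is a reason to stop before importing.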

Update the trust store of the IED

  1. Log into the Industrial Edge Device

  2. Navigate to Settings > System

  3. Select Import Certificates to IED Trust Store

  4. Browse and select the prepared JSON file

  5. Click Import
    This updates the IED’s private CA store so that it trusts the provided private root certificates.

NOTICE

The public CA store of the IED will be updated during a firmware update of the device. For more information on certificate management refer to Certificates in Industrial Edge.