IEM Certificate Overview
The Industrial Edge Management (IEM) runs a gateway that provides UI and API endpoints for device and user communication (via browser). To establish secure communication, a chain of trust must be configured. This usually involves updating the client's certificate store (whether on a PC, browser, or device) with the root certificate employed by the IEM.
To avoid manual steps of importing certificates and to simplify trust management, it is recommended to use IEM certificates signed by either:
- Public Certificate Authority (CA)
- Private Enterprise Certificate Authority (CA)
The exact details of how certificates are managed with the IEM vary depending on the offering, as explained below:
NOTICE
For more information refer to Certificates in Industrial Edge.
Managing the Gateway Certificate of an IEM
With IEM Pro there are many gateway deployment options, but in the end it comes down to whether the TLS traffic should be terminated at the gateway or at a Kubernetes Ingress. For both approaches a Kubernetes TLS Secret containing the server certificate and private key should be created:
kubectl -n <namespace> create secret tls <kongcert> --cert=<certificate.crt> --key=<privatekey.key>
When setting up TLS termination at the ingress, this secret has to be provided to the ingress, as shown in the example in Terminating TLS through Ingress Controller. If TLS should be terminated at the gateway, e.g. if no ingress is used or the ingress has TLS passthrough configured, the secret has to be provided to the gateway using the following parameters during install / upgrade:
--set kong.env.SSL_CERT=/etc/secrets/<kongcert>/tls.crt
--set kong.env.SSL_CERT_KEY=/etc/secrets/<kongcert>/tls.key
--set kong.secretVolumes.kong-proxy-tls=<kongcert>
NOTICE
Check out IE Gateway and TLS Certificates for more information.
The server certificate and private key of the IEM Virtual are set during the provisioning of the IEM Virtual or during a certificate update in the Service and Maintenance UI.
Certificate Chain
In addition to the server certificate, the IEM Virtual requires the full certificate chain, consisting of the root certificate, any intermediate certificates and the IEM server certificate.
The IEM Cloud is offered as a fully managed service provided by Siemens. Because the IEM Cloud uses publicly trusted certificates, any client should trust them by default.
Managing the Certificate Trust Store of IEDs
As shown in IP protocols and ports, an Industrial Edge Device (IED) has to establish a trusted connection to its IEM using certificates. If the server certificate of the IEM is a publicly trusted certificate, the IED establishes a trusted connection to the IEM by default. In all other cases, where a Private Enterprise CA is used, the root certificate would have to be imported into the IED's local trust store during the onboarding process. To avoid manually importing the root certificate on every IED and to simplify trust management, the root certificate of the IEM has to be provided to the IEM.
Certificate Chain
All intermediate certificates which are not included in the API gateway of the IEM have to be provided, in addition to the private root certificate, as part of a certificate chain.
As explained, it is mandatory to provide the root certificate of the IEM's server certificate to the IEM (in the case of a private root certificate). For an IEM Pro this can be done by adding the following flag to the installation / upgrade command:
--set global.certChain="$(cat </path/to/rootCert.crt> | base64 -w 0)"
NOTICE
Check out Import Private root certificate to IEM for more information.
As explained in Managing the Gateway Certificate of an IEM, the root certificate has to be provided to the IEM Virtual as part of the full certificate chain, consisting of the root certificate, any intermediate certificates and the IEM server certificate. This is done at the provisioning of the IEM Virtual or during a certificate update in the Service and Maintenance UI.
The IEM Cloud is offered as a fully managed service provided by Siemens. Because the IEM Cloud uses publicly trusted certificates, they are automatically trusted by the IEDs.
NOTICE
Check out Establish trust from the IED to the IEM for more details on how the local trust store of an IED is managed after the initial onboarding.