Trusted Certificate is Expired

Product/components used and version/fix level:

Detailed explanation of the problem:

Trusted certificate is expired. How to renew the certificate? Please provide the easy and quick steps to fix soon.

Error messages / full error message screenshot / log file:

Question related to a free trial, or to a production (customer) instance?

If you’re using a self-signed certificate (e.g. one created via c8y cert create), then you can renew it using the following.

Assuming you’re using thin-edge.io >= 1.0.0, then you can use the tedge cert renew command:

tedge cert renew
tedge cert upload c8y --user myuser@example.com
tedge reconnect c8y

The above commands do the following:

  1. Regenerate the local device certificate (reusing the Common Name in the existing expired certificate)
  2. Uploads the local device certificate to Cumulocity IoT as a Trusted Certificate (your user will require the “Tenant Manager” role, otherwise you will get a 403 error).
  3. Proactively restarts the required thin-edge.io components (including mosquitto)…technically speaking you could probably just restart mosquitto, though it won’t proactively test your device’s new certificate.

Afterwards, you can delete the expired certificate from the Trusted Certificates section in Cumulocity IoT.

In production, it is still advised to use a PKI (Public Key Infrastructure) to issue certificates, and to have a local service which proactively checks the local device certificate expiration, and renews it via your PKI.

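As an added example (not part of the original reply and not thin-edge.io project code), the proactive expiry check mentioned above could be a small script run from cron or a systemd timer. The certificate path default, `RENEW_DAYS`, `C8Y_USER` and the `--run` switch are assumptions of this sketch; the three `tedge` commands are the ones from the reply.

```shell
#!/bin/sh
# Added example: check a thin-edge.io device certificate and renew it early.
# Assumptions: CERT_PATH default, RENEW_DAYS and C8Y_USER are illustrative names.
CERT_PATH="${CERT_PATH:-/etc/tedge/device-certs/tedge-certificate.pem}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# cert_status FILE DAYS
# Prints one of: missing | invalid | renew | ok
cert_status() {
    cert="$1"
    days="$2"
    [ -r "$cert" ] || { echo "missing"; return 0; }
    # Reject files that do not parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "invalid"; return 0; }
    # -checkend N succeeds only if the certificate is still valid in N seconds,
    # so an already expired certificate also lands in "renew".
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "renew"
    fi
}

# Runs the three commands from the reply above when renewal is due.
renew_if_due() {
    status=$(cert_status "$CERT_PATH" "$RENEW_DAYS")
    case "$status" in
        ok)
            echo "certificate valid for more than $RENEW_DAYS days"
            ;;
        renew)
            echo "certificate expires within $RENEW_DAYS days, renewing"
            tedge cert renew &&
                tedge cert upload c8y --user "${C8Y_USER:?set C8Y_USER}" &&
                tedge reconnect c8y
            ;;
        *)
            echo "cannot read certificate at $CERT_PATH ($status)" >&2
            return 1
            ;;
    esac
}

# Only act when asked to, so the file can also be sourced for cert_status.
if [ "${1:-}" = "--run" ]; then
    renew_if_due
fi
```

With a PKI, the `renew` branch would call your PKI's enrollment client instead of the self-signed commands.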

Is there any other way? The above comment throws the error “Failed to renew self signed certificate”

Can you please provide the full output as that would provide more context on the error (please use a code block to post the response).

But at a guess, maybe you need to run it using sudo. For example, if you have sudo on your system (usually installed by default on most Linux OSes), then you can add sudo to each of the above commands to give you the correct permissions:

sudo tedge cert renew
sudo tedge cert upload c8y --user myuser@example.com
sudo tedge reconnect c8y


When I renew the certificate, both the old and recent versions show up in the trusted certificate list. Is that okay? Will it still work?

With self-signed certificates, the certificate always has to be uploaded to Cumulocity IoT, so it always adds a certificate (it never replaces the existing certificate). But this is ok. Just delete the expired certificate from Cumulocity IoT using the UI.

In production, generally you will want to use a PKI (Public Key Infrastructure) to issue device certificates. In that case, the individual certificates don’t need to be uploaded to Cumulocity IoT, only the intermediate certificate needs to be added to Cumulocity IoT…but PKIs can be a bit overwhelming if you haven’t previously worked with them and don’t know all of the certificate terminology etc. (though there is plenty of information online about PKIs and certificates etc).