In the case of devices that make use of limited hardware to store and manage certificates, the CA certificate can be downloaded directly from one of the following URLs.
AWS
Environment Type | Region | Certificate URL |
---|---|---|
Sandbox | Europe (Ireland) | http://api.servitly-sandbox.com/ca.crt |
Production | Europe (Ireland) | http://api.servitly.com/ca.crt |
Production | Asia/Pacific (Hong Kong) | http://api-ap.servitly.com/ca.crt |
AZURE
Environment Type | Region | Certificate URL |
---|---|---|
Develop | Europe (Frankfurt) | http://azapi.servitly-dev.com/ca.crt |
Staging | Europe (Frankfurt) | http://azapi.servitly-staging.com/ca.crt |
Production | Europe (Frankfurt) | http://azapi.servitly.com/ca.crt |
For more details on the types of environments, see this article.
SSL certificates are based on a chain of three levels: the root CA certificate, which is generally embedded in the OS, and an intermediate CA certificate and an end-entity certificate, both provided by the server. The Servitly end-entity certificate has a limited validity period and is renewed periodically (every three months). CA certificates, by contrast, may have a longer duration, up to 15 years. However, for unpredictable reasons, certificate authorities may decide to change the root chain at short notice, or Servitly may decide to use a different CA altogether; if this happens, certificates are renewed.
Note that CA certificates MUST NOT BE STORED within the device without a way to update them remotely.
Consider the scenario where you have decided to hard-code the CA certificate within the devices you sell. If the CA certificate is then updated, the connection to Servitly (MQTT, API, or any other supported protocol) will no longer be possible, and the device will need a firmware update to keep working. If the device supports the Servitly built-in firmware update feature (which is based on MQTT messages exchanged between the broker and the client), it will not be possible to perform any updates once the certificate has been updated. To resolve this problem, you must therefore perform the update in an alternative way (USB, Wi-Fi, Bluetooth, or others). Consider that your devices may be turned off at the time of the certificate change, so even a preventive remote update is not always possible.

Moreover, if you're planning to use a custom domain in the future, your firmware should also be able to handle the domain change in order to keep validating the hostname the device is connecting to.

To cope with the certificate update, you can use one of the above URLs to download the up-to-date CA certificate. This can be done when the device powers up, when a connection error occurs, or periodically.
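
One way a device-side agent could implement the refresh described above, as an added example that is not Servitly's own code: it downloads `ca.crt`, rejects anything that is not a well-formed PEM certificate, and swaps the stored file atomically so a failed download never removes a working CA file. It assumes the file is PEM-encoded; `refresh_ca`, `bundle_fingerprint` and `http_fetch` are hypothetical names, and the check is structural only, so it does not authenticate the plain-HTTP download.

```python
import hashlib
import os
import re
import shutil
import ssl
import tempfile
import urllib.request

CA_URL = "http://api.servitly.com/ca.crt"  # Production, Europe (Ireland) row above
# Assumption: ca.crt holds one or more PEM-encoded certificates.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def http_fetch(url, limit=64 * 1024):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read(limit)  # bounded read: a CA file is only a few KB

def bundle_fingerprint(data):
    """SHA-256 over the DER bodies; ValueError if data is not PEM certificates."""
    blocks = PEM_RE.findall(data)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    digest = hashlib.sha256()
    for block in blocks:
        der = ssl.PEM_cert_to_DER_cert(block.decode("ascii"))
        if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("PEM block does not hold DER data")
        digest.update(der)
    return digest.hexdigest()

def refresh_ca(ca_path, fetch=http_fetch, url=CA_URL):
    """Return 'updated', 'unchanged' or 'kept-old'; ca_path is never left broken."""
    try:
        data = fetch(url)
        new_fp = bundle_fingerprint(data)
    except (OSError, ValueError):
        return "kept-old"  # offline, captive-portal HTML, truncated body, ...
    try:
        with open(ca_path, "rb") as f:
            if bundle_fingerprint(f.read()) == new_fp:
                return "unchanged"
        shutil.copyfile(ca_path, ca_path + ".prev")  # roll-back copy
    except (OSError, ValueError):
        pass  # no usable stored copy yet
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(ca_path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, ca_path)  # atomic rename within the same directory
    return "updated"
```

Call `refresh_ca` at power-up, after a TLS connection error, and on a timer; the `fetch` parameter lets the same logic be exercised offline or wired to the device's own HTTP client.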