Onboard a generic IoT device with certificates

In this topic, you will learn how to onboard generic IoT devices using certificates to a network managed by Portnox™ Cloud.

These generic instructions apply in the following scenario:

  • You have an IoT device that you want to connect to your Wi-Fi or wired network managed by Portnox Cloud. This could be a printer, a scanner, a camera, or any other similar device.
  • The IoT device supports certificate-based 802.1X (RADIUS) network authentication (EAP-TLS).
  • The IoT device’s web interface lets you upload a certificate with a private key in one of the standard formats such as PKCS#12.
  • The IoT device does not support SCEP, and therefore cannot request the certificate directly.

To make it possible for you to request certificates for your IoT devices and then upload these certificates to the IoT devices, you must first do the following:

  • Make individual accounts in your authentication repository (for example, Microsoft Azure/Entra ID or Google Workspace) for your IoT devices, or create a single account that represents a group of IoT devices. For instance, you can create accounts like camera957@vorlon.com and camera958@vorlon.com, or you can opt for accounts like cameras@vorlon.com or printers@vorlon.com. If you create individual accounts, you’ll have more control over the devices, but it means more effort to request all the certificates.

  • Generate temporary passwords for these accounts and enable the option in your authentication repository that allows you to log in using these accounts as a user. This is a temporary step, only required for requesting the certificates.

  • For each account you’ve created, follow the steps below to request the certificates, and follow the instructions provided by your IoT device manufacturer for uploading and configuring authentication certificates in the device.

  • Once you’ve requested, uploaded, and tested the certificate for a specific device or group of devices, disable user login for that account to enhance its security. No one will be able to log in as the IoT device, but the certificate will still permit the device to access the network, and it will be recognized using the account you created.

Generate the user certificate for the IoT device

In this section, you will generate the certificate for the IoT device using the self-onboarding portal, and download it to your Windows computer.

Important: In the following steps, log in using the user account that you created for the IoT device or group of devices, not your own user account.
  1. Enter the URL of the self-onboarding portal in your browser.

    To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.

  2. In Step 1, select the third option: CLEAR account certificate management and click on the Next button.

  3. In Step 2, you can select the Corporate email address option or the Corporate username and password option. Select the Corporate email address option if Portnox Cloud manages your user repository. Select the Corporate username and password option if you have integrated Cloud with an external repository. Proceed with the following steps depending on your choice.
  4. If you have chosen Corporate email address:
    Important: Only choose the Corporate email address option if Portnox Cloud manages your user repository. Cloud manages the user repository if it’s not integrated with any external repositories such as Microsoft Azure (Entra ID), Google Workspace, or Okta Workforce Identity.
    1. In the Email field, enter your corporate email address and click on the SIGN IN button.

      If you activate the Automatically generate secure password and send me by email checkbox, you will receive a separate email with a Portnox Cloud password. If so, you should use this password in the next steps.

    2. Open your email client and find the email received from Portnox Cloud containing a one-time activation code. Copy this code to the clipboard.

      If you activated the Automatically generate secure password and send me by email checkbox in the previous step, do not confuse the password email with the code email. They are two separate emails.

    3. In the self-onboarding portal, paste the code in the Activation code field and click on the CONFIRM button.

  5. If you have chosen Corporate username and password:
    1. Click on the tile that represents the authentication repository you want to use to sign in. If you want to use Okta Workforce Identity, enter your Okta login and password and click on the SIGN IN button.

      Note: Options depend on the repositories integrated with Portnox Cloud: Microsoft Azure (Entra ID), Google Workspace, and/or Okta Workforce Identity.
    2. Complete the steps needed to sign in. These steps depend on the chosen authentication repository.
  6. Click on the OBTAIN CERTIFICATE button to download the user certificate generated for your device.

    Note: If you want to replace a certificate you created earlier, for example, because the old one expires soon, click on the REISSUE CERTIFICATE button instead.

Optional: Add a password to the certificate’s private key

In this section, you will temporarily import the downloaded certificate and then export it again, adding a password to the private key.

By default, private keys generated by Portnox Cloud and included with certificates have empty passwords. However, some IoT devices do not accept an empty password for the private key, so you need to add a password to the private key to use the certificate with your IoT device. Only follow the instructions in this section if you found out that you cannot upload the certificate’s private key to the IoT device because it has an empty password.

  1. Import the downloaded certificate.
    1. Double-click on the downloaded certificate file to temporarily install the certificate in your Windows certificate store.

      To export the private key from the certificate, you must first install it, marking the private key as exportable. You cannot export the private key directly from the downloaded certificate without installing it.

    2. In the first step of the Certificate Import Wizard, click on the Next button.

      In this step, you select the user certificate store by default. Note that you will delete the certificate after you add the password to the private key, so the selected certificate store is not important.

    3. In the second step of the Certificate Import Wizard, click on the Next button.

    4. In the third step of the Certificate Import Wizard, leave the Password field empty, activate the Mark this key as exportable checkbox, and then click on the Next button.

      You must leave the password field empty because private keys included with Portnox Cloud certificates by default have empty passwords.

    5. In the fourth step of the Certificate Import Wizard, click on the Next button.

    6. In the fifth and final step of the Certificate Import Wizard, click on the Finish button.

  2. Export the certificate and the private key, adding a password to the private key.
    1. Open the Windows Certificate Manager by typing manage user certificates in the Windows search bar and clicking on the Manage user certificates icon.

    2. In the certmgr window, go to the Personal > Certificates folder and double-click on the certificate that you just imported.

    3. In the Certificate window, go to the Details tab, and click on the Copy to File button.

    4. In the first step of the Certificate Export Wizard, click on the Next button.

    5. In the second step of the Certificate Export Wizard, select the Yes, export the private key option, and then click on the Next button.

    6. In the third step of the Certificate Export Wizard, click on the Next button.

    7. In the fourth step of the Certificate Export Wizard, activate the Password checkbox and enter a password in the Password and Confirm password fields. Then, click on the Next button.

      You will use this password later when configuring the device.

    8. In the fifth step of the Certificate Export Wizard, specify the file name to save the exported certificate and private key. Then, click on the Next button.

      You can replace the previously imported file. The .pfx and .p12 extensions represent the same file format.

    9. In the last step of the Certificate Export Wizard, click on the Finish button.

  3. Delete the temporarily imported certificate from your certificate store.
    1. Select the certificate in your certificate store.

    2. Press the Delete key on your keyboard to delete the certificate and then click on the Yes button in the confirmation window.

Optional: Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal so that you can upload it to the IoT device.

Some IoT devices ask you to upload a root CA certificate when configuring 802.1X connections. This is necessary so that the IoT device can verify the authenticity of cloud RADIUS servers, which have certificates signed by this root CA certificate. Only do the steps in this section if your IoT device requires a root CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

    The active servers appear under the CLEAR RADIUS SERVICE heading and description along with advanced options.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

  5. Upload the root CA certificate to your IoT device.

    Follow the instructions from the IoT device’s manufacturer.