X.509 Certificates

X.509 is an ITU standard defining the format of public key certificates. Peridio leverages this standard for authenticating device certificates via mutual TLS and just-in-time provisioning devices based on the signing CA certificate.

Overview

X.509 certificates form the backbone of Peridio's security model, providing:

Strong cryptographic device identity
Mutual authentication between devices and cloud
Chain of trust validation
Non-repudiation of device actions

Certificate Components

Private and Public Keys

Every X.509 certificate contains a public key derived from a private key. Together, they form an asymmetric key pair used for:

Authentication - Proving identity
Encryption - Securing communications
Digital signatures - Ensuring integrity

Key Algorithms

Peridio supports multiple public key algorithms:

ECDSA (Recommended)

Smaller key sizes with equivalent security
Better performance on embedded devices
P-256, P-384, P-521 curves supported

RSA

Wide compatibility
2048-bit minimum, 4096-bit recommended
Higher computational overhead

EdDSA

Modern, efficient algorithm
Ed25519 curve support
Excellent performance characteristics

Certificate Types

Root Certificate Authority

A root CA is a self-signed certificate that:

Sits at the top of the trust chain
Signs intermediate CAs
Should be stored offline in production

Intermediate Certificate Authority

An intermediate CA:

Is signed by a root or another intermediate CA
Signs end-entity certificates
Provides operational flexibility

End-Entity Certificate

An end-entity certificate:

Is signed by a CA (root or intermediate)
Cannot sign other certificates
Used by devices for authentication

Certificate Structure

Distinguished Name (DN)

Identifies the certificate subject:

CN=device-123456              # Common Name
O=Example Corp                # Organization  
OU=Manufacturing             # Organizational Unit
C=US                         # Country
ST=California                # State
L=San Francisco              # Locality

Extensions

X.509v3 extensions provide additional functionality:

Key Usage - Defines permitted operations
Extended Key Usage - Specific application purposes
Subject Alternative Name - Additional identities
Basic Constraints - CA capabilities

Validity Period

Not Before - Activation timestamp
Not After - Expiration timestamp
Plan rotation before expiration

Working with Certificates

Generating Keys

ECDSA Key

openssl ecparam -genkey -name prime256v1 -out key.pem

RSA Key

openssl genrsa -out key.pem 4096

Creating Certificates

Certificate Signing Request

openssl req -new \
  -key key.pem \
  -out csr.pem \
  -subj "/CN=device-123/O=Example Corp"

Self-Signed Certificate

openssl req -x509 \
  -key key.pem \
  -out cert.pem \
  -days 365 \
  -subj "/CN=root-ca/O=Example Corp"

Inspecting Certificates

View Certificate Details

openssl x509 -in cert.pem -text -noout

Verify Certificate Chain

openssl verify -CAfile ca.pem cert.pem

Check Key Pair Match

openssl x509 -modulus -in cert.pem | openssl md5
openssl rsa -modulus -in key.pem | openssl md5

Certificate Chains

Chain Building

Certificates form chains from end-entity to root:

Device Certificate
    ↓ (signed by)
Intermediate CA
    ↓ (signed by)
Root CA (self-signed)

Chain Validation

Peridio validates:

Each signature in the chain
Certificate validity periods
Certificate constraints and extensions
Revocation status (if configured)

Security Best Practices

Key Protection

Store private keys securely (HSM/TPM preferred)
Never transmit private keys over network
Use strong key generation entropy
Implement key rotation strategies

Certificate Management

Monitor expiration dates proactively
Maintain certificate inventory
Document certificate purposes
Plan for emergency rotation

Operational Security

Separate CAs for production/development
Limit CA certificate lifetime
Use intermediate CAs for signing
Implement certificate pinning where appropriate

Common Operations

Convert Formats

PEM to DER

openssl x509 -in cert.pem -outform DER -out cert.der

DER to PEM

openssl x509 -in cert.der -inform DER -out cert.pem

Extract Information

Public Key

openssl x509 -in cert.pem -pubkey -noout

Subject

openssl x509 -in cert.pem -subject -noout

Fingerprint

openssl x509 -in cert.pem -fingerprint -sha256 -noout

Troubleshooting

Certificate Errors

Expired certificate - Check validity dates
Untrusted certificate - Verify CA is registered
Signature verification failed - Check certificate integrity
Wrong key usage - Verify certificate extensions

Chain Issues

Incomplete chain - Include all intermediate certificates
Wrong order - Order from end-entity to root
Missing CA - Ensure CA is uploaded to Peridio

Integration with Peridio

Device Authentication

Device presents certificate during TLS handshake
Peridio validates against registered CAs
Mutual TLS session established
Device authorized for operations

JITP Flow

Unknown device connects with valid certificate
Certificate chain validated against CA
Device automatically provisioned
Ready for management

Overview​

Certificate Components​

Private and Public Keys​

Key Algorithms​

ECDSA (Recommended)​

RSA​

EdDSA​

Certificate Types​

Root Certificate Authority​

Intermediate Certificate Authority​

End-Entity Certificate​

Certificate Structure​

Distinguished Name (DN)​

Extensions​

Validity Period​

Working with Certificates​

Generating Keys​

ECDSA Key​

RSA Key​

Creating Certificates​

Certificate Signing Request​

Self-Signed Certificate​

Inspecting Certificates​

View Certificate Details​

Verify Certificate Chain​

Check Key Pair Match​

Certificate Chains​

Chain Building​

Chain Validation​

Security Best Practices​

Key Protection​

Certificate Management​

Operational Security​

Common Operations​

Convert Formats​

PEM to DER​

DER to PEM​

Extract Information​

Public Key​

Subject​

Fingerprint​

Troubleshooting​

Certificate Errors​

Chain Issues​

Integration with Peridio​

Device Authentication​

JITP Flow​

Related Topics​