Client to Client communication using X509

Question

I'm creating a coap server with DTLS as security layer that will use digital certificates, x509. The Coap Server is a data bridge to a cloud server (CA) that uses x509 as authentication. I also have a device that directly connects to the Cloud server using the same authentication method. A couple of functions of the device, also needs to communicate with Coap server.

Thus the cloud server is the CA for issuing digital certificates both the device and the Coap data bridge.

I wanted to reuse the certificates (used to communicate to the Cloud Server) in device for connecting to the Coap server. Since the the device is a constraint thing, having multiple certificates are not advisable. Is this possible?

Answer 1

Yes, but there are some pitfalls:

RFC7252 - DTLS - x509

Implementations in Certificate Mode MUST support the mandatory-to- implement cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 as specified in [RFC7251], [RFC5246], and [RFC4492]. Namely, the certificate includes a SubjectPublicKeyInfo that indicates an algorithm of id-ecPublicKey with namedCurves secp256r1 [RFC5480]; the public key format is uncompressed [RFC5480]; the hash algorithm is SHA-256; if included, the key usage extension indicates digitalSignature. Certificates MUST be signed with ECDSA using secp256r1, and the signature MUST use SHA-256.

So, you either use ECDSA (ECC certificates, not RSA), or you need to check, if your server is able to handle it. For Eclipse/Californium the node's certificate must be ECDSA, the other certificates in the path may use other algorithms, if they are supported on your platform.

By the way, I'm not sure, if you really benefit from x509, but that depends on the platform your using on your devices.

Answer 2

X509 certificate and key could be used for several purposes. Examples include,

1. digital signature
2. key enciphering purposes
3. data enciphering purposes
4. key agreement
5. so on and so forth

More details could be found here

Now, as per to the description of your problem, you are inquiring whether to use the same certificate/key pairs for both to

• Authenticate against the cloud server
• Use it for communication ( Encipher/Decipher) purposes with the COAP server

Ofcourse you can use it as long as the (KeyUsage) extension specifies the intended use of the certificate. Refer link above for KeyUsage extensions in X509 certificates