
  • Enhancements

    • Removed cfssl and replaced it with x509. All certificate operations are now done in Erlang.
    • Added database for tracking all certificates that are signed by the CA.
    • Changed device certificate validity from 5 to 31 years.
  • Backwards incompatibilities

    • Removed endpoints
      • /certinfo - certificate information can be retrieved from x509 directly.
      • /create_device_certificate - call /sign_device_csr instead
      • /create_user_certificate - call /sign_user_csr instead


  • Enhancements
    • Added /sign_user_csr for signing user certificate signing requests.
    • Added /sign_device_csr for signing device certificate signing requests.


The certificate structure has changed. Prior to this version, all certificates were signed directly by the root certificate. This version generates a root certificate and several intermediate CA certificates used for signing user, device, server, and CA client certificates.

                   --------------
                  |   Root CA    |
                   --------------
                /         |        \
 --------------    --------------    --------------
| Intermediate |  | Intermediate |  | Intermediate |
|   User CA    |  |  Device CA   |  |  Server CA   |
 --------------    --------------    --------------
       |                  |                 |        \
 --------------    --------------    --------------    ---------------
|     User     |  |    Device    |  |    Server    |  |   CA Client   |
|  Certificate |  |  Certificate |  |  Certificate |  |  Certificate  |
 --------------    --------------    --------------    ---------------
  • Enhancements

    • Added mix task for generating initial certificate structure.
    • Start CFSSL processes configured for each certificate type.
  • Certificate Expirations

    • Root CA: 30 years
    • Intermediate CA: 10 years
    • Server certificate: 1 year
    • User certificate: 1 year
    • Device certificate: 5 years
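The two-tier layout above, together with the /sign_user_csr and /sign_device_csr endpoints added earlier, amounts to three pieces of server-side logic: issuing the root and per-class intermediates with the lifetimes listed, turning a CSR into a leaf certificate without trusting anything in the CSR except the public key and subject, and, on the relying-party side, checking that a presented certificate chains through the intermediate for its class rather than merely reaching the root. The following Go program is an added example written for this page; it is not code from nerves_hub_ca (which is Elixir and uses the x509 library), it uses Go's standard crypto/x509 instead, and every name in it (BuildPKI, NewDeviceCSR, SignDeviceCSR, VerifyIssuedBy, the "device-0001" subject, the in-memory serial counter standing in for the CA's certificate database) is an assumption made for illustration. It covers only the Root, User and Device CAs from the diagram; the Server CA is built the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Lifetimes listed in the changelog (device certificates were 5 years in this release).
const rootYears, intermediateYears, deviceYears = 30, 10, 5

var nextSerial int64 // assumed stand-in for the CA's database of issued serial numbers

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing crypto/rand is not recoverable here
	}
	return k
}

// issue signs tmpl for pub under parent (pass tmpl itself as parent for a self-signed root).
func issue(tmpl *x509.Certificate, pub interface{}, parent *x509.Certificate, signKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.BasicConstraintsValid = true // always encode CA:TRUE or CA:FALSE explicitly
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate builds a CA certificate; intermediates get pathlen:0 so they can only sign leaves.
func caTemplate(cn string, years int, intermediate bool) *x509.Certificate {
	return &x509.Certificate{
		Subject:        pkix.Name{CommonName: cn},
		NotAfter:       time.Now().AddDate(years, 0, 0),
		IsCA:           true,
		KeyUsage:       x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero: intermediate,
	}
}

type PKI struct {
	Root, UserCA, DeviceCA *x509.Certificate
	DeviceKey              *ecdsa.PrivateKey
}

// BuildPKI creates Root CA -> {Intermediate User CA, Intermediate Device CA}.
func BuildPKI() (*PKI, error) {
	rootKey, userKey, deviceKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate("Root CA", rootYears, false)
	root, err := issue(rootTmpl, &rootKey.PublicKey, rootTmpl, rootKey)
	if err != nil {
		return nil, err
	}
	userCA, err := issue(caTemplate("Intermediate User CA", intermediateYears, true), &userKey.PublicKey, root, rootKey)
	if err != nil {
		return nil, err
	}
	deviceCA, err := issue(caTemplate("Intermediate Device CA", intermediateYears, true), &deviceKey.PublicKey, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{root, userCA, deviceCA, deviceKey}, nil
}

// NewDeviceCSR is what a device would POST to /sign_device_csr; the private key stays on the device.
func NewDeviceCSR(deviceID string) ([]byte, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}
	return x509.CreateCertificateRequest(rand.Reader, req, mustKey())
}

// SignDeviceCSR plays the Device CA: check proof of possession, then build the leaf from CA
// policy. Only the CN and public key come from the CSR; extensions the requester asked for
// (a CA:TRUE basicConstraints, say) are never copied into the certificate.
func SignDeviceCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: csr.Subject.CommonName},
		NotAfter:    time.Now().AddDate(deviceYears, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, csr.PublicKey, ca, caKey)
}

// VerifyIssuedBy is the check a device-facing endpoint should make: the chain must reach
// the root AND run through the expected intermediate, or a user certificate would pass too.
func VerifyIssuedBy(leaf, root, want *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	if len(chains[0]) < 2 || !chains[0][1].Equal(want) {
		return errors.New("certificate was not issued by the expected intermediate CA")
	}
	return nil
}
```

Two points in this example matter more than the rest. SignDeviceCSR builds the leaf template itself and takes nothing from the CSR but the subject CN and the key, so a client cannot smuggle in a CA flag, a long validity or a server EKU; and VerifyIssuedBy pins the issuing intermediate, because in a TLS handshake the peer supplies its own intermediate and a check that only asks "does this reach our root?" would accept a user certificate on the device endpoint (that is exactly what the single-root layout before this version could not distinguish).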


  • Enhancements
    • Added a /health_check route that returns 200.

    • Removed setting the docker ENTRYPOINT in the image.

      This makes it easier to build a container for use in dev and test. You can bind mount a directory containing your cfssl configs and certificates.

      docker run --rm \
        --mount type=bind,src=`pwd`/test/fixtures/ssl,dst=/etc/cfssl \
        -p 8443:8443 \

      When running in production, set the entrypoint to a script that syncs the certificate data, for example from S3:

      docker run --rm \
        --entrypoint=/app/ \
        -p 8443:8443 \


Initial Release.

nerves_hub_ca is released as a Docker image pushed to Docker Hub. The ENTRYPOINT of the container is configured to execute an included script which performs an aws s3 sync of the production certificates.

If you are using this image privately, you can either specify your own bucket and AWS credentials when running the container (the values below are placeholders; note that variables passed with -e are visible to anyone who can run docker inspect on the host, so prefer an instance role or a secrets mechanism where one is available):

docker run --rm --name nerves-hub-ca \
  -e "S3_BUCKET=my-bucket" \
  -e "AWS_DEFAULT_REGION=us-east-1" \
  -e "AWS_ACCESS_KEY_ID=12345" \
  -e "AWS_SECRET_ACCESS_KEY=67890" \
  -p 8443:8443 \

Or you can override the ENTRYPOINT by basing a new image off nerveshub/nerves_hub_ca:0.1.0

FROM nerveshub/nerves_hub_ca:0.1.0