When I have, say, 20 devices all talking to this database, they all need
their own certificates correct? (As using one certificate for all is bad
for security).
Correct. You could put the same certificate on every client, but if one
client gets compromised and you need to revoke that certificate, you then have
to create and install a new one on all the other 19 (as well as sorting out
whatever happened to the 20th).
Does this mean I need to register 20 certificates with Influx?
No. (Well, not if Influx works the same as every other TLS-capable
application I’ve ever come across - I’ve not actually done secure remote
connectivity to Influx myself.)
Influx just needs the CA certificate.
I started reading about CA certs and this seems to be what I am after, but
I can’t quite make sense of it. A brief explanation would be a godsend.
When you start creating certificates, the first thing you do is to create a CA
certificate, and you then use that to sign all your client certificates that you
create afterwards (note - be sure to create the CA certificate with a longer
expiry date than the client certificates, so that you still have a valid CA
certificate to sign the renewed client certificates with when the time comes).
Anything (in this case Influx) which then wants to validate any of those client
certificates can then do it in one of two ways:
a) make sure it’s a trusted certificate, but knowing what that certificate
should be. This means knowing about every individual client certificate.
b) make sure the certificate is signed by a trusted CA (in this case, your
own). This means knowing about the CA, but not about every individual client.
So, essentially you configure Influx to trust any client which presents a
certificate which is signed by your CA, without caring about the details of
that client.
If one client gets compromised, you can then put its certificate onto a CRL
(Certificate Revocation List), and Influx will continue to trust anything else
signed by your CA, but not that one.
I’ll leave it to someone else who has already done this with Influx to explain
where the specifics of such a configuration need to be set up, but I hope that
helps you understand the “chain of trust” a bit better.
Antony.