Which server CA to use for device fleet management?

Çağlar Arlı

(I likely didn't use the correct keywords, but I was not able to find complete information about the question below.)

Working on an IoT device capable of connecting to our own server using MQTT and HTTPS connections, both utilizing a TLS handshake. We want to make sure that only our devices can connect to our server. The procedure we are thinking of:

  • Each device will have its own public/private key pair, or better, a certificate + associated private key, stored encrypted on the device (or on an external EAL5+ certified chip, this is TBC). The certificate is to be signed by the server certificate (Q1) and will contain the device UUID, which will also be stored in the server's database. The client will share its certificate with the server + a response to the challenge, and both will be checked by the server for validity. This is how the server will authenticate the IoT device.

  • Each device must have the server certificate; this is required for mutual authentication. We also want to authenticate the server. The same certificate should also be used to verify new firmware update authenticity (digital signature).

As simple as it gets, we are wondering how to handle certificate updates, if this would ever be needed, due to a potential data leak on the server (we are not worried about the client due to the EAL5+ certified device).

Should each device store the server's ROOTCA and rely on the server providing the full chain of certificates (with ROOTCA as a potential exception) during the TLS handshake, or do we need to store some intermediate certificates?
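
The trust model the question asks about, as an added example that is not part of the original post: a device that holds only the root CA checks a server chain supplied in the handshake, before and after the intermediate is replaced. It uses the `openssl` CLI; the CA names (`root`, `int1`, `int2`), subjects and files are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. Throwaway PKI: every name, subject and file is an assumption.
set -eu
cd "$(mktemp -d)"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = critical,CA:FALSE
EOF

# issue NAME EXT_SECTION [ISSUER]: new P-256 key + certificate named NAME.
# Without ISSUER the certificate is self-signed (used for the root only).
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -config pki.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
  fi
}

# device_verify LEAF [CHAIN]: the device-side check. root.crt is the only CA
# file it is given; CHAIN is whatever the server sent and is treated as untrusted.
device_verify() {
  openssl verify -CAfile root.crt ${2:+-untrusted "$2"} "$1" >/dev/null 2>&1
}

issue root ca                  # provisioned on every device
issue int1 ca root             # issuing CA on the server side
issue server leaf int1         # TLS server certificate

# Rotation after a suspected server-side leak: root.crt on devices is untouched.
issue int2 ca root
issue server2 leaf int2

check() { if device_verify "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
check server.crt int1.crt      # server sent its intermediate
check server.crt               # leaf alone, no intermediate sent
check server2.crt int2.crt     # rotated chain, same root on the device
check server2.crt int1.crt     # wrong intermediate presented
```

The `int1` chain still verifies after the rotation; retiring it takes revocation checking or short validity periods, which this sketch does not cover.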