Hi,
We are designing a device authorization model for our IoT fleet using mTLS with Mender Gateway (Enterprise). We want to implement a two-level CA hierarchy:
Root CA (stored in HSM, long-lived)
└── Intermediate CA (couple of years validity)
    └── Device Certificates (signed by Intermediate CA)
The goal is to:
- Keep the Root CA secure and rarely used (only to sign Intermediate CAs)
- Use the Intermediate CA to sign device certificates
- Enable Intermediate CA rotation without reconfiguring Mender Gateway
- Allow recovery from Intermediate CA compromise without full PKI rebuild
Our question:
Does Mender Gateway support validating a certificate chain where the device certificate is signed by an Intermediate CA, which is itself signed by the Root CA?
Specifically:
- If we configure MTLS_CA_CERTIFICATE with the Root CA, will Mender Gateway validate the full chain (Device cert → Intermediate CA → Root CA)?
- Or do we need to provide a CA bundle (concatenated Root CA + Intermediate CA certificates)?
- Is there any documentation on certificate chain validation for mTLS?
We reviewed the following documentation but couldn’t find explicit information about Intermediate CA support or certificate chain validation:
- Mutual TLS authentication | Mender documentation
- Certificates and keys | Mender documentation
- Device Authentication | Mender documentation
- Mender Server | Mender documentation
Thanks in advance for any guidance.
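An added example, not from the post above and not Mender's code, using only Go's standard library to show the general X.509 rule behind the question: a verifier whose trust store holds the Root CA alone accepts the device certificate only when the client presents the Intermediate CA in its TLS chain, whereas a trust store that also contains the Intermediate CA (the "bundle" case) accepts the leaf on its own. Whether MTLS_CA_CERTIFICATE in Mender Gateway behaves exactly like the `trusted` pool here is an assumption to confirm against Mender's code or support; the CA names, serial numbers and validity periods are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with a fresh P-256 key; ca selects CA constraints versus a TLS client-auth leaf.
func issue(cn string, serial int64, years int, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca { // device leaf: signing-only key, restricted to TLS client authentication
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key } // nil parent: self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted plays the gateway's TLS server: trusted is its configured CA file, presented is what the client sent besides its own cert.
func accepted(device *x509.Certificate, trusted, presented []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted { roots.AddCert(c) }
	for _, c := range presented { inters.AddCert(c) }
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// RunScenarios builds Root -> Intermediate -> Device (constructed names/serials) and tries the three configurations asked about above.
func RunScenarios() map[string]bool {
	root, rootKey := issue("Root CA", 1, 20, true, nil, nil)
	inter, interKey := issue("Intermediate CA", 2, 2, true, root, rootKey)
	device, _ := issue("device-0001", 3, 1, false, inter, interKey)
	return map[string]bool{
		"CA=root, client sends leaf only":         accepted(device, []*x509.Certificate{root}, nil),
		"CA=root, client sends leaf+intermediate": accepted(device, []*x509.Certificate{root}, []*x509.Certificate{inter}),
		"CA=root+intermediate bundle, leaf only":  accepted(device, []*x509.Certificate{root, inter}, nil),
	}
}
```

The same three checks can be reproduced against real PEM files with `openssl verify -CAfile <ca-file> [-untrusted intermediate.pem] device.pem`, which is a useful pre-deployment test of whatever CA file the gateway is given.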