How to generate and use the mTLS keys and cert? about fleet-telemetry HOT 15 CLOSED

You cannot self-sign the fleet-telemetry certificate, I tried, the /api/1/vehicles/fleet_telemetry_config API endpoint will reject it. The server will start, but you wont be able to configure a vehicle to use it.

I'll try break all the crypto down for you:

1. ECDSA Private Key
2. ECDSA Public Key hosted at /.well-known/appspecific/com.tesla.3p.public-key.pem, created using (1)
3. CSR created from (1)
4. Certificate signed by Tesla, created from (3)

Fleet Telemetry uses (1) and (4) in the TLS config. Vehicle Command Proxy uses (1) only in -key-file parameter.

Then, completely seperate:

• Vehicle Command Proxy SSL Key
• Vehicle Command Proxy SSL Cert
  These are only used for the command proxy web server and should not be the same as (1) or (4)

from fleet-telemetry.

To generate your mTLS private key which is used for both vehicle-command signing and fleet-telemetry mTLS, see https://developer.tesla.com/docs/fleet-api#fleet-telemetry

openssl req -out partner_domain.com.csr -key private_key.pem -subj /CN=partner_domain.com/ -new

As I understand, that command generates a CSR using an existing private key (which must be the private key used for command signing, as per the instructions). It does not generate a private key.

I ran that command, passing my existing command-signing private key eg -key ../my-keys/com.tesla.3p.key.pem and it created the .csr file, which I've emailed to Tesla.

from fleet-telemetry.

Also, what is the purpose of the Certificate Signing Request (CSR) that we send to [email protected] per these instructions?

Does that cause something to change on the Tesla backend or vehicles?

Does Tesla reply with a certificate, signed by them? If so, how do we make use of this certificate?

from fleet-telemetry.

There are two different things your talking about here:

The first thing you were talking about is for the vehicle-command HTTPS server, not fleet-telemetry or mTLS. You can completely disregard that when talking about Fleet Telemetry, its literally just a webserver key and cert and has zero relationship to the mTLS.

To generate your mTLS private key which is used for both vehicle-command signing and fleet-telemetry mTLS, see https://developer.tesla.com/docs/fleet-api#fleet-telemetry

openssl req -out partner_domain.com.csr -key private_key.pem -subj /CN=partner_domain.com/ -new

Then you use that key to create a CSR, email that to tesla, and they then return you a certificate to use with fleet-telemetry.

I have been waiting 3 weeks to get a reply with my certificate though.

So at the end of the day you need:
Vehicle Command Proxy web certificate pair - Just a regular HTTPS cert and key from letsencrypt or digicert or openssh.
Vehicle Command signing key and Fleet Telemetry mTLS key pair - use to authenticate with vehicles

from fleet-telemetry.

Yeah correct, I didnt read it close enough before copy pasting. Now you wait for Tesla.

When you get the certificate back, you can start a Fleet Telemetry server by setting the key and certificate in the tls section of the Fleet Telemetry server config.

from fleet-telemetry.

I notice outstanding PR #88, which adds a bit more info regarding the keys:

You may generate a self-signed certificate using the OpenSSL command below, though we recommend using best practices for generating a server certificate from a trusted certificate authority (have your domain/CNAME ready)
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

But it doesn't mention the CSR we send to Tesla. Perhaps the self-signed approach is an alternative to the CSR, for non-production use?

It may largely be my ignorance, but I'm having trouble grasping the overall picture of how it all fits together, which key is used where etc. I'd be happy to submit PRs to improve the READMEs but I currently don't understand enough :(

from fleet-telemetry.

How do you send the CSR to Tesla? I tried to send through register endpoint but I am getting Internal server Error. Do we email CSR to Tesla? If yes what is the email address?

{
"response": null,
"error": "An unexpected error occurred - 0630a97bd01d81c0798bc7bac2d9eea3",
"error_description": ""
}

from fleet-telemetry.

If yes what is the email address?

[email protected]

The process is all in the documentation.

from fleet-telemetry.

We sent a revised CSR that passes the check_csr.sh script to [email protected] about 3 weeks ago (2/10), but haven't heard anything back. I also submitted the same CSR to the register endpoint as there was some indication that was an alternative route to register.

I am still getting an error that I don't have a CSR every time I call the fleet_telemetry_config endpoint for our vehicles, so I interpret that to mean we haven't been issued a certificate yet.

Does anyone know if there is a way to get an update on the progress of approval? It would just be helpful to know if we are held up because of use-case, an incorrect request, or just process delay.

from fleet-telemetry.

In the helpful guide written by @patrickdemers6, it suggests using certbot and LetsEncrypt (or equivalent) to generate a Certificate and CA Bundle for use with TLS.

• does this mean the TLS certificate must be signed by a public CA, and not with our own private key?
• if so, what is the purpose of sending a CSR to Tesla? What does Tesla do with it?

from fleet-telemetry.

• does this mean the TLS certificate must be signed by a public CA, and not with our own private key?

No, mine is signed by my own CA based on the private key used to create the CSR.

• if so, what is the purpose of sending a CSR to Tesla? What does Tesla do with it?

I think it's because you could certify the vehicle cert using your private key, but this also confused me because I though running your own CA was required.

In fact, all three of my Fleet Telemetry servers have their own private key and cert, but all signed by a CA that uses my private key, which is the CA that gets sent to vehicles.

from fleet-telemetry.

When I access this interface,https://fleet-api.prd.cn.vn.cloud.tesla.cn/api/1/vehicles/fleet_telemetry_config. The interface returns...

{"response":null,"error":"upstream internal error","error_description":""}. What could be the reasons for this return

Furthermore，What should be filled in for this parameter（config.ca） in this interface?

from fleet-telemetry.

When I access this interface,https://fleet-api.prd.cn.vn.cloud.tesla.cn/api/1/vehicles/fleet_telemetry_config. The interface returns...

{"response":null,"error":"upstream internal error","error_description":""}. What could be the reasons for this return

Furthermore，What should be filled in for this parameter（config.ca） in this interface?

fleet_telemetry isn't supported in China yet

from fleet-telemetry.

When I access this interface,https://fleet-api.prd.cn.vn.cloud.tesla.cn/api/1/vehicles/fleet_telemetry_config. The interface returns...
{"response":null,"error":"upstream internal error","error_description":""}. What could be the reasons for this return
Furthermore，What should be filled in for this parameter（config.ca） in this interface?

fleet_telemetry isn't supported in China yet

Are you sure? Previously, when I submitted this interface, it showed success. it returns {"response":{"updated_vehicles":1}}

The error occurred now because I am changing the domain name and re-submitting.

from fleet-telemetry.

Docs have been updated to make all this stuff clearer.

from fleet-telemetry.