One method to authenticate devices to the platform is certificate-based authentication. But to enhance security, a growing number of standards and best practice guides are encouraging device manufacturers to issue certificates for their devices with short validity periods (one year or less). This creates two issues:
1. During the period that devices are connected, their certificates can expire, meaning that they are no longer trusted by Cumulocity.
2. Some devices may only become connected to Cumulocity some time after they are manufactured or arrive in the field, and by that time, the certificate may have expired.
In case 1, it would be helpful if Cumulocity could be used (e.g. by issuing an operation) to push updated certificates to devices. Updated certificates would have to be pulled from an issuing CA, or generated and signed by the platform using a key provided for the purpose.
In case 2, we require a workflow similar to the existing Device Registration workflow, whereby a device can connect and present an out-of-date certificate, and by manual exception, an authorised user can issue a replacement.
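The following is an added example, not code from this request or from Cumulocity, showing the mechanics behind both cases with only the Go standard library: a platform-side issuing CA (standing in for the "key provided for the purpose"), a device that answers a renewal operation with a CSR rather than handing over its private key, a short-lived certificate signed from that CSR, and a verifier that distinguishes "expired" from every other chain failure, which is what a manual re-registration path for case 2 would need. The 90-day lifetime, the CA name and the device ID are assumptions for illustration; the request itself only says "one year or less".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical device certificate lifetime; the request only says "one year or less".
const DeviceValidity = 90 * 24 * time.Hour

// NewCA builds a self-signed issuing CA. It stands in for the platform-side key
// "provided for the purpose" of signing replacement device certificates.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// NewDeviceKey generates the device key pair; the private half never leaves the device.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// DeviceCSR is what the device sends back when told to renew: a request for a
// new certificate over its existing key, not a request for a new key.
func DeviceCSR(key *ecdsa.PrivateKey, deviceID string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, key)
}

// IssueDeviceCert signs a CSR for a short window starting at now. It rejects a CSR
// whose self-signature fails (no proof of key possession) or whose subject differs
// from the identity the device is already registered under, so a renewal cannot be
// used to obtain a certificate for some other device.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte,
	registeredID string, now time.Time, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != registeredID {
		return nil, fmt.Errorf("csr subject %q does not match registered device %q",
			csr.Subject.CommonName, registeredID)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // random, positive serial
		Subject:      csr.Subject,
		NotBefore:    now.Add(-5 * time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// CheckDeviceCert verifies the device certificate against the CA as of time now.
func CheckDeviceCert(certDER []byte, ca *x509.Certificate, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IsExpired tells a validity-period failure apart from other chain errors: an
// expired but otherwise valid certificate can be routed to a manual re-registration
// path (case 2) instead of being treated like an untrusted one.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	ca, caKey, _ := NewCA()
	devKey, _ := NewDeviceKey()
	csr, _ := DeviceCSR(devKey, "device-0001")
	issued := time.Now()
	cert, _ := IssueDeviceCert(ca, caKey, csr, "device-0001", issued, DeviceValidity)
	fmt.Println("one hour after issue:", CheckDeviceCert(cert, ca, issued.Add(time.Hour)))
	err := CheckDeviceCert(cert, ca, issued.Add(DeviceValidity+time.Hour))
	fmt.Println("after lifetime, expired?", IsExpired(err))
}
```

In the push flow of case 1 the platform would send the renewal operation while the current certificate is still valid, so the CSR arrives over an authenticated session and `registeredID` comes from that session; in case 2 the same issuing function runs, but only after an authorised user has approved the device whose certificate `IsExpired` flagged.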