mTLS is the default for new assets
Every new asset gets its own unique digital certificate at the point of creation. No shared passwords, no shared API keys — and if a certificate is ever compromised, we revoke it within five minutes.
When you add a new asset on Pointnode today, the platform generates a fresh ECDSA P-256 key pair, signs the public key into a per-asset certificate, and reveals the cert + matching private key + CA bundle exactly once on the credentials page.
Three PEMs go onto the asset’s on-board router; the private key never touches our database. That cert is what authenticates the asset to our broker — no shared passwords, no API keys, no chance of a credential leak granting access to another asset on your fleet.
Why this matters
- Per-asset isolation. A leaked certificate cannot impersonate any other asset on your fleet.
- Fast revocation. If a certificate is ever compromised, we revoke it immediately, and the broker stops accepting publishes from it within five minutes once it picks up the updated certificate revocation list.
- Audit-ready. Every issuance, renewal, and revocation lands on the platform audit log.
Customer assets currently use three-year certificates with a 90-day renewal banner — the right defence for an industrial asset is fast revocation, not annual reflashing. Internal Pointnode services rotate every 90 days on a daily cron. The full detail is on /security.
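To make the two mechanisms above concrete (per-asset issuance and CRL-based revocation at the broker), here is an added example using Go's standard library; it is not Pointnode's own code. The self-signed fleet CA, the function names and the serial numbers are assumptions: IssueAssetCert mints a fresh P-256 key pair and a three-year client-auth certificate per asset, BuildCRL publishes a CA-signed CRL whose NextUpdate matches the five-minute window, and BrokerAccepts refuses any certificate that fails to chain to the CA or whose serial is listed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var now = time.Now()
// Fleet CA template: a self-signed stand-in for the platform CA, which is an assumption (the page does not describe it).
var caTmpl = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-fleet-ca"}, IsCA: true,
	BasicConstraintsValid: true, NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
// mint generates a fresh ECDSA P-256 key pair and signs tmpl with signer; a nil signer means self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signer == nil { signer = key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err // the private key is handed to the caller once and never stored here
}
// IssueAssetCert: one asset, one fresh key pair, one three-year client-auth certificate signed by the fleet CA.
func IssueAssetCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, assetID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: assetID}, NotBefore: now.Add(-time.Minute),
		NotAfter: now.AddDate(3, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
}
// BuildCRL signs a CRL listing revoked serials; NextUpdate caps how long a broker may keep trusting a cached copy.
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate // Go 1.21 also offers RevokedCertificateEntries; this field works from Go 1.19
	for _, s := range revoked { entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now}) }
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(5 * time.Minute), RevokedCertificates: entries}, ca, caKey)
	if err != nil { return nil, err }
	return x509.ParseRevocationList(der)
}
// BrokerAccepts: the CRL must be CA-signed, the cert must chain to the CA for client auth, and its serial must not be listed.
func BrokerAccepts(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate) bool {
	if crl.CheckSignatureFrom(ca) != nil { return false }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { return false }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 { return false }
	}
	return true
}
```

A leaked certificate only ever names one asset, so revoking its serial shuts that asset out without touching the rest of the fleet.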