0

I'm investigating using Azure IoT hub for communication between software clients and a backend. The software clients should act as devices in IoT hub parlance.

Is it possible to provision the software clients as devices with IoT Hub device provisioning service without each client having been given a unique identifier in a TPM module or a unique X.509 certificate?

I don't have a need for authenticating the clients before provisioning, I just want each client to be able to communicate securely with the IoT hub. After provisioning, the client must be uniquely identifiable. At that time, other clients should not be able to impersonate it.

At the moment, I believe that the client software needs to have an intermediate certificate embedded, which it can use to sign a certificate that it creates when it attempts to provision itself.

Are there other ways to let an IoT hub client-device provision itself without having been preprogrammed with a SAS, token, or other unique identifier?

RasmusW
  • 3,355
  • 3
  • 28
  • 46

2 Answers2

2

Use of an HSM is not required to use the Device Provisioning Service (source: I'm the PM for the service). If your clients already all have an intermediate certificate they can use to generate a leaf cert, and if all the intermediate certs for all your devices have a common signer, then you can create an enrollment group in the provisioning service using that common signing cert and allow all your devices to provision via that enrollment group.

The provisioning service doesn't care which entity is the ultimate root of trust for the certificates your device clients present, but you will have to go through a proof of possession step to show you have access to the private portion of the signing cert when using an enrollment group. By proving ownership of a signing cert in the chain (doesn't have to be the root, just one of the intermediates), you're proving that you have permission to generate leaf certificates for the devices that will be registering as a part of that enrollment group.

nberdy - MSFT
  • 96
  • 4
  • Thank your for the answer. I ended up making a C# tool that can create the CA chain of root and intermediates, as well a the verification cert and device certificates. I put it up at https://github.com/rwatjen/AzureIoTDPSCertificates. – RasmusW Apr 18 '18 at 05:24
0

I am afraid the answer is NO.

To connect Azure IoT Hub, the device(software client) need select either Secuity Keys(related to Tokens) or x509(certificate) as authentication method.

As for Device Provisioning Service, you need select x509 or TPM-based identity to provision device.

Device Provisioning Service is a helper service for IoT Hub that enables zero-touch, just-in-time provisioning to the right IoT hub without requiring human intervention, allowing customers to provision millions of devices in a secure and scalable manner.

Both X.509 certificates and SAS tokens can be stored in Hardware security module, so you don't have to preprogrammed with a SAS, token, or other unique identifier in your device client.

For software client, maybe you can use software-based TPM. But I am not sure your platform is software-based TPM supported. There is a software TPM supported on Windows 10 IoT core.

Rita Han
  • 9,574
  • 1
  • 11
  • 24
  • I was thinking that it wouldn't matter where the client's x509 certificate comes from. Wouldn't it work if it could create a cert that was signed with an intermediate cert, which in turn was signed by the Device Provisioning Service's root cert, – RasmusW Mar 21 '18 at 11:12