
How do I set up (self-signed) CA certificates, client certificates and username/password for a self-signed device connection?

I am working with an MQTT Python client and I want to set up the device self-signed certificate option. I have been able to connect with a SAS device setup, and now I don't know what I need for this one.


When I worked with the SAS token I had the Azure DigiCert CA, and the device key and cert were set to None.

Now I am using the same Azure Baltimore root certificate provided by them (DigiCert), and with OpenSSL I created the client key and crt, from which I took the thumbprint. Is that correct?

I created them with OpenSSL and had .crt and .key files, so I converted them into .pem.

So could it be because of the format of the client keys, or what should I give as certificates?

As for the password and username: what I have as the password should be None now, or maybe the thumbprint, since I have no SAS token key. So what should I put in there?

from paho.mqtt import client as mqtt
import ssl
import time
import logging  # used in on_connect below

Data = {"Temp":44,"Pressure":55,"Power":66}
path_to_root_cert = "C:/Users/../digicert.cer"
device_cert = "C:/Users//../m2mqtt_ca.cer"
device_key = "C:/Users//../m2mqtt_ca.key"

device_id = "x509Device"
sas_token = "SharedAccessSignature sr=...."  # SAS created with Device Explorer twin (not used for X.509 auth)

iot_hub_name = "Iothubdev"

def on_connect(client, userdata, flags, rc):
    if rc==0:
        client.connected_flag = True
        print ("Connected OK \n Device connected with result code: " + str(rc))
    else:
        print("Bad connection returned code=", str(rc))
        client.bad_connection_flag = True
        logging.info("Disconnecting reason:" + str(rc))

def on_disconnect(client, userdata, rc):
  print ("Device disconnected with result code: " + str(rc))

def on_publish(client, userdata, mid):
  print ("Device sent message")

client = mqtt.Client(client_id=device_id, protocol=mqtt.MQTTv311)

client.on_connect = on_connect
client.on_disconnect = on_disconnect
client.on_publish = on_publish

client.username_pw_set(username=iot_hub_name+".azure-devices.net/" + device_id, password=None)

client.tls_set(ca_certs=path_to_root_cert, certfile=device_cert, keyfile=device_key, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)
client.tls_insecure_set(False)

try:
    client.connect(iot_hub_name+".azure-devices.net", port=8883) #Connect to Broker
except Exception as e:
    print("Connection Failed:", e)

#client.connect(iot_hub_name+".azure-devices.net", port=8883) #Connect to Broker

client.publish("devices/" + device_id + "/messages/events/", str(Data), qos=1)
client.loop_forever()
#time.sleep(2)
#client.disconnect()

> Azure IoT Hub Certificate in here says use Baltimore certificate as CA

Client crt

Client key

But it is not working for me right now.

MarcoPolo11
  • Please check the host name of your IoT Hub. I think it should be `*.azure-devices.net`. You can try to use an X.509 CA Signed device to test this issue. – Michael Xu Jul 18 '18 at 09:47
  • Oops, hahah. Actually I changed it because I thought it was specially from my Azure account, which I wouldn't like to share XD @Michael Xu -MSFT – MarcoPolo11 Jul 18 '18 at 09:53
  • I can reproduce this issue with a Self-Signed device too. I'm not sure if a Self-Signed device supports MQTT communication directly at this moment. Have you tried to test this issue with an X.509 CA signed device? It would work. @MarcoPolo11 – Michael Xu Jul 18 '18 at 10:02

2 Answers


I have tried with a CA certificate device, where I set up the certificate first on the IoT Hub and verified it with the client, and either way it doesn't work.

I didn't use PowerShell so I can't tell... I used OpenSSL.

I used OpenSSL to create the CA certificate, and then with a client certificate whose CN was the generated verification code I verified the certificate.


And now about the code: how do I set up the certificates, and in which format, since the PowerShell guide talks about a chained key and everything but doesn't specify what it demands.

Should it be: Azure Baltimore certificate first? CA certificate, CA key

or CA certificate, client certificate with the verified CN, client key

(And with which extension?)

path_to_root_cert = "C:/Users/../digicert.cer"
device_cert = "C:/Users//../m2mqtt_ca.cer"
device_key = "C:/Users//../m2mqtt_ca.key"

client.tls_set(ca_certs=path_to_root_cert, certfile=device_cert, keyfile=device_key, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)

@Michael Xu - MSFT

MarcoPolo11
  • How did you use the openssl to create the certificate, or could you provide the command detail steps? What is the `Common Name` in your certificate? In fact the `Common Name` should be the device name. – Michael Xu Jul 19 '18 at 03:38
  • Used this web and other links -> https://dzone.com/articles/secure-communication-with-tls-and-the-mosquitto-broker, (Over mosquitto broker I made it work) CN of my CA.crt is my own name and the CN of the client is the Generated verification code that azure ask for to verify the certificate. @Michael Xu - MSFT – MarcoPolo11 Jul 19 '18 at 08:31
  • I mean, what is the CN name for the device? Did it match the device name in IoT Hub? – Michael Xu Jul 19 '18 at 08:43
  • No it doesn't, the CN of the main certificate is just my name, not the device one. Then should I have the CA with a CN of the device, and the client certificate with the verification code as its CN to verify it, right? – MarcoPolo11 Jul 19 '18 at 09:08
  • No, you should use the CN as the device name when you create the client certificate. – Michael Xu Jul 19 '18 at 09:14
  • Are you talking about CA Signed? – MarcoPolo11 Jul 19 '18 at 09:17
  • In CA Signed I post a CA, and to verify it Azure asks for a certificate with a CN of the generated verification code, as shown in the picture, to verify it, which would be the client one – MarcoPolo11 Jul 19 '18 at 09:18
  • But on the X.509 self-signed I attach a thumbprint and the client certificate CN has to be the device from the IoT Hub; is that what you mean I should be using? – MarcoPolo11 Jul 19 '18 at 09:20
  • Yes, I was talking about CA Signed. For self-signed, I could not get it to work either. – Michael Xu Jul 19 '18 at 09:21
  • CA Signed then. Should the CA certificate have the device CN, or the client one? If it's the client, then I have to create a certificate with CN = device name signed by the CA cert, and on the other hand I have another client certificate I created, signed by the CA, with a CN of the generated verification code, that will be used just to verify its CA certificate and will not be used anymore. – MarcoPolo11 Jul 19 '18 at 09:33
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/176312/discussion-between-michael-xu-msft-and-marcopolo11). – Michael Xu Jul 19 '18 at 09:35

The password field for an X.509 device should be `None`. Reference: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support
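The question's `username_pw_set`/`tls_set` configuration and this answer's point about the password both come down to the same pre-flight checks: the client certificate must be PEM (or DER) that the TLS stack can load, its subject CN must be the IoT Hub device ID, its SHA-1 thumbprint is what gets registered for a self-signed device, and the password stays `None` because no SAS token is involved. The following is an added example, not code from the question, from paho-mqtt or from Microsoft. It uses only the Python standard library: a minimal DER reader pulls the CN out of a certificate, `thumbprint()` computes the registration thumbprint (upper-case hex, no colons), and `iothub_mqtt_settings()` assembles the paho arguments the question uses and reports whether the CN matches the device ID. The certificate in the demo is constructed in the block with a dummy key and signature purely so the parser has input; it would not pass a real TLS handshake. The file paths passed in are placeholders.

```python
import hashlib
import ssl

# --- Minimal DER helpers (stdlib only; enough to read the subject CN of an X.509 cert) ---

def _der_len(n):
    """Encode a DER length field (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Decode one DER element at pos; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    """Split a constructed DER body into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def cert_to_der(blob):
    """Accept a certificate as PEM text/bytes or raw DER (.cer/.crt/.pem) and return DER."""
    if isinstance(blob, bytes) and blob.lstrip().startswith(b"-----BEGIN"):
        blob = blob.decode("ascii")
    if isinstance(blob, str):
        return ssl.PEM_cert_to_DER_cert(blob.strip())
    if blob[:1] != b"\x30":            # every DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return blob

def subject_cn(der):
    """Return the Common Name from the certificate's subject, or None if absent."""
    _, cert_body, _ = _read_tlv(der, 0)
    tbs_fields = _children(_children(cert_body)[0][1])   # TBSCertificate fields
    if tbs_fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    subject = tbs_fields[4][1]       # serial, sigAlg, issuer, validity, subject, ...
    for _, rdn in _children(subject):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode("utf-8")
    return None

def thumbprint(blob):
    """SHA-1 of the DER certificate as upper-case hex without colons: the thumbprint
    IoT Hub asks for when registering a self-signed X.509 device."""
    return hashlib.sha1(cert_to_der(blob)).hexdigest().upper()

def iothub_mqtt_settings(hub_name, device_id, device_cert_blob, root_ca_path, cert_path, key_path):
    """Assemble the paho-mqtt connect / username_pw_set / tls_set arguments for X.509
    device auth and check the certificate against the device identity first."""
    host = f"{hub_name}.azure-devices.net"
    der = cert_to_der(device_cert_blob)
    cn = subject_cn(der)
    return {
        "host": host,
        "port": 8883,
        "username": f"{host}/{device_id}",   # same form as the question's client code
        "password": None,                    # X.509 auth: no SAS token, so the password is None
        "tls_set": dict(ca_certs=root_ca_path, certfile=cert_path, keyfile=key_path,
                        cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLS_CLIENT),
        "subject_cn": cn,
        "cn_matches_device_id": cn == device_id,
        "thumbprint": thumbprint(der),
    }

# --- Constructed sample certificate (structurally valid DER, dummy key and signature) ---

def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue

def make_sample_cert_pem(cn):
    """Build a throw-away X.509 DER structure with the given subject CN and wrap it in PEM."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    rsa_oid = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"180718000000Z") + _tlv(0x17, b"280718000000Z"))
    dummy_bits = _tlv(0x03, b"\x00" + b"\x00" * 16)   # placeholder BIT STRING, not a real key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + _name("example-self-signed-ca") + validity + _name(cn)
               + _tlv(0x30, rsa_oid + dummy_bits))
    return ssl.DER_cert_to_PEM_cert(_tlv(0x30, tbs + sha256_rsa + dummy_bits))

if __name__ == "__main__":
    pem = make_sample_cert_pem("x509Device")
    print(iothub_mqtt_settings("Iothubdev", "x509Device", pem,
                               "digicert.pem", "device.pem", "device.key"))
```

Run it against your real device certificate by reading the file (`open(path, "rb").read()`) instead of the constructed sample: if `cn_matches_device_id` is false, the certificate was issued for a different name than the IoT Hub identity, and `thumbprint` is the value to compare with what is registered on the device in the hub. `PROTOCOL_TLS_CLIENT` is used in place of the deprecated `PROTOCOL_TLSv1_2` constant from the question; both give a TLS 1.2+ client context.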