
I'm deploying Edge Modules for protocol translation and using certificates to secure communication.

The certificates are currently placed inside the module container which would require the modules to be rebuilt and redeployed when certs change.

I'm looking for a better solution such as an Azure Key Vault to pull down certs from and avoid the rebuild/redeploy process.

Are people aware of such an option and implementation details?

  • There is nothing currently built-in, but you can of course implement this on your own - assuming that your modules can access KeyVault at the time they start up. – silent Mar 11 '20 at 13:54
  • Hi Kieran, are you looking for a server certificate or a client certificate? – Mike Yagley Mar 11 '20 at 17:24
  • Hi Mike, we are implementing server certificates in edge modules translating HTTPS from leaf devices to MQTT upstream to the IoT Hub. – Kieran Blake Mar 12 '20 at 11:45

1 Answer


The IoT Edge daemon has an API for acquiring server certificates chained to the CA certificate configured in the daemon's config.yaml. It sets the config's hostname field as the server certificate's CN field.

This is the API the Edge Hub uses to acquire a certificate for its TLS.

Unfortunately, there is no nice client library to interact with this API. However, there is a published Swagger file defining the API that can be used to generate a client in the language of your choice.

Swagger definition: https://github.com/Azure/iotedge/blob/master/edgelet/api/workloadVersion_2019_01_30.yaml#L177

The Edge Hub actually uses this Swagger definition to generate a C# client to receive its certificates. The code is in a utils assembly in the IoT Edge codebase: https://github.com/Azure/iotedge/tree/master/edge-util/src/Microsoft.Azure.Devices.Edge.Util/edged (A NuGet package hasn't been created for this, but with a little work, you should be able to make use of this API.)

The Edge Hub uses this code here: https://github.com/Azure/iotedge/blob/master/edge-hub/src/Microsoft.Azure.Devices.Edge.Hub.Service/CertificateRenewal.cs

  • Thanks for the information, our protocol translators are written in node.js, we’ll need to examine the examples and plan an implementation and test activity. – Kieran Blake Mar 13 '20 at 00:33