2

I am following the Device Provisioning Example for the MXChip IoT DevKit at Azure MXChip IoT DevKit DPS and have a question regarding X.509 certificates.

When I follow the sample everything works correctly. However, when I change the code on the device and upload the modified code I am getting the following error:

{"errorCode":401002,"trackingId":"3f308efd-9274-4a7a-8994-56781ce87942","message":"Invalid certificate.","timestampUtc":"2020-06-18T00:29:58.411225Z"}

Upon further investigation it looks like I have to create a new X.509 certificate each time I change the code. Is this proper behavior? I cannot seem to find any explanation for this and was hoping someone could give me info on the reason for the error. I'm guessing it does CRC checks (or similar) between the code and the certificate to validate the code hasn't been tampered with.

Can someone please verify this? Thanks.

SatishBoddu
  • 752
  • 6
  • 13
TheTurkishDeveloper
  • 187
  • 8
  • Yeah I too can repro this issue,the re-provision concept of the device tells us to update the certificate every time a device tries to connect to IoTHub via DPS , keeping security in mind,admin has to generate the new x509 cert with every code change on same device ID. Please see [How to reprovision devices](https://docs.microsoft.com/en-us/azure/iot-dps/how-to-reprovision), & [IoT Hub Device reprovisioning concepts](https://docs.microsoft.com/en-us/azure/iot-dps/concepts-device-reprovision)& [Gitter](https://gitter.im/Microsoft/azure-iot-developer-kit), let me know your thoughts on this. – SatishBoddu Jun 19 '20 at 03:37

1 Answers1

1

This is the response from Microsoft/azure-iot-developer-kit Gitter forum.

Yes, the certificate that the MXChip presents to DPS/IoT Hub is effectively the signature of the actual binary, using the unique device secret as the key for signing. Therefore, everytime the binary code changes you will want to re-run the command line tool that can simulate the certificate that MXChip will automatically generate on the fly, and configure this cert in your DPS enrollment.

SatishBoddu
  • 752
  • 6
  • 13