I've read from here and here that every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. Otherwise the IoT Edge runtime will install a temporary certificate lasting 90 days, at the end of which the runtime must be restarted. Since I have a lot of different edge devices to manage and it's infeasible to do manual operations such as copying certificates onto each provisioned device and manually modifying the config.yaml file of the edge runtime, what can be done in order to properly set up production certificates automatically?
Viewed 697 times
Did you consider using DPS? With the Azure IoT Hub Device Provisioning Service (DPS), you can automatically provision IoT Edge devices using X.509 certificates. See [Create and provision an IoT Edge device using X.509 certificates](https://learn.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-x509-certs?view=iotedge-2018-06&tabs=windows) – AshokPeddakotla Jul 29 '21 at 13:27
@AshokPeddakotla-MSFT I've read that IoT Edge uses two types of certificates: the device identity certificates, which are only used for provisioning the IoT Edge device and authenticating the device with Azure IoT Hub (these are the ones used in the article you linked), and the signing certificates, used to secure connections between the different components on an IoT Edge device or between an IoT Edge device and any leaf devices, as explained [here](https://learn.microsoft.com/en-us/azure/iot-edge/iot-edge-certs?view=iotedge-2018-06). How can I manage these latter certificates automatically? – Xela95 Jul 30 '21 at 07:14
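The question asks how to install a production device CA (the signing certificate, not the DPS identity certificate) without hand-editing config.yaml on every device, and the comment points at DPS X.509 provisioning. The script below is an added example, not code from the question, the comments, or Microsoft's documentation. It generates a per-device device CA with openssl, verifies that it chains to the trusted root and is actually marked as a CA, and prints the config.yaml `provisioning:` and `certificates:` sections that point at the resulting files, so the whole step can be run by whatever tool already pushes files to the devices. It assumes openssl is installed, that the self-signed "Test Root CA" stands in for the organisation's real PKI, and that the device ID, file paths, DPS scope ID and the identity certificate file names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the question, comments or Microsoft docs):
# create an IoT Edge device CA signed by a root, verify it, and emit the
# IoT Edge 1.1 config.yaml fragments that reference it.
# Assumptions: openssl is on PATH; the root CA generated here is a test
# stand-in for a real PKI; device ID, scope ID and paths are placeholders.
set -eu

# Extension profile: v3_ca for the root, v3_device_ca for the device CA.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_device_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# make_device_ca DIR DEVICE_ID DAYS
# Writes DIR/root.pem (+ root.key), DIR/device_ca.pem (+ device_ca.key)
# signed by the root, and DIR/device_ca_chain.pem (device CA, then root).
make_device_ca() {
  dir=$1; device_id=$2; days=$3
  cnf="$dir/openssl.cnf"
  write_openssl_cnf "$cnf"

  # Test root CA (self-signed). In production this is the existing
  # organisational root or intermediate CA, never generated per device.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Test Root CA" -config "$cnf" -extensions v3_ca >/dev/null 2>&1

  # Device CA: one per edge device, with its own limited validity period.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/device_ca.key" -out "$dir/device_ca.csr" \
    -subj "/CN=$device_id.deviceca" -config "$cnf" >/dev/null 2>&1
  openssl x509 -req -sha256 -days "$days" -in "$dir/device_ca.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/device_ca.pem" -extfile "$cnf" -extensions v3_device_ca \
    >/dev/null 2>&1

  # device_ca_cert should carry the chain so modules and leaf devices
  # can build a path to the trusted root.
  cat "$dir/device_ca.pem" "$dir/root.pem" > "$dir/device_ca_chain.pem"
}

# verify_device_ca DIR -> exit 0 only if the device CA chains to the root
# and carries basicConstraints CA:TRUE (a leaf cert here is a common mistake).
verify_device_ca() {
  openssl verify -CAfile "$1/root.pem" "$1/device_ca.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$1/device_ca.pem" -noout -text | grep -q "CA:TRUE"
}

# write_config_fragment DIR SCOPE_ID -> prints the config.yaml sections.
# identity.pem/identity.key are the (separate) DPS identity certificate,
# assumed to be issued by the PKI already enrolled in DPS.
write_config_fragment() {
  dir=$1; scope_id=$2
  cat <<EOF
provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.net"
  scope_id: "$scope_id"
  attestation:
    method: "x509"
    identity_cert: "file://$dir/identity.pem"
    identity_pk: "file://$dir/identity.key"

certificates:
  device_ca_cert: "file://$dir/device_ca_chain.pem"
  device_ca_pk: "file://$dir/device_ca.key"
  trusted_ca_certs: "file://$dir/root.pem"
EOF
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  out=$(mktemp -d)
  make_device_ca "$out" "edge-device-001" 365
  verify_device_ca "$out" && echo "device CA for edge-device-001 OK in $out"
  write_config_fragment "$out" "0ne00000000"
fi
```

The point of `verify_device_ca` is the check most worth automating: the runtime needs a certificate that can sign (CA:TRUE, keyCertSign) and that chains to whatever is listed in `trusted_ca_certs`; a leaf certificate dropped into `device_ca_cert` will not work. Keys are written unencrypted here only so the example runs unattended; on a real device put `device_ca.key` under a restrictive mode and owner, or use the runtime's PKCS#11 support instead of file URIs.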