
I have a software solution for IoT edge, i.e. I have an exe and an rpm installer that consist of the edge installation. The exe and the rpm will be installed on Windows and Linux machines respectively.

I need to secure my edge device cert and private key on the Windows and Linux machines, so that if compromised there is at least one level of security rather than no security at all.

Possible solutions I was thinking of:

Fetch a .pfx file from PKI and use that in the edge config.toml. I think edge doesn't work with a .pfx file and it needs the cert and private key to connect to IoT Hub. Also I didn't see any option in config.toml to mention the passphrase of the pfx file so that edge can decrypt the pfx file itself. Please confirm whether this understanding is correct or not.

I was thinking of having my custom encryption algorithm encrypt the cert and private key and decrypt them during the installation process of edge before doing the provisioning. Once provisioning is done by the edge device, I will delete the decrypted files. My question on this is: does edge require the certificate again at any time? I think the provisioning is done only once and not again and again, and the cert and private key are meant for provisioning only.

I was thinking of rotating my certs and key every 5 days. I know the device will reconnect using the new cert and key, but what if someone uses the old cert and key and tries to provision the device? Will that also provision, as logically the cert chain of the old cert is the same as the new one?

Note: I don't have access to the Windows or Linux machine as that belongs to the end customer, so I don't have an option to save the cert and key file in a TPM or HSM.

iAviator
  • Hello, @iAviator. 1. Yes, it doesn't work with a .pfx file; Azure IoT accepts certificates as .pem or .cer files. – Sampath Jul 20 '23 at 00:10
  • 3. AFAIK, if the old certificate is connected to Azure IoT Hub, it will be used with its expiry time. If reconnecting using the new cert and key, then for provisioning we have to use the new one. – Sampath Jul 20 '23 at 00:46
  • 2. The primary thumbprint of the certificate is used, which allows the device to communicate with Azure IoT Edge. Tested with C# as well. We connect to Azure IoT Hub with a thumbprint or certificate; after provisioning we can connect to the device. If we delete the certificate after provisioning, the basic details like certificate creation date, expiry date, thumbprint information, etc. will be deleted, and it connects with the code as well. AFAIK, it's good to keep the certificate after provisioning. – Sampath Jul 20 '23 at 02:28
  • @Sampath for point 3, you mean the old certificate will work if, let's say, it's compromised and used by some other person to connect to IoT Hub. Is that the correct understanding? – iAviator Jul 20 '23 at 05:14
  • @Sampath for point 2, you said you have tested in C# and it works if I delete the .cer and .pem file, as the connection is done using the thumbprint. Is that the correct understanding? If yes, I was thinking of deleting those and decrypting the .pfx file again on demand when needed by Azure IoT Edge. – iAviator Jul 20 '23 at 05:16
  • Yes, the old one works with its expiry time until new provisioning is used with Azure IoT Hub, @iAviator. After new provisioning it will use the new thumbprint. – Sampath Jul 20 '23 at 05:23
  • Yes, the connection can be done by using a thumbprint. – Sampath Jul 20 '23 at 05:54
  • @Sampath for your reply on point 3: once the new cert is used, will the old cert overwrite the thumbprint of the new one in the cloud if provisioned? – iAviator Jul 20 '23 at 06:14
  • After provisioning to Azure IoT Hub / reconnecting with the new cert and key, we can use the new one only. – Sampath Jul 20 '23 at 06:15
  • OK, so that means DPS has a list of records of which cert is valid and which is not? – iAviator Jul 20 '23 at 06:16
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/254588/discussion-between-sampath-and-iaviator). – Sampath Jul 20 '23 at 06:20

1 Answer

  • Azure IoT accepts certificates as .pem or .cer files. We can convert a .pfx file to a .pem or .cer file.

To convert a certificate to CERT (DER-encoded .cer, public certificate only; the private key stays in the .pfx):

```powershell
# Load the certificate from the .pfx (prompts for the pfx password)
$cert = Get-PfxCertificate -FilePath "C:\Path\to\certificate.pfx"
$certFilePath = "C:\Path\to\certificate.cer"
Export-Certificate -Cert $cert -FilePath $certFilePath -Type CERT
```


  • We can use thumbprint authentication with Azure IoT Edge.

  • Sample code used for connecting to Azure IoT Edge with a thumbprint:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;

class Program
{
    static async Task Main(string[] args)
    {
        // Thumbprint of the device identity certificate installed in the user's certificate store
        var thumbprint = "F1B818DD16E92042022622AD6777E4030C207E59";

        // X.509 authentication for device "sam"; the cert (with its private key) is loaded by thumbprint
        var auth = new DeviceAuthenticationWithX509Certificate("sam", GetCertificateByThumbprint(thumbprint));

        var DClnt = DeviceClient.Create("sampath123.azure-devices.net", auth, TransportType.Mqtt);

        try
        {
            var msg = new Message(Encoding.ASCII.GetBytes("Test message"));
            await DClnt.SendEventAsync(msg);
            Console.WriteLine("Message sent successfully!");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Failed to send message: {ex.Message}");
        }
        finally
        {
            await DClnt.CloseAsync();
        }
    }

    // Looks up the certificate in the current user's "Personal" (My) store by thumbprint
    private static X509Certificate2 GetCertificateByThumbprint(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        store.Close();

        if (certCollection.Count == 0)
        {
            throw new Exception($"Certificate with thumbprint '{thumbprint}' not found.");
        }

        return certCollection[0];
    }
}
```

  • After provisioning to Azure IoT Hub (or reconnecting) with the new cert and key, we can use the new one only.


Monitoring in Azure: (screenshot not available)

Sampath
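An added example for the .pfx point on the Linux side, not code from the question or the answer. It assumes the openssl CLI is installed: it splits a password-protected .pfx into the separate PEM cert and PEM key that IoT Edge reads, creates them owner-only, refuses a key that does not belong to the cert, and prints the SHA-1 thumbprint in the form IoT Hub displays. The test identity it builds is constructed here (5-day validity, matching the rotation interval in the question).

```shell
#!/bin/sh
# Added example (not from the question or answer). Assumes the openssl CLI.
# Splits a .pfx into identity.cert.pem + identity.key.pem for IoT Edge,
# keeps both owner-only, verifies the pair, prints the IoT Hub thumbprint
# (SHA-1 of the certificate, uppercase hex, no colons).
set -eu

# pfx_to_pem <pfx> <pfx password> <output dir>
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  umask 077   # every file created from here on is readable by the owner only
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out/identity.cert.pem" 2>/dev/null \
    || { echo "cannot open $pfx (bad password or format)" >&2; return 1; }
  # -nodes writes the key unencrypted, which is why the umask above matters
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$out/identity.key.pem" 2>/dev/null || return 1
  # Refuse a cert/key pair whose public keys differ
  cert_pub=$(openssl x509 -in "$out/identity.cert.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$out/identity.key.pem" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -in "$out/identity.cert.pem" -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g'
}

# make_test_pfx <dir> <password>: constructed self-signed test identity
# (5-day validity, like the rotation interval in the question) packed as a .pfx
make_test_pfx() {
  dir=$1; pass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj "/CN=test-edge-device" \
    -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/test.key" -in "$dir/test.crt" \
    -out "$dir/test.pfx" -passout "pass:$pass"
}

# Run with "demo" as the first argument to see it end to end
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_pfx "$work" "s3cret"
  echo "thumbprint: $(pfx_to_pem "$work/test.pfx" "s3cret" "$work/out")"
  ls -l "$work/out"
fi
```

The printed thumbprint is the value to compare against the device's primary/secondary thumbprint in IoT Hub; the decrypted key file only ever exists with mode 600, and the .pfx password never lands on disk.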