I try to set an Azure DPS with the authentication type "x509 CA certificate". Everything works except the IoT hub shows devices provisioned with DPS as "X509 self-signed" instead of "Certificate Authority".

[screenshot]

With devices created directly on IoT Hub (NOT via DPS), the authentication type is set to Certificate Authority. This is the behavior I want to reproduce with devices created from DPS.

[screenshot]

My DPS enrollment group settings:

[screenshot]

For testing, I'm using the IoT-Sdk-CSharp and following this sample.

Do you know what I have to change in DPS for my devices to appear with the "Certificate Authority" authentication type?

Thank you for your help. Have a nice day.

  • Refer to this tutorial: Create a root certificate authority and use it to create subordinate CA and client certificates that you can use for testing purposes with [Azure IoT Hub](https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-overview#authenticate-devices-signed-with-x509-ca-certificates) – Sampath Aug 11 '23 at 04:48
  • Yes I followed all the steps, it works correctly with manually created devices on IoT Hub – Théo Brilland Aug 11 '23 at 06:56
  • AFAIK, we have to manually create – Sampath Aug 11 '23 at 06:59
  • Are you sure? Because in [this](https://github.com/Azure/azure-iot-sdk-csharp/tree/previews/v2/provisioning/device/samples/solutions/BestPracticeSampleX509) tutorial (only available in the C# SDK), they use DPS and a CA certificate – Théo Brilland Aug 11 '23 at 07:19
  • Refer to this Provision multiple X.509 devices using enrollment [groups](https://learn.microsoft.com/en-us/azure/iot-dps/tutorial-custom-hsm-enrollment-group-x509?tabs=linux&pivots=programming-language-csharp) – Sampath Aug 14 '23 at 07:15
  • Once you get a valid certificate from a trusted Certified Authority, the authentication for the devices will display as 'X509 CA Signed' instead of 'Self-Signed X509 Certificate'. Please refer this resource X.509 certificate [attestation](https://learn.microsoft.com/en-us/azure/iot-dps/concepts-x509-attestation) – Sampath Aug 14 '23 at 12:07
  • The provided script, X509DpsSetup.ps1, creates X.509 test certificates. They are provided for demonstration purposes only and MUST NOT be used for production. For a production environment, we recommend using X.509 certificate authority (CA) certificates and your own best practices for certificate lifetime management; see the [warning](https://github.com/Azure/azure-iot-sdk-csharp/tree/previews/v2/provisioning/device/samples/solutions/BestPracticeSampleX509#warning) – Sampath Aug 14 '23 at 22:25

1 Answer

The authentication for the devices will show as "X509 CA Signed" rather than "Self-Signed X509 Certificate" once you obtain a legitimate certificate from a reliable Certified Authority. Please refer to this resource: X.509 certificate attestation.

Or: we need to add the root CA certificate to the IoT Hub. You can add the root CA certificate by selecting + Add in the Certificates section of the IoT Hub and uploading the root CA certificate file. Make sure to select the box next to "Set certificate status to verified on upload". If you didn't choose to automatically verify the certificate during upload, you can manually prove possession by generating a verification code and creating a certificate that contains the verification code. You can then upload the verification certificate to your provisioning service in the Certificate Details dialog and select Verify.

  • Sample example: Provision X.509 devices to Azure IoT Hub using a DPS enrollment group. Used this link for az iot dps enrollment-group from the MS docs.

  • Replace your resourcegroupname, dpsname, enrollment_id and registration_id. It gives the derived-device-key, i.e. PROVISIONING_SYMMETRIC_KEY.

```shell
az iot dps enrollment-group compute-device-key -g {resourcegroupname} --dps-name {dpsname} --enrollment-id {enrollmentid} --registration-id {registrationid}
```

  • The above steps are for "Provision a simulated symmetric key device".

  • Code reference Provision multiple X.509 devices using enrollment groups


  • Refer to this for azure-docs/articles/iot-dps/tutorial-custom-hsm-enrollment-group-x509.md at main.
Sampath
  • Hello. Thank you for the answer. I've added and verified my certificates on the IoT Hub and DPS, but my device still appears self-signed (I'm not using X509 thumbprints). I think it's the same problem described [here](https://learn.microsoft.com/en-us/answers/questions/1132027/dps-enrollment-to-iothub-with-self-signed-vs-ca-ce). Maybe it's because my root CA is self-signed? Or a naming problem between DPS and IoT Hub? – Théo Brilland Aug 28 '23 at 08:08
  • @ThéoBrilland Yes, it is the same problem. He also said that once you get a valid certificate from a trusted Certified Authority, the authentication for the devices will display as 'X509 CA Signed' instead of 'Self-Signed X509 [Certificate](https://learn.microsoft.com/en-us/answers/questions/1132027/dps-enrollment-to-iothub-with-self-signed-vs-ca-ce)'. – Sampath Aug 28 '23 at 08:17
  • Ok perfect. Thank you very much ! – Théo Brilland Aug 28 '23 at 08:32
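The answer above describes the proof-of-possession flow in prose: upload a root CA, get a verification code, issue a certificate whose subject contains that code, upload it and select Verify; device leaf certificates are then issued under the same root with the registration ID as their CN. The script below is an added example (editor's code, not from the original post and not Azure's X509DpsSetup.ps1) that produces exactly those artefacts with openssl and checks the chain the way the service does. It assumes openssl 1.1.1 or later is on PATH; the verification code, the CA name and the device name "device01" are placeholders you replace with your own values. These are test certificates and must not be used in production.

```shell
#!/bin/sh
# Added example (not from the original post or Azure's samples): builds a
# test root CA to upload to IoT Hub / DPS, the proof-of-possession
# "verification certificate" whose subject CN is the code the portal
# generates, and a device leaf certificate whose CN is the DPS registration
# ID (which becomes the IoT Hub device ID), then checks the chain.
# Assumptions: openssl 1.1.1+ on PATH; VERIFICATION_CODE and all names are
# placeholders. Test certificates only, never for production.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Placeholder: paste the code from the Certificate Details dialog here.
VERIFICATION_CODE="${VERIFICATION_CODE:-REPLACE-WITH-CODE-FROM-PORTAL}"

# Minimal req config so the result does not depend on the system openssl.cnf.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root CA: this is the .pem you upload under Certificates and
# either mark "verified on upload" or prove possession for.
make_root_ca() {
  write_req_config
  openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=Test Root CA" \
    -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem"
}

# Issue an end-entity certificate signed by the root. $1 = file base name,
# $2 = subject CN. Used for the verification certificate (CN = code) and
# for device certificates (CN = registration ID).
issue_leaf() {
  name=$1; cn=$2
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$cn" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/$name.pem"
}

# Subject CN of a certificate (what DPS reads as the registration ID).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=//p'
}

# Does the certificate chain to our uploaded root? Exit status 0 = yes.
chains_to_root() {
  openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
}

# Hex thumbprint, the value IoT Hub wants only for a self-signed
# (thumbprint) device; a CA-signed device needs none.
thumbprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//; s/://g'
}

make_root_ca
issue_leaf verification "$VERIFICATION_CODE"   # upload this, then select Verify
issue_leaf device01 device01                    # registration ID / device ID
echo "root CA:      $WORK/root.pem"
echo "verification: CN=$(cert_cn "$WORK/verification.pem")"
echo "device01:     CN=$(cert_cn "$WORK/device01.pem")"
echo "device01 chains to root: $(chains_to_root "$WORK/device01.pem" && echo yes || echo no)"
```

Run it once with VERIFICATION_CODE set to the code the portal shows, upload root.pem as the CA and verification.pem as the proof of possession, and use device01.pem/device01.key on the device; the CN of the leaf must match the registration ID the enrollment group expects, and a leaf issued by any other CA (the last check in the test) is rejected by the chain check.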