Versions Compared

Old Version 5

changes.mady.by.user Gill Houghton

Saved on

compared with

New Version 6

changes.mady.by.user Gill Houghton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Anchor
DeviceCert
DeviceCert
Generate Device Certificate

  1. Generate private key in PSCK8 format (device.key) for the device using the command below.

    Code Block
    openssl genrsa -out certs/device/device.key 4096


  2. Generate a Certificate Signing Request (CSR) for the device using the command below. This command generates a new CSR named "device.csr’ using the RSA private key "device.key".

    Code Block
    openssl req -new -key certs/device/device.key -out certs/device/device.csr


    Note
    There are a number of fields associated with the creation of the certificate. Fill them out with your relevant details.


    Code Block
    titleExample Device CSR Creation
    $ openssl req -new -key certs/device/device.key -out certs/device/device.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:KS
Locality Name (eg, city) []:Stilwell
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cirrus Link Solutions
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:Device01
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: $


    Note
    The Common Name or FQDN must match the name of the logical Device Id in IoT Hub. In our example the Device Id is Device01


  3. Sign the Device CSR with the Device CA using the command below. This command will sign the CSR "device.csr" with the Root CA certificate ‘ca.crt’ and Root CA's RSA private key ‘ca.key’, creating a new X.509 certificate named ‘device.crt’ valid for 365 days (1 year). You will be required to enter the passphrase associated with the private key file "ca.key".


    Code Block
    openssl x509 -req -in certs/device/device.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out certs/device/device.crt -days 365



Note

A unique client certificates will be required for each logical Device Id.

If you have multiple devices, you will need to expand your folder structure adding an appropriate folder for each device and run the Generate Client Certificate steps for each device amending the commands above appropriately. 

...