Versions Compared

Old Version 1

changes.mady.by.user Nathan Davenport

Saved on

compared with

New Version Current

changes.mady.by.user Nathan Davenport

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The certificate-based authentication for Azure IoT Hub works like this:

  • A root certificate used to sign device certificates will be created and added into Azure IoTHubIoT Hub.
  • For each IoT device we want to authenticate, we will create a separate client certificate, signed by the same certificate authority.
  • At the time of the authentication, our IoT device will present the client certificate as the proof of identity.
  • Azure IoT Hub will verify the identity based on the root certificate and the device name.


The certificate-based authentication for Azure Event Hub works like this:

  • For each IoT device we want to authenticate, we will create a separate client certificate, signed by the same certificate authority.
  • Each IoT device certificate will be added to an Azure Service Principal (via an Application Registration).
  • At the time of the authentication, our IoT device will present the client certificate as the proof of identity.
  • Azure IoT Event Hub will verify the identity based on the device certificate and the device private key.


This document details how to create the certificate authority, a root certificate, and a device certificate along with adding the required certificates to both the Azure IoT Hub and Azure Injector configurations.

Table of Contents


Tip

The command line tools openssl and keytool are used.

Install the OpenSSL command line tool and add the OpenSSL PATH in the Windows environment variables if necessary.

Keytool is part of the standard java distribution and is located in the bin sub-directory of your jdk installation directory. Add the keytool PATH in the Windows environment variables if necessary.

You will need to restart any open command window to pick up this configuration change.

...

  1. Generate private key in PSCK8 format (CertDevice.key) for the device using the command below.

    Code Block
    openssl genrsa -out certs/device/CertDevice.key 4096


  2. Generate a Certificate Signing Request (CSR) for the device using the command below. This command generates a new CSR named "CertDevice.csr’ using the RSA private key "CertDevice.key".

    Code Block
    openssl req -new -key certs/device/CertDevice.key -out certs/device/CertDevice.csr


    Note
    There are a number of fields associated with the creation of the certificate. Fill them out with your relevant details.


    Code Block
    titleExample Device CSR Creation
    $ openssl req -new -key certs/device/CertDevice.key -out certs/device/CertDevice.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:KS
Locality Name (eg, city) []:Stilwell
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cirrus Link Solutions
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:Device01
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: $


    Warning
    The

    If generating certificates for Azure IoT Hub use, the Common Name or FQDN must match the name of the logical Device Id in IoT Hub. In our example the Device Id is Device01. This is not a requirement if generating certificates for Azure Event Hub use.


  3. Sign the Device CSR with the Device CA using the command below. This command will sign the CSR "CertDevice.csr" with the Root CA certificate ‘ca.crt’ and Root CA's RSA private key ‘ca.key’, creating a new X.509 certificate named ‘CertDevice.crt’ valid for 365 days (1 year). You will be required to enter the passphrase associated with the private key file "ca.key".

    Code Block
    openssl x509 -req -in certs/device/CertDevice.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out certs/device/CertDevice.crt -days 365


  4. Azure will need the certificate in PEM format. Convert the CRT format to PEM format using the command below:

    Code Block
    openssl x509 -in certs/device/CertDevice.crt -out certs/device/CertDevice.pem -outform PEM


...

iotcerts/
├── ca/
│   ├── ca.crt
│   ├── ca.pem
│   ├── ca.key
└── certs/
    ├── device/
       ├── CertDevice.crt
       ├── CertDevice.pem
       ├── CertDevice.csr
       └── CertDevice.key

Add Root Certificate to IoT Hub

  • On the IoT Hub resource Overview page, click “Certificates” menu on the left blade, and click the “Add” button.Image Removed
  • Give a certificate name (eg. MyOrg RootCertificate) and import the ca.pem file from your iotcerts/ca folder. Check the “Set certificate status to verified on upload” checkbox and click Save.
    Image Removed

Add device certificates to Azure Injector IoT Hub configuration

Navigate to the Azure Injector > Settings > Azure IoT Hubs > Certificates and add the certificates as shown below:

...

Image Removed

Update the Azure Injector > Settings > Azure IoT Hubs > Settings configuration to use the certificates as shown below. Note : the certificates created do not use a Password

Image Removed

...