Versions Compared

Old Version 2

changes.mady.by.user Gill Houghton

Saved on

compared with

New Version Current

changes.mady.by.user Nathan Davenport

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Generating Certificates

See step-by-step instructions for generating certificates to be used for certificate based authentication here.

Add Root Certificate

The certificate-based authentication for Azure IoT works like this:

  • There will be a root certificate signed by a certificate authority.
  • The root certificate will be uploaded to the Azure IoT Hub.
  • For each IoT device we want to authenticate, we will create a separate client certificate, signed by the same certificate authority.
  • At the time of the authentication, our IoT device will present the client certificate as the proof of identity.
  • Azure IoT Hub will verify the identity based on the root certificate and the device name.

This document details how to create a certificate authority, a root certificate, and the client certificate(s).

Tip

The command line tools openssl and keytool are used.

Install the OpenSSL command line tool and add the OpenSSL PATH in the Windows environment variables if necessary.

Keytool is part of the standard java distribution and is located in the bin sub-directory of your jdk installation directory. Chariot includes a java distribution under the <chariot_install_dir>/lib/runtime/jdk11.0.12_7/bin folder. Add the keytool PATH in the Windows environment variables if necessary.

You will need to restart your any open command window to pick up this configuration change.

As a first step, we need to generate the certificate hierarchy. 

Create the following folder structure on your local drive to hold the various certificates in the hierarchy that we will be generating:

iotcerts/
├── ca/
└── certs/
    ├── device/

These are the steps that need to be completed for the certificate hierarchy:

  • Generate Root CA

  • Generate Client certificate signed with the Root CA’s private key

Create Root Certificate

Generate a private key file (ca.key) for the Root CA using the command below. You may choose to enter a passphrase to be associated with the ca.key file as well.

Tip
Make note of this passphrase if you set one for the Root CA private key file (ca.key) as it will be used multiple times.
Code Block
openssl genrsa -des3 -out ca/ca.key 4096

Generate a self-signed certificate (ca.crt) for the Root CA using the command below. This command generates a new self-signed X.509 certificate named "ca.crt" valid for 3650 days (10 years) using the RSA private key "ca.key". You will be required to enter the pass phrase associated with the private key file "ca.key". 

openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt

There are a number of fields associated with the creation of the certificate. Fill them out with your relevant details.
Example CA Creation

$ openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt
Enter pass phrase for ca/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:KS
Locality Name (eg, city) []:Stilwell
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cirrus Link Solutions
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:CLS Example Root CA  
Email Address []:
$

You should have the following files created: 

chariotcerts/
├── ca/
   ├── ca.crt
   ├── ca.key

...

Create Client (Device) Certificate

...

to IoT Hub

  • On the IoT Hub resource Overview page, click “Certificates” menu on the left blade, and click the “Add” button.

...

  • Image Added
  • Give a certificate

...

  • name (eg.

...

  • MyOrg RootCertificate) and import the

...

  • ca.pemfile from your iotcerts/ca folder. Check the “Set certificate status to verified on upload” checkbox and click Save.

...


  • Image Added

Add device certificates to Azure Injector IoT Hub configuration

Navigate to the Azure Injector > Settings > Azure IoT Hubs > Certificates and add the certificates as shown below:

Friendly NameCertificate FilenameFile DescriptionFile Location
CACertificate




DeviceCertificateCertDevice.pemDevice Certificateiotcerts/certs/device/CertDevice.pem
DeviceKeyCertDevice.keyDevice Private Keyiotcerts/certs/device/CertDevice.key

Image Added

Update the Azure Injector > Settings > Azure IoT Hubs > Settings configuration to use the certificates as shown below. Note : the certificates created do not use a Password

Image Added

Verify the connection is established as shown by the Status on the Azure Injector > Settings > Azure IoT Hubs view
Image Added

...

Click Save.

Create Logical Device myiotdevice1
On the resource Overview page, click “Devices” menu on the left blade, and click “Add Device” button.

...

In the “Create a device” page that appears, give myiotdevice1 as the Device Id.

Note
Note that this name must match the commonName/FQDN we used when generating the client (device) certificate above.

Select Authentication type X.509 CA Signed. Keep “Connect this device to an IoT Hub” as Enabled.

...