The certificate-based authentication for Azure IoT works like this:
This document details how to create the certificate authority, a root certificate, and a device certificate along with adding the required certificates to both the Azure IoT Hub and Azure Injector configurations.
You will also need the CA certificate that signed the SSL certificate being used on the Azure IoT Hub server to include in the Azure Injector configuration |
The command line tools openssl and keytool are used. Install the OpenSSL command line tool and add the OpenSSL PATH in the Windows environment variables if necessary. Keytool is part of the standard java distribution and is located in the bin sub-directory of your jdk installation directory. Add the keytool PATH in the Windows environment variables if necessary. You will need to restart any open command window to pick up this configuration change. |
As a first step, we need to generate the certificate hierarchy.
Create the following folder structure on your local drive to hold the various certificates in the hierarchy that we will be generating:
iotcerts/
├── ca/
└── certs/
├── device/
These are the steps that need to be completed for the certificate hierarchy:
Generate a private key file (ca.key) for the Root CA using the command below. You may choose to enter a passphrase to be associated with the ca.key file as well.
Make note of this passphrase if you set one for the Root CA private key file (ca.key) as it will be used multiple times. |
openssl genrsa -des3 -out ca/ca.key 4096 |
Generate a self-signed certificate (ca.crt) for the Root CA using the command below. This command generates a new self-signed X.509 certificate named "ca.crt" valid for 3650 days (10 years) using the RSA private key "ca.key". You will be required to enter the pass phrase associated with the private key file "ca.key".
openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt |
There are a number of fields associated with the creation of the certificate. Fill them out with your relevant details. |
$ openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt Enter pass phrase for ca/ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:KS Locality Name (eg, city) []:Stilwell Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cirrus Link Solutions Organizational Unit Name (eg, section) []:Support Common Name (e.g. server FQDN or YOUR name) []:CLS Example Root CA Email Address []: $ |
Azure will need the certificates in PEM format. Convert the CRT format to PEM format using the command below.
openssl x509 -in ca/ca.crt -out ca/ca.pem -outform PEM |
You should have the following files created:
iotcerts/
├── ca/
├── ca.crt
├── ca.pem
├── ca.key
Depending on the version of openSSL that you are using, you may see additional .srl files created which contain the signed certificate's unique serial number. These files are not used directly by the modules and not included in the certificate hierarchy displayed above. |
Generate private key in PSCK8 format (CertDevice.key) for the device using the command below.
openssl genrsa -out certs/device/CertDevice.key 4096 |
Generate a Certificate Signing Request (CSR) for the device using the command below. This command generates a new CSR named "CertDevice.csr’ using the RSA private key "CertDevice.key".
openssl req -new -key certs/device/CertDevice.key -out certs/device/CertDevice.csr |
There are a number of fields associated with the creation of the certificate. Fill them out with your relevant details. |
$ openssl req -new -key certs/device/CertDevice.key -out certs/device/CertDevice.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:KS Locality Name (eg, city) []:Stilwell Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cirrus Link Solutions Organizational Unit Name (eg, section) []:Support Common Name (e.g. server FQDN or YOUR name) []:Device01 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: $ |
The Common Name or FQDN must match the name of the logical Device Id in IoT Hub. In our example the Device Id is Device01 |
Sign the Device CSR with the Device CA using the command below. This command will sign the CSR "CertDevice.csr" with the Root CA certificate ‘ca.crt’ and Root CA's RSA private key ‘ca.key’, creating a new X.509 certificate named ‘CertDevice.crt’ valid for 365 days (1 year). You will be required to enter the passphrase associated with the private key file "ca.key".
openssl x509 -req -in certs/device/CertDevice.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out certs/device/CertDevice.crt -days 365 |
Azure will need the certificate in PEM format. Convert the CRT format to PEM format using the command below:
openssl x509 -in certs/device/CertDevice.crt -out certs/device/CertDevice.pem -outform PEM |
A unique client certificate will be required for each logical Device Id. If you have multiple devices, you will need to expand your folder structure adding an appropriate folder for each device and run the Generate Client Certificate steps for each device amending the commands above appropriately. |
You should now have the following files created:
iotcerts/
├── ca/
│ ├── ca.crt
│ ├── ca.pem
│ ├── ca.key
└── certs/
├── device/
├── CertDevice.crt
├── CertDevice.pem
├── CertDevice.csr
└── CertDevice.key
Navigate to the Azure Injector > Settings > Azure IoT Hubs > Certificates and add the certificates as shown below:
Friendly Name | Certificate Filename | File Description | File Location |
---|---|---|---|
CACertificate | The CA Certificate that signed the SSL cert being used on the IoTHub server | ||
DeviceCertificate | CertDevice.pem | Device Certificate | iotcerts/certs/device/CertDevice.pem |
DeviceKey | CertDevice.key | Device Private Key | iotcerts/certs/device/CertDevice.key |
Update the Azure Injector > Settings > Azure IoT Hubs > Settings configuration to use the certificates as shown below. Note : the certificates created do not use a Password
Verify the connection is established as shown by the Status on the Azure Injector > Settings > Azure IoT Hubs view