
Azure IoT – Enrollment by X.509 Certificate

Enrolling with the Azure IoT Hub by X.509 certificate provides the base credentials for determining whether a device should be allowed to connect. It involves generation of keys and certificates that are then enrolled with the hub.

In this article, we demonstrate key/certificate generation through a C application supplied in the Azure IoT C SDK. We'll show you two different ways to enroll.

  • Individual

  • Group

The group method is likely the one you'll use in production, but you may want to use the individual method for testing.

Enrollment Models

Location

For a production device, there will be two possibilities for provisioning the device with keys and certificates.

On the factory floor. In one manufacturing scenario, key and certificate generation and management would be done on a secure system on the factory floor, using scripts and possibly a Hardware Security Module (HSM). This facility programs a device key into the ARTIK module Secure Storage and copies the corresponding certificate onto the board. This method allows the certificates to be "white listed" ahead of time.

In this scenario, no key generation software needs to be present on the module itself. A form of the C application code demonstrated here would be present on the factory floor equipment that pre-provisions the modules.

On the device. ARTIK modules provide a means of generating keys and certificates securely, making them ideal for such an application. No "white listing" is used; instead, an enrolled certificate can be revoked, and chip identifiers (such as the MAC address) can be recorded to block future connection attempts.

In this scenario, a form of the C application code demonstrated here would be installed on each module. At connect time, the module software generates the key and certificate at the moment they are needed, and the C application uses them to perform the enrollment.

Application

Because we need to install and use the SDK on your ARTIK board for other tutorials anyway, we can use that same board as a generic Linux environment to emulate the factory floor equipment. As a result, we will discuss just a single approach: generating all certificates from the ARTIK board demo application. Adjust the model as needed for your own manufacturing flow.

Installing C SDK

To enroll a device or group of devices that are to be authenticated using an X.509 certificate (refer to X.509 CA certificate security concepts), we make use of Azure’s sample certificate generator application included with the Azure IoT C SDK.

Prerequisites

Set up the Azure

  • IoT Hub
  • Device Provisioning Service

Refer to the introductory article for links and ARTIK-specific information.

Install dependencies

apt update
apt install git
apt install build-essential
apt install cmake
apt install uuid-dev
apt install libssl-dev
apt install curl libcurl4-openssl-dev

Clone the Azure IoT C SDK

git clone https://github.com/Azure/azure-iot-sdk-c.git --recursive

Build the C SDK

cd azure-iot-sdk-c
mkdir cmake
cd cmake
cmake -Duse_prov_client:BOOL=ON ..
make

Look for the dice_device_enrollment application under the directory

azure-iot-sdk-c/cmake/provisioning_client/tools/dice_device_enrollment

Hereafter, we'll refer to it simply as the "enrollment application".

Individual Enrollment

For individual enrollment, each of the devices is signed into a certificate chain of trust by the X.509 CA – in our demonstration case, the device itself acts as CA. Refer to the X.509 CA certificate security overview.

  1. Run the enrollment application and select Individual enrollment to obtain the device certificates (primary and secondary).

    ./dice_device_enrollment

    Would you like to do Individual (i) or Group (g) enrollments: i
    Device certificate:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    Press any key to continue:

  2. Copy the contents of each block, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive, and store them in files called certificate.pem (first block) and certificate_2.pem (second block).

  3. Enroll an IoT device.
    1. Select the “Device Provisioning Service” resource that you created earlier and choose “Manage enrollments”.
    2. Click on “Add individual enrollment”:
      • Choose the mechanism as “X.509”
      • Upload the device certificate
      • Type the device id for the new IoT device
      • Make sure that the DPS is linked to the right Azure IoT hub resource
      Then click “Save”.
    3. Under “Individual enrollment”, locate the REGISTRATION ID.
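
The copy-and-paste in step 2 is easy to get wrong (indentation carried over from the terminal, a missing END line), so here is an added POSIX shell helper, not part of the SDK or of this article, that splits a saved copy of the enrollment application's output into certificate.pem and certificate_2.pem and confirms that each file parses as X.509, printing the subject and SHA-256 fingerprint so you can record which certificate was uploaded. It assumes openssl is installed and that the output was saved to a file (enrollment.log is a constructed name).

```shell
#!/bin/sh
# Added example (not from the Azure SDK or the article).
# Usage:  ./dice_device_enrollment | tee enrollment.log
#         split_certs enrollment.log /path/to/outdir

# Write the N-th BEGIN/END CERTIFICATE block of file $1 to file $2,
# dropping any leading/trailing whitespace the terminal paste added.
extract_cert() {   # $1 = input log, $2 = output file, $3 = block index (1-based)
    awk -v want="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblk = (n == want) }
        inblk { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }
        /-----END CERTIFICATE-----/ { inblk = 0 }
    ' "$1" > "$2"
    # Fail if the requested block was missing or truncated.
    grep -q -- '-----END CERTIFICATE-----' "$2" || return 1
}

# Produce certificate.pem (primary) and certificate_2.pem (secondary) in $2
# and refuse to continue unless both are valid X.509 certificates.
split_certs() {    # $1 = input log, $2 = output directory
    extract_cert "$1" "$2/certificate.pem"   1 || return 1
    extract_cert "$1" "$2/certificate_2.pem" 2 || return 1
    for f in "$2/certificate.pem" "$2/certificate_2.pem"; do
        openssl x509 -in "$f" -noout -subject -fingerprint -sha256 || return 1
    done
}
```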

Group Enrollment

With group enrollment of a device type, all of the device entries are associated with a specific intermediate or root CA certificate. These entries control enrollments for all devices that have that intermediate or root certificate in their certificate chain.

  1. Run the enrollment application and select Group enrollment to obtain the root certificate.

    ./dice_device_enrollment

    Would you like to do Individual (i) or Group (g) enrollments: g

    root cert:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    Enter the Validation Code (Press enter when finished):

  2. Copy the contents from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” inclusive and store it in a file called root.pem.
  3. To generate the leaf device certificate, obtain the validation code for the root certificate from the Device Provisioning Service and enter it into the still-running enrollment application.
    1. Go to the Device Provisioning Service, choose “Certificates”, and click “Add”. Provide the Certificate Name as “root” and upload the root.pem file.
    2. On clicking “Save”, the status will be “Unverified”.
    3. The certificate needs to be verified. Click the certificate name and then click “Generate Verification code” to generate the validation code.

    4. Copy the code and enter it as the validation code in the enrollment application. Then copy the generated leaf certificate and save it in a file named leaf.pem.

      Enter the Validation Code (Press enter when finished): F7C61676413D37CC0B84872AC0AAD9DBBBC63946C4545ED4

      Leaf Certificate:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

      Press any key to continue:

  4. Upload the leaf.pem file under “Verification certificate” to change the status to “Verified”.
  5. Once the root certificate is verified, it needs to be added to an enrollment group in the Device Provisioning Service.
    1. Go to “Manage enrollments” and click on “Add Enrollment Group”.
    2. Provide a name for the group and select the verified certificate as the primary certificate. Click on “Save”.

Security Credentials

You can now click on the device created to gain access to the security credentials. Keep the key and connection strings available for reference so that you can install the credentials on your ARTIK board in the upcoming tutorial.
