
Generate production x509 certificate

Trying to implement TPM provisioning for edge devices through nodeJS: https://docs.microsoft.com/en-us/azure/iot-dps/quick-create-simulated-device-x509-node As mentioned there, I am able to generate a self-signed certificate for testing purposes. Please help me with how to generate and validate certificates for the production environment. I am not very clear terminology-wise and am looking for a starting point to do R&D.

Here is sample code for self-signed certificate validation, derived from the azure-iot-sdk Node.js samples.

var fs = require('fs');
// Module names follow the azure-iot-sdk-node provisioning samples.
var Transport = require('azure-iot-provisioning-device-mqtt').Mqtt;
var X509Security = require('azure-iot-security-x509').X509Security;
var ProvisioningDeviceClient = require('azure-iot-provisioning-device').ProvisioningDeviceClient;
var provisioningHost = process.env.PROVISIONING_HOST; // e.g. global.azure-devices-provisioning.net
var idScope = process.env.PROVISIONING_IDSCOPE;
var registrationId = process.env.PROVISIONING_REGISTRATION_ID;
// PEM device certificate and key; the certificate CN must equal registrationId.
var deviceCert = {
  cert: fs.readFileSync(process.env.CERTIFICATE_FILE).toString(),
  key: fs.readFileSync(process.env.KEY_FILE).toString()
};
var transport = new Transport();
var securityClient = new X509Security(registrationId, deviceCert);
var deviceClient = ProvisioningDeviceClient.create(provisioningHost, idScope, transport, securityClient);

If you look at the source to create_test_cert.js you'll see that the parameters from the tutorial you are using create a self-signed cert. Additionally, the code uses Math.random instead of crypto.randomXXX. This is a red flag for me, but it could be nothing. The article says, "Self-signed certificates are for testing only, and should not be used in production."

The topic of secure key management is too big to be covered in a Stack Overflow answer, but from a 50,000-foot view: you want to create a root CA. Most large companies keep these very secure on machines that are not connected to the network or in special hardware fobs. From there you create one or more intermediate certs. A common pattern is an intermediate cert off the root CA for each product, then an intermediate cert off the product cert for each factory that builds the devices. From there, device certs are created from the intermediate factory certs. This way, if a third-party factory is compromised you can revoke its cert and reissue without taking down the whole product or company.

The code for creating the root and intermediate certs is in the script. The only other thing you will want to do is use group enrollment to register the root CA or an intermediate CA with Device Provisioning Service. This way all device keys signed by a key that is registered, or that has a parent key registered with DPS, can be provisioned. The code for proof of possession needed for group enrollment is also in the script. I wrote a similar bash script a while back for the C version of the SDK that can be found here, in case that helps at all.
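A worked version of the hierarchy the answer describes (root CA, per-product CA, per-factory CA, device cert) together with the proof-of-possession step, added here as an example; it is not the script from the answer and not Azure SDK code. It assumes only the openssl command line. The directory, CA names, the registration ID device-0001 and the verification code 1A2B3C4D5E6F are constructed placeholders; in practice DPS displays the real verification code when you upload the CA certificate, and it requires the device certificate's CN to equal the registration ID.

```shell
#!/bin/sh
# Added example (not the answer's script and not Azure SDK code): build a
# root -> product -> factory -> device certificate hierarchy with openssl,
# verify the chain, and mint a DPS proof-of-possession certificate.
# All names, the registration ID and the verification code are constructed.
set -eu

# Extension profiles: CA certs may only sign certs/CRLs; device certs never may.
write_ext_profiles() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$1/ca.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature' 'extendedKeyUsage=clientAuth' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$1/leaf.ext"
}

# issue DIR NAME CN ISSUER PROFILE DAYS
# Creates DIR/NAME.key and DIR/NAME.pem (subject CN=CN) signed by
# DIR/ISSUER.{key,pem}; an empty ISSUER yields a self-signed root.
# The serial number comes from the CSPRNG (openssl rand), not a Math.random-style PRNG.
issue() {
  dir=$1; name=$2; cn=$3; issuer=$4; profile=$5; days=$6
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr"
  serial="0x$(openssl rand -hex 16)"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -extfile "$dir/$profile.ext" -set_serial "$serial" -days "$days" -out "$dir/$name.pem"
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
      -extfile "$dir/$profile.ext" -set_serial "$serial" -days "$days" -out "$dir/$name.pem"
  fi
}

# make_ca_hierarchy DIR REGISTRATION_ID
# The pattern from the answer: root CA -> per-product CA -> per-factory CA -> device cert.
# DPS requires the device certificate CN to equal the registration ID.
make_ca_hierarchy() {
  write_ext_profiles "$1"
  issue "$1" root    "Example Root CA"    ""      ca   3650
  issue "$1" product "Example Product CA" root    ca   1825
  issue "$1" factory "Example Factory CA" product ca   730
  issue "$1" device  "$2"                 factory leaf 365
  # Intermediates the device presents alongside its own cert during registration.
  cat "$1/product.pem" "$1/factory.pem" > "$1/intermediates.pem"
}

# verify_chain DIR LEAF: exit 0 only if LEAF chains to DIR/root.pem through the
# intermediates, which is the walk DPS performs for a group enrollment.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediates.pem" "$2"
}

# make_pop_cert DIR CA_NAME VERIFICATION_CODE
# DPS proves you control the enrolled CA's private key by asking for a short-lived
# certificate whose subject CN is the one-time verification code it displays.
make_pop_cert() {
  issue "$1" "pop-$2" "$3" "$2" leaf 1
}

# Subject in RFC 2253 form, e.g. "subject=CN=device-0001".
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

demo_dir=$(mktemp -d)
make_ca_hierarchy "$demo_dir" device-0001
verify_chain "$demo_dir" "$demo_dir/device.pem"    # exit 0: chain is valid
make_pop_cert "$demo_dir" factory 1A2B3C4D5E6F     # constructed verification code
cert_subject "$demo_dir/pop-factory.pem"           # subject=CN=1A2B3C4D5E6F
```

Upload root.pem (or product.pem / factory.pem, whichever level you enroll) as the group-enrollment CA and pop-<name>.pem as its verification certificate; the device then registers with device.pem plus intermediates.pem. Verifying against root.pem without the intermediates fails, which is why the device must send the intermediate certs with its own.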
