
Azure IoT Hub Certificate

I'm trying to publish some data on the Azure IoT hub using MQTT. I've successfully published some data, using a SAS token.

But my customer wants an X.509 self-generated and self-signed certificate. Azure supports this, but doesn't give much information about it. (https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#supported-x509-certificates)

A self-generated and self-signed X-509 certificate. A device manufacturer or in-house deployer can generate these certificates and store the corresponding private key (and certificate) on the device. You can use tools such as OpenSSL and Windows SelfSignedCertificate utility for this purpose.

Note IoT Hub does not require or store the entire X.509 certificate, only the thumbprint.

What I've done is created a CA certificate and key.

$ openssl req -newkey rsa:2048 -x509 -nodes -sha256 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt

Created a client key and signing request

$ openssl genrsa -out client.key 2048

$ openssl req -new -sha256 -out client.csr -key client.key

Signed the request and created the certificate

$ openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.srl -out client.crt -days 365

I've uploaded the client key and certificate to the modem. And inserted the thumbprint of the client certificate.

My modem can successfully connect to myhub.azure-devices.net/deviceId (port 8883). But when new data arrives it can't decode it.

I'm kinda stuck from this point on. I've tried to use MqttFx, but with no luck.

Can someone push me in the right direction here?

I've fixed this problem:

The configured CA certificate must be the Azure certificate: CA Root Certificate Azure SDK. I've used the Baltimore root certificate.

The client certificate and key are correct. The SHA1 thumbprint of the client certificate must be communicated to the Azure IoT hub.

I've used Paho as MQTT client.

Finally I've had a modem error on connecting to the server. The time inside the modem was still at default (1-1-2004) apparently, and the modem checks the time of the certificate with the current time (1-1-2004), which was invalid, so no connection could be made.
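Added example, not part of the original answer: a Python pre-flight check for the two failure points described above, a thumbprint that does not match the one registered in IoT Hub and a device clock outside the certificate's validity window. The function names, the sample `openssl x509 -noout -dates -fingerprint -sha1` output and the registered thumbprint are constructed for illustration.

```python
import hashlib
import ssl
from datetime import datetime, timezone

def thumbprint_from_pem(pem: str) -> str:
    """SHA-1 over the DER encoding of the certificate, as colon-free uppercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha1(der).hexdigest().upper()

def parse_openssl_summary(text: str) -> dict:
    """Parse the output of `openssl x509 -noout -dates -fingerprint -sha1`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return {
        # openssl prints AA:BB:...; strip the colons before comparing
        "thumbprint": fields["sha1 fingerprint"].replace(":", "").upper(),
        "not_before": ssl.cert_time_to_seconds(fields["notbefore"]),
        "not_after": ssl.cert_time_to_seconds(fields["notafter"]),
    }

def check_device(summary: dict, registered_thumbprint: str, device_clock: datetime) -> list:
    """Return the problems that would make the certificate login fail."""
    problems = []
    if summary["thumbprint"] != registered_thumbprint.replace(":", "").upper():
        problems.append("thumbprint mismatch")
    now = device_clock.timestamp()
    if now < summary["not_before"]:
        problems.append("clock before notBefore")
    elif now > summary["not_after"]:
        problems.append("clock after notAfter")
    return problems

# Constructed sample output; dates and fingerprint are not from a real certificate.
SAMPLE = """\
notBefore=Mar  1 10:00:00 2018 GMT
notAfter=Mar  1 10:00:00 2019 GMT
SHA1 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
"""
REGISTERED = "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"  # constructed value

if __name__ == "__main__":
    summary = parse_openssl_summary(SAMPLE)
    # A modem still at its default date rejects the certificate as not yet valid.
    print(check_device(summary, REGISTERED, datetime(2004, 1, 1, tzinfo=timezone.utc)))
    print(check_device(summary, REGISTERED, datetime(2018, 6, 1, tzinfo=timezone.utc)))
```
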

For those of you wanting to use the Azure IoT C# SDK, I've created a C#-based code sample that shows you how to associate OpenSSL self-signed and self-generated X509 certs with a device registered in Azure IoT Hub, and then use the certs (primary or secondary) in subsequent runtime operations - specifically sending a telemetry message.

You can choose to use either MQTT or HTTPS as your transport layer.

https://github.com/tamhinsf/SimpleAzureIoTCerts/
