
Proper configuration of Azure IoT Hub DPS group enrollment with x509

I have a question about properly configuring certificates in Azure's IoT Hub. I want to use the Device Provisioning Service with group enrollment. My goal is to reach the following scenario: use a CA root cert to generate some intermediate cert, then use this intermediate cert to sign the device's cert. So, after reading the documentation, what I understand is the following steps:

  1. Upload CA root certificate:


  2. Upload intermediate certificate in group enrollment configuration:


  3. Use device's cert in Java code to provision.

And this only works when I pass my intermediate cert in the device's code (regardless of whether I choose the CA or the intermediate certificate in step 2):

```java
import java.util.Collection;
import java.util.LinkedList;
// Signer certificates (PEM strings) the device presents alongside its own leaf cert
private static final Collection<String> INTERMEDIATE_CERTS = new LinkedList<>();
...
// privateCert is the leaf certificate PEM, privateKey its private key PEM
SecurityProvider securityProviderX509 = new SecurityProviderX509Cert(privateCert, privateKey, INTERMEDIATE_CERTS);
provisioningDeviceClient = ProvisioningDeviceClient.create(globalEndpoint, idScope, PROVISIONING_DEVICE_CLIENT_TRANSPORT_PROTOCOL, securityProviderX509);
```

This code is from Azure's GitHub samples. What is the purpose of using the intermediate certificate in the device's code? Shouldn't it be validated based on the chain of intermediate and root CA certs uploaded to Azure in the previous steps?

When you upload an intermediate certificate, the ONLY thing that is uploaded is the cert itself, not the entire chain from root to intermediate. The only thing that intermediate cert has is information about the cert that signed it, nothing more. There can be multiple intermediates in a chain, and we cannot make any assumptions about the intermediate chain when evaluating the device's cert chain.

The device needs to present its entire certificate chain for DPS to provision the device successfully. Without a full chain, it is impossible to determine whether or not a verified certificate is in the device's chain of trust.

We recommend using an intermediate cert to sign the device because the security best practice is for roots to be kept offline.
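To make the answer concrete, here is an added example (not from the original post or the Azure SDK samples) that loads the device's leaf certificate, its intermediate and the root, validates the leaf-to-intermediate chain locally against the root, and only then builds the SecurityProviderX509Cert with the intermediate as the signer chain the device will present. The file names and helper methods are assumptions for this example.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;
import com.microsoft.azure.sdk.iot.provisioning.security.SecurityProvider;
import com.microsoft.azure.sdk.iot.provisioning.security.hsm.SecurityProviderX509Cert;

public class DeviceChainCheck {
    // File names are assumptions for this example.
    static final String DEVICE_CERT_PEM = "device-cert.pem";
    static final String DEVICE_KEY_PEM = "device-key.pem";
    static final String INTERMEDIATE_PEM = "intermediate-cert.pem";
    static final String ROOT_PEM = "root-ca.pem";
    static String readPem(String path) throws Exception {
        return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
    }

    static X509Certificate loadCert(String path) throws Exception {
        try (java.io.InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Build and validate leaf -> intermediate(s) against the root locally. This is the chain DPS
    // must reconstruct from what the device presents; the uploaded intermediate alone carries none.
    static void validateChain(X509Certificate leaf, List<X509Certificate> intermediates,
                              X509Certificate root) throws Exception {
        List<X509Certificate> path = new ArrayList<>(); // order: leaf first, then up toward the root
        path.add(leaf);
        path.addAll(intermediates);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // private PKI with no CRL/OCSP published in this example
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on a broken chain
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = loadCert(DEVICE_CERT_PEM);
        X509Certificate intermediate = loadCert(INTERMEDIATE_PEM);
        validateChain(leaf, Collections.singletonList(intermediate), loadCert(ROOT_PEM));
        // Same constructor as the sample: leaf cert PEM, leaf key PEM, then every signer up to
        // (but not including) the root, so DPS receives the full chain.
        Collection<String> signers = Collections.singletonList(readPem(INTERMEDIATE_PEM));
        SecurityProvider provider = new SecurityProviderX509Cert(
                readPem(DEVICE_CERT_PEM), readPem(DEVICE_KEY_PEM), signers);
        // provider is then passed to ProvisioningDeviceClient.create(...) as in the question.
    }
}
```

Running the local validation first turns a misordered or incomplete chain into a clear exception on the device instead of an unexplained provisioning failure from DPS.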
