
X.509 client certificate TLS mutual authentication with Azure service

I am new to the TLS/HTTPS certificate process. Our use case is an embedded device (Yocto based) that needs to have a client certificate for mutual TLS authentication to access Azure services. The question is whether this authentication (TLS handshaking) logic is done in the TLS module of the Yocto recipe. We use REST APIs to access Azure services. Or does it need to be done manually because we don't use the Azure IoT Hub client APIs?

The 2nd question is how the purchased client certificate is written into the device. If it is done in the factory, how does the factory SW know where to write it? And if we want to rotate the certificate, there is no factory to use after the device is at the customer's site. What if we have a hardware security module (HSM); how do we roll the new cert? Can writing the certificate be done without factory SW?

I am new to the TLS/HTTPS certificate process. Our use case is an embedded device (Yocto based) that needs to have a client certificate for mutual TLS authentication to access Azure services. The question is whether this authentication (TLS handshaking) logic is done in the TLS module of the Yocto recipe. We use REST APIs to access Azure services. Or does it need to be done manually because we don't use the Azure IoT Hub client APIs?

Using the Azure SDK makes your life easier. If you are using the Azure REST APIs, the flow will be similar to Azure SDK usage, but this time you need to do the heavy lifting. There are APIs for each and every Azure service, and you need to go through the same authentication and registration flow through the REST APIs too. For example, here is the API to upload certificates to IoT Hub.

The 2nd question is how the purchased client certificate is written into the device. If it is done in the factory, how does the factory SW know where to write it?

Here is a link for rolling X.509 certificates in various scenarios. I hope this will answer some of your questions about rolling the certs.

You can install the certificate as part of your production process. The simplest approach is to install the certificate in the HSM at the same time that you flash the initial firmware image. Your process must add a step to install the image on each device. After this step, you can run final quality checks and any other steps before you package and ship the device. Refer to this link.

Below are some factors that decide where the certificate can be installed:

This depends on the type of device you're building, the expected device margins (whether you can afford secure storage), the device's capabilities, and existing security technology on the device that may be leveraged. Your options are:

  1. In a hardware security module (HSM) (recommended). Check whether your device's control board already has an HSM installed. I've talked to a couple of customers who were surprised to find they had an HSM already installed in their devices that they just weren't using. If you know you don't have an HSM, work with your hardware manufacturer to identify an HSM that meets your needs.
  2. In a secure place on disk such as a trusted execution environment (TEE).
  3. Local file system or cert store, e.g. the Windows certificate store.
  4. Other

And if we want to rotate the certificate, there is no factory to use after the device is at the customer's site.

It basically depends on how the certs were initially installed on the device; the same flow can be used to renew the certs and install them again. Check this link.
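Taken together, the two parts of the answer describe one procedure: issue a device certificate from a CA you control, install it at the factory, present it during the TLS handshake, and later re-run the same issuance flow to rotate it. Below is an added, self-contained example of that procedure; it is not code from the post, from Microsoft's documentation or from any Azure SDK. It uses the `openssl` command line, which is what a Yocto image typically ships, to play all three parties on one machine: a private device CA, the device, and a stand-in for the service. Everything in it is made up for the demo: the CA name, the device CN `device-0001`, the file names, the `pki.cnf` extension sections and the local port; the one real-world difference is that the device would trust the public root the Azure endpoint chains to rather than the demo CA. It also settles the first question: the mutual-authentication part of the handshake (the server's CertificateRequest, the client's Certificate and CertificateVerify, and the chain checks on both sides) is performed by the TLS library, here OpenSSL; the application only hands it the certificate, the key and the trust store. Requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the post): offline model of the device-side X.509
# lifecycle with the openssl CLI. All names, CNs, files and the port are
# invented for the demo.
set -eu

WORK="$(mktemp -d)"              # scratch dir; inspect the PEM files afterwards
cd "$WORK"
PORT=$((20000 + $$ % 20000))     # local port for the stand-in "service"

# Minimal config so nothing depends on the system openssl.cnf.
cat >pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_device]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

newkey() {  # P-256 key pair; on a real device this is generated inside the HSM/TEE
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# 1. The device CA: its certificate is what you register with the service.
#    The CA key never goes anywhere near a device.
make_ca() {
  newkey ca.key
  openssl req -x509 -new -key ca.key -config pki.cnf -extensions v3_ca \
    -subj "/CN=Example Device CA" -days 3650 -sha256 -out ca.crt
}

# 2. Issue a certificate from a CSR: the CA only ever sees the public key.
issue_cert() {  # $1 csr  $2 output cert  $3 extension section in pki.cnf
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile pki.cnf -extensions "$3" -out "$2" 2>/dev/null
}

# 3. Enrol a device identity. Key stays on the device, only a CSR leaves it.
#    Before installing, check that the returned cert (a) chains to OUR CA,
#    (b) is valid for client auth and (c) matches the key we hold.
#    Used once at the factory and again, unchanged, for every rotation.
enrol_device() {  # $1 device name (CN)
  newkey device.key.new
  openssl req -new -key device.key.new -config pki.cnf -subj "/CN=$1" -out device.csr
  issue_cert device.csr device.crt.new v3_device
  openssl verify -CAfile ca.crt -purpose sslclient device.crt.new >/dev/null
  [ "$(openssl x509 -in device.crt.new -pubkey -noout)" = \
    "$(openssl pkey -in device.key.new -pubout)" ]
  mv device.key.new device.key     # rename is atomic per file; to swap key and
  mv device.crt.new device.crt     # cert together, put both in a dir and swap a symlink
}

# 4. Stand-in service: a TLS server that REQUIRES a client cert chaining to
#    ca.crt (-Verify), serves one connection, then exits. Prints the client's
#    output followed by the server log so both sides' view can be checked.
connect_with() {  # $1 = extra s_client options (empty string = no client cert)
  openssl s_server -accept "$PORT" -naccept 1 -www \
    -cert server.crt -key server.key -CAfile ca.crt -Verify 2 >server.log 2>&1 &
  pid=$!
  sleep 1
  out="$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
    -CAfile ca.crt -verify_return_error $1 2>&1 || true)"
  kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
  printf '%s\n' "$out"; cat server.log
}
# The mutual handshake is done entirely by the TLS library; the "application"
# here only passes file names. Device verified the server, server verified the device:
mtls_accepted() { connect_with "-cert device.crt -key device.key" | grep -q "Verify return code: 0 (ok)"; }
# Same server, client presents nothing: the server aborts the handshake.
mtls_rejected_without_cert() { connect_with "" | grep -q "peer did not return a certificate"; }

make_ca
newkey server.key
openssl req -new -key server.key -config pki.cnf -subj "/CN=localhost" -out server.csr
issue_cert server.csr server.crt v3_server
enrol_device device-0001          # factory provisioning
mtls_accepted
mtls_rejected_without_cert
enrol_device device-0001          # in-field rotation: same flow, fresh key pair
mtls_accepted
echo "mTLS lifecycle demo OK (artifacts in $WORK)"
```

Run it as `sh mtls_lifecycle.sh`; under `set -e` it stops at the first step that fails, so a silent finish means every check passed. The rotation step is deliberately the same function as factory enrolment: the device generates a fresh key pair, sends only a CSR, validates what comes back against its own CA and its own key, and renames the files into place, so no factory tooling is needed in the field, only a reachable signing service. With an HSM the only change is that `newkey` and the `-key` arguments become a PKCS#11 key reference via the pkcs11 engine (OpenSSL 1.1) or provider (OpenSSL 3), so the private key is generated inside the module and never exists on disk; the CSR, signing and verification steps are unchanged. Re-issuing is not revoking: the previous certificate stays valid until it expires or the service is told to reject it, so keep its serial and revoke or deregister it once the swap has succeeded.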
