Implementing chain of trust in Device Provisioning Service

Lukas 6 Reputation points
2022-09-02T11:55:25.58+00:00

Hi,

I'm currently looking into implementing a chain of trust in DPS. I want to investigate how to block all certificates below a certain certificate.

I created the following chain:

Root CA -> Intermediate 1 -> Intermediate 2 -> leaf (device).

I uploaded and verified the Root CA in DPS and created enrollments for the root, Intermediate 1 and Intermediate 2. I uploaded the intermediates when creating the enrollments. My device registers itself with a leaf of Intermediate 2 and provides the full chain of trust. It registers just fine when the enrollment for Intermediate 2 is allowed, and it is blocked when Intermediate 2 is disabled. It also registers just fine when I delete the enrollment for Intermediate 2; it uses the device twin state of enrollment 1 at that point. I delete the record in the IoT Hub in between each attempt.

My question arises when I enable the enrollment for intermediate 2 but disable the enrollment for intermediate 1. I expect the DPS to look for the known certificates in the chain and block if the certificate of a device is 'below' a disabled enrollment, but the device will still be provisioned in my case:

Root CA -> Intermediate 1 -> device (with leaf of intermediate 2) is provisioned.
Root CA -> Intermediate 1 -> Intermediate 2 (DISABLED) -> device is not provisioned.
Root CA -> Intermediate 1 (DISABLED) -> Intermediate 2 -> device is provisioned.

Is this expected behavior or am I missing something?

Azure IoT Hub

1 answer

  1. QuantumCache 20,031 Reputation points
    2022-09-03T01:26:42.517+00:00

    Hello @Lukas, thanks for posting this query on this forum.

    Please refer to the documents below, and do let us know if you have further queries; we would be happy to help with Azure IoT devices and X.509 certificates.

    If you delete an enrollment group for a certificate, devices that have the certificate in their certificate chain might still be able to enroll if an enabled enrollment group for the root certificate or another intermediate certificate higher up in their certificate chain exists.

    Select Disable on the Enable entry switch, and then select Save.

    Select Delete at the top of the window, and then select Yes to confirm that you want to remove the enrollment group.

    Disallow devices by using an individual enrollment entry

    Disallow an X.509 intermediate or root CA certificate by using an enrollment group
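The following is an added example, not code from the original thread or from Azure DPS: a small model of the enrollment-entry resolution that the question's three cases and the answer's quoted documentation describe. It assumes DPS walks the presented chain from the leaf upward and that the nearest certificate with an enrollment entry (individual or group) decides the outcome, so a disabled entry higher up is not enforced when an enabled entry sits below it; the `disable_subtree` helper shows the resulting mitigation, which is to disable every entry at and below the CA you want to cut off.

```python
# Added example (not from the thread or from Azure DPS). Assumption: DPS walks the
# chain leaf-first and the NEAREST cert with an enrollment entry decides the outcome.
from dataclasses import dataclass

@dataclass
class Enrollment:
    enabled: bool = True

CHAIN = ["device", "Intermediate 2", "Intermediate 1", "Root CA"]  # constructed, leaf first

def resolve(chain, enrollments):
    """Return (decision, deciding_cert) for a device presenting `chain`."""
    for cert in chain:
        entry = enrollments.get(cert)
        if entry is not None:
            return ("provisioned" if entry.enabled else "blocked", cert)
    return ("rejected", None)  # no enrollment entry anywhere in the chain

def unenforced_blocks(chain, enrollments):
    """Defender check: disabled entries ABOVE an enabled deciding entry are ignored."""
    decision, deciding = resolve(chain, enrollments)
    if decision != "provisioned":
        return []
    higher = chain[chain.index(deciding) + 1:]
    return [c for c in higher if c in enrollments and not enrollments[c].enabled]

def disable_subtree(chain, enrollments, ca):
    """Mitigation: to cut off everything under `ca`, disable `ca` and every entry below it."""
    for cert in chain[: chain.index(ca) + 1]:
        if cert in enrollments:
            enrollments[cert].enabled = False
    return enrollments

def scenarios():
    """The three cases from the question, device -> Int2 -> Int1 -> Root."""
    deleted_int2 = {"Root CA": Enrollment(), "Intermediate 1": Enrollment()}
    int2_off = {"Root CA": Enrollment(), "Intermediate 1": Enrollment(), "Intermediate 2": Enrollment(False)}
    int1_off = {"Root CA": Enrollment(), "Intermediate 1": Enrollment(False), "Intermediate 2": Enrollment()}
    return {
        "int2_deleted": resolve(CHAIN, deleted_int2),
        "int2_disabled": resolve(CHAIN, int2_off),
        "int1_disabled": resolve(CHAIN, int1_off),
        "int1_unenforced": unenforced_blocks(CHAIN, int1_off),
        "after_fix": resolve(CHAIN, disable_subtree(CHAIN, int1_off, "Intermediate 1")),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```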