How to use X.509 certificates over HTTPS without an SDK
Artikel
In this how-to article, you'll provision a device using x.509 certificates over HTTPS without using an Azure IoT DPS device SDK. Most languages provide libraries to send HTTP requests, but, rather than focus on a specific language, in this article, you'll use the cURL command-line tool to send and receive over HTTPS.
You can follow the steps in this article on either a Linux or a Windows machine. If you're running on Windows Subsystem for Linux (WSL) or running on a Linux machine, you can enter all commands on your local system in a Bash prompt. If you're running on Windows, enter all commands on your local system in a GitBash prompt.
There are multiple paths through this article depending on the type of enrollment entry and X.509 certificate(s) you choose to use. After installing the prerequisites, be sure to read the Overview before proceeding.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Make sure you have Python 3.7 or later installed on your machine. You can check your version of Python by running python --version or python3 --version.
If you're running in Windows, install the latest version of Git. Make sure that Git is added to the environment variables accessible to the command window. See Software Freedom Conservancy's Git client tools for the latest version of git tools to install, which includes Git Bash, the command-line app that you can use to interact with your local Git repository. On Windows, you'll enter all commands on your local system in a GitBash prompt.
Azure CLI. You have two options for running Azure CLI commands in this article:
Use the Azure Cloud Shell, an interactive shell that runs CLI commands in your browser. This option is recommended because you don't need to install anything. If you're using Cloud Shell for the first time, sign in to the Azure portal. Follow the steps in Cloud Shell quickstart to Start Cloud Shell and Select the Bash environment.
Optionally, run Azure CLI on your local machine. If Azure CLI is already installed, run az upgrade to upgrade the CLI and extensions to the current version. To install Azure CLI, see Install Azure CLI.
If you're running in a Linux or a WSL environment, open a Bash prompt to run commands locally. If you're running in a Windows environment, open a GitBash prompt.
Overview
There are three scenarios covered in this article and the initial steps you'll perform will be different for each. If you want to:
Provision through an individual enrollment using a self-signed certificate, follow the steps in these sections:
For this article, you'll use an X.509 certificate to authenticate with DPS using either an individual enrollment or an enrollment group.
If you're using an individual enrollment, you can use a self-signed X.509 certificate or a certificate chain composed of the device certificate plus one or more signing certificates. If you're using an enrollment group, you must use a certificate chain.
Vigtigt
For X.509 enrollment authentication, the subject common name (CN) of the device certificate is used as the registration ID for the device. The registration ID is a case-insensitive string of alphanumeric characters plus the special characters: '-', '.', '_', ':'. The last character must be alphanumeric or dash ('-'). DPS supports registration IDs up to 128 characters long; however, the subject common name of an X.509 certificate is limited to 64 characters. If you change the subject common name for your device certificate in the following steps, make sure it adheres to this format.
Use a self-signed certificate
To create a self-signed certificate to use with an individual enrollment, navigate to a directory where you want to create your certificate and follow these steps:
When asked to Enter PEM pass phrase:, use the pass phrase 1234.
When asked Verifying - Enter PEM pass phrase:, use the pass phrase 1234 again.
A public key certificate file (device-cert.pem) and private key file (device-key.pem) should now be generated in the directory where you ran the openssl command.
The certificate file has its subject common name (CN) set to my-x509-device.
The private key file is protected by the pass phrase: 1234.
The certificate file is Base64 encoded. To view the subject common name (CN) and other properties of the certificate file, enter the following command:
If you're using an enrollment group, you must authenticate with a certificate chain. With an individual enrollment, you can use a certificate chain or a self-signed certificate.
To create a certificate chain, follow the instructions in Create an X.509 certificate chain. You only need one device for this article, so you can stop after creating the private key and certificate chain for the first device.
When you're finished, you should have the following files:
Certificate
File
Description
root CA certificate.
certs/azure-iot-test-only.root.ca.cert.pem
Will be uploaded to DPS and verified.
intermediate CA certificate
certs/azure-iot-test-only.intermediate.cert.pem
Will be used to create an enrollment group in DPS.
device-01 private key
private/device-01.key.pem
Used by the device to verify ownership of the device certificate during authentication with DPS.
device-01 certificate
certs/device-01.cert.pem
Used to create individual enrollment entry with DPS.
device-01 full chain certificate
certs/device-01-full-chain.cert.pem
Presented by the device to authenticate and register with DPS.
The following command creates an individual enrollment entry with the default allocation policy for your DPS instance using the device certificate you specify.
az iot dps enrollment create -g {resource_group_name} --dps-name {dps_name} --enrollment-id {enrollment_id} --attestation-type x509 --certificate-path {path to your certificate}
Substitute the name of your resource group and DPS instance.
The enrollment ID is the registration ID for your device and, for X.509 enrollments, must match the subject common name (CN) of the device certificate.
If you followed the instructions in Use a certificate chain, the filename is certs/device-01.cert.pem.
Bemærk
If you're using Cloud Shell to run Azure CLI commands, you can use the upload button to upload your certificate file to your cloud drive before you run the command.
Substitute the name of your resource group and DPS instance.
The enrollment ID is a case-insensitive string of alphanumeric characters plus the special characters: '-', '.', '_', ':'. The last character must be alphanumeric or dash ('-'). It can be any name you choose to use for the enrollment group.
The certificate path is the path to your intermediate certificate. If you followed the instructions in Use a certificate chain, the filename is certs/azure-iot-test-only.intermediate.cert.pem.
Bemærk
If you're using Cloud Shell to run Azure CLI commands, you can use the upload button to upload your certificate file to your cloud drive before you run the command.
Bemærk
If you prefer, you can create an enrollment group based on a signing certificate that has been previously uploaded and verified with DPS (see next section). To do so, you specify the certificate name with the --ca-name and omit the --certificate-path parameter in the az iot dps enrollment-group create command.
Upload and verify a signing certificate
If you're using a certificate chain for either an individual enrollment or an enrollment group, you must upload and verify at least one certificate in the device certificate's signing chain to DPS.
For an individual enrollment, this can be any signing certificate in the device's certificate chain.
For an enrollment group, this can be the certificate set on the enrollment group or any certificate in its signing chain up to and including the root CA certificate.
Substitute the name of your resource group and DPS instance.
The certificate path is the path to your signing certificate. For this article, we recommend you upload the root CA certificate. If you followed the instructions in Use a certificate chain, the filename is certs/azure-iot-test-only.root.ca.cert.pem.
The certificate name can contain only alphanumeric characters or the following special characters: -._. No whitespace is permitted. For example, "azure-iot-test-only-root".
Bemærk
If you're using Cloud Shell to run Azure CLI commands, you can use the upload button to upload your certificate file to your cloud drive before you run the command.
Bemærk
The steps in this section automatically verified the certificate on upload. You can also do manual verification of the certificate. To learn more, see Manual verification of intermediate or root CA.
Register your device
You call the Register Device REST API to provision your device through DPS.
–i tells curl to include protocol headers in output. These headers aren't strictly necessary, but they can be useful.
-X PUT tells curl that this is an HTTP PUT command. Required for this API call.
--cert [path_to_your_device_cert] tells curl where to find your device's X.509 certificate. If your device private key is protected by a pass phrase, you can add the pass phrase after the certificate path preceded by a colon, for example: --cert my-device.pem:1234.
If you're using a self-signed certificate, your device certificate file will only contain a single X.509 certificate. If you followed the instructions in Use a self-signed-certificate, the filename is device-cert.pem and the private key pass phrase is 1234, so use --cert device-cert.pem:1234.
If you're using a certificate chain, for example, when authenticating through an enrollment group, your device certificate file must contain a valid certificate chain. The certificate chain must include the device certificate and any signing certificates up to and including a verified certificate. If you followed the instructions in Use a certificate chain to create the certificate chain, the filepath is certs/device-01-full-chain.cert.pem, so use --cert certs/device-01-full-chain.cert.pem.
--key [path_to_your_device_private_key] tells curl where to find your device's private key.
If you followed the instructions in Use a self-signed-certificate, the filename is device-key.pem, so use --key device-cert.pem:1234.
If you followed the instructions in Use a certificate chain, the key path is certs/device-01-full-chain.cert.pem, so use --cert certs/device-01-full-chain.cert.pem.
-H 'Content-Type: application/json' tells DPS we're posting JSON content and must be 'application/json'
-H 'Content-Encoding: utf-8' tells DPS the encoding we're using for our message body. Set to the proper value for your OS/client; however, it's generally utf-8.
-d '{"registrationId": "[registration_id]"}', the –d parameter is the 'data' or body of the message we're posting. It must be JSON, in the form of '{"registrationId":"[registration_id"}'. Note that for curl, it's wrapped in single quotes; otherwise, you need to escape the double quotes in the JSON. For X.509 enrollment, the registration ID is the subject common name (CN) of your device certificate.
Finally, the last parameter is the URL to post to. For "regular" (i.e not on-premises) DPS, the global DPS endpoint, global.azure-devices-provisioning.net is used: https://global.azure-devices-provisioning.net/[dps_id_scope]/registrations/[registration_id]/register?api-version=2019-03-31. Note that you have to replace [dps_scope_id] and [registration_id] with the appropriate values.
The response contains an operation ID and a status. In this case, the status is set to assigning. DPS enrollment is, potentially, a long-running operation, so it's done asynchronously. Typically, you'll poll for status using the Operation Status Lookup REST API to determine when your device has been assigned or whether a failure has occurred.
The valid status values for DPS are:
assigned: the return value from the status call will indicate what IoT Hub the device was assigned to.
assigning: the operation is still running.
disabled: the enrollment record is disabled in DPS, so the device can't be assigned.
failed: the assignment failed. There will be an errorCode and errorMessage returned in an registrationState record in the response to indicate what failed.
unassigned
To call the Operation Status Lookup API, use the following curl command:
You'll use the same ID scope, registration ID, and certificate and key as you did in the Register Device request. Use the operation ID that was returned in the Register Device response.
For example, the following command is for the self-signed certificate created in Use a self-signed certificate. (You need to modify the ID scope and operation ID.)
The following output shows the response for a device that has been successfully assigned. Notice that the status property is assigned and that the registrationState.assignedHub property is set to the IoT hub where the device was provisioned.
-X POST tells curl that this is an HTTP POST command. Required for this API call.
--cert [path_to_your_device_cert] tells curl where to find your device's X.509 certificate. If your device private key is protected by a pass phrase, you can add the pass phrase after the certificate path preceded by a colon, for example: --cert my-device.pem:1234.
If you're using a self-signed certificate, your device certificate file will only contain a single X.509 certificate. If you followed the instructions in Use a self-signed-certificate, the filename is device-cert.pem and the private key pass phrase is 1234, so use --cert device-cert.pem:1234.
If you're using a certificate chain, your device certificate file must contain a valid certificate chain. If you followed the instructions in Use a certificate chain to create the certificate chain, the filepath is certs/device-01-full-chain.cert.pem, so use --cert certs/device-01-full-chain.cert.pem.
--key [path_to_your_device_private_key] tells curl where to find your device's private key.
If you followed the instructions in Use a self-signed-certificate, the filename is device-key.pem, so use --key device-cert.pem:1234.
If you followed the instructions in Use a certificate chain, the key path is certs/device-01-full-chain.cert.pem, so use --cert certs/device-01-full-chain.cert.pem.
-H 'Content-Type: application/json' tells IoT Hub we're posting JSON content and must be 'application/json'.
-H 'Content-Encoding: utf-8' tells IoT Hub the encoding we're using for our message body. Set to the proper value for your OS/client; however, it's generally utf-8.
-d '{"temperature": 30}', the –d parameter is the 'data' or body of the message we're posting. For this article, we're posting a single temperature data point. The content type was specified as application/json, so, for this request, the body is JSON. Note that for curl, it's wrapped in single quotes; otherwise, you need to escape the double quotes in the JSON.
The last parameter is the URL to post to. For the Send Device Event API, the URL is: https://[assigned_iot_hub_name].azure-devices.net/devices/[device_id]/messages/events?api-version=2020-03-13.
Replace [assigned_iot_hub_name] with the name of the IoT hub that your device was assigned to.
Replace [device_id] with the device ID that was assigned when you registered your device. For devices that provision through enrollment groups the device ID will be the registration ID. For individual enrollments, you can, optionally, specify a device ID that is different than the registration ID in the enrollment entry.
Create code that authenticates with Azure IoT Hub Device Provisioning Service (DPS) using X.509 certificates, generates telemetry and accesses device twin properties. Use X.509 certificates to implement group enrollments, and deprovision enrollments groups and individual devices from an enrollment group.