DPS enrollment to IoTHub with Self-Signed vs. CA certificates

Question

DPS enrollment to IoTHub with Self-Signed vs. CA certificates

Abby Greentree 171

I am using DPS group enrollment to register new devices to an IoTHub. I am testing this process using self-signed certificates, however in the production environment - I am planning to use a true Certificate Authority.

I register new devices with the certificate chain (device, intermediate, and root). I also have the root certificate uploaded to the IoTHub and verified. When a new device is registered it appears in the IoTHub with the Authentication Type 'Self-Signed X509 Certificate'. I am using the 'create_from_x509_certificate' method of the 'ProvisioningDeviceClient' class provided in the az-iot-sdk-python repository.

My question is: When I complete the same process in the future with a true Certificate Authority - will the devices register with the 'X509 CA Signed' Authentication Type instead? That is preferred for my use case as I'd like to ensure that devices attempting to connect are using a leaf certificate issue by the Root Certificate that I have uploaded to the IoTHub - to additionally validate they are a known device.

Thank you in advance for your assistance.

LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator

2022-12-21T21:29:18.643+00:00

Hi @Abby Greentree , Greetings! I am following up to check if the response below has helped you with addressing the issue you face.

----------

Kindly accept answer or upvote if the response is helpful so that it would benefit other community members facing the same issue. Original posters help the community find answers faster by identifying the correct answer. Here is how. I highly appreciate your contribution to the community.

Accepted answer

0 additional answers

Your answer

LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator

2022-12-21T21:29:18.643+00:00

Hi @Abby Greentree , Greetings! I am following up to check if the response below has helped you with addressing the issue you face.

----------

Kindly accept answer or upvote if the response is helpful so that it would benefit other community members facing the same issue. Original posters help the community find answers faster by identifying the correct answer. Here is how. I highly appreciate your contribution to the community.

Answer 1

LeelaRajeshSayana-MSFT 17,771 Moderator

Hi @Abby Greentree ,

Greetings! Welcome to Microsoft Q&A forum! Thank you for posting the question here.

Once you get a valid certificate from a trusted Certified Authority, the authentication for the devices will display as 'X509 CA Signed' instead of 'Self-Signed X509 Certificate'. Please refer this resource X.509 certificate attestation gives an overview of the Device Provisioning Service (DPS) concepts involved when provisioning devices using X.509 certificate attestation. The article mentions that self-signed root certificate will be terminated after providing a valid X.509 certificate.

Here is another article that will guide on Authenticate devices using X.509 CA certificates.

Hope this information answers the questions you have. Please let us know if you need any further clarification on this issue.

----------

Kindly accept answer or upvote if the response is helpful so that it would benefit other community members facing the same issue. I highly appreciate your contribution to the community.

Evandro Pomatti 11 Reputation points

2023-04-15T18:47:53.77+00:00
Hi @LeelaRajeshSayana-MSFT , could you elaborate a little more?

Reading the documents I couldn't find a explicit reason why this would happen.

For example, according to this documentation, "Self-Signed" means that the device was registered with a thumbprint. "CA-Signed" means the device was checked with a root CA uploaded to IoT Hub, which is exactly the scenario that OP described. There is no mention of an intermediate CA verified by an external (public) root CA.

X.509 self-signed authentication: Sometimes called thumbprint authentication, because you share the thumbprint from the device's X.509 certificate with IoT Hub.

X.509 CA-signed authentication: Upload the root CA certificate to IoT Hub. When devices present their X.509 certificate for authentication, IoT Hub checks that it belongs to a chain of trust signed by the same root CA certificate.

Down in the same document, this is how X.509 CA-signed authentication is described:

X.509 CA-signed authentication For X.509 certificate authority (CA) signed authentication, you need a root CA certificate registered in IoT Hub that you use to sign certificates for your downstream device. Any device using a certificate that was issues by the root CA certificate or any of its intermediate certificates will be permitted to authenticate.

Again there is no mention of the requirement of an external root CA that you described.

Devices should be marked as "CA-signed" if the root CA is verified in IoT Hub.

Share via

DPS enrollment to IoTHub with Self-Signed vs. CA certificates

0 additional answers

Your answer