DPS enrollment to IoTHub with Self-Signed vs. CA certificates

Abby Greentree 171 Reputation points
2022-12-16T16:10:24.463+00:00

I am using DPS group enrollment to register new devices to an IoTHub. I am testing this process using self-signed certificates, however in the production environment - I am planning to use a true Certificate Authority.

I register new devices with the certificate chain (device, intermediate, and root). I also have the root certificate uploaded to the IoTHub and verified. When a new device is registered it appears in the IoTHub with the Authentication Type 'Self-Signed X509 Certificate'. I am using the 'create_from_x509_certificate' method of the 'ProvisioningDeviceClient' class provided in the az-iot-sdk-python repository.

My question is: When I complete the same process in the future with a true Certificate Authority - will the devices register with the 'X509 CA Signed' Authentication Type instead? That is preferred for my use case as I'd like to ensure that devices attempting to connect are using a leaf certificate issued by the Root Certificate that I have uploaded to the IoTHub - to additionally validate they are a known device.

Thank you in advance for your assistance.


Accepted answer
LeelaRajeshSayana-MSFT 17,771 Reputation points Moderator
    2022-12-16T22:09:56.06+00:00

    Hi @Abby Greentree ,

    Greetings! Welcome to Microsoft Q&A forum! Thank you for posting the question here.

    Once you get a valid certificate from a trusted Certified Authority, the authentication for the devices will display as 'X509 CA Signed' instead of 'Self-Signed X509 Certificate'. Please refer to this resource, X.509 certificate attestation, which gives an overview of the Device Provisioning Service (DPS) concepts involved when provisioning devices using X.509 certificate attestation. The article mentions that the self-signed root certificate will be terminated after providing a valid X.509 certificate.


    Here is another article that will guide you on Authenticate devices using X.509 CA certificates.

    Hope this information answers the questions you have. Please let us know if you need any further clarification on this issue.

    ----------

    Kindly accept answer or upvote if the response is helpful so that it would benefit other community members facing the same issue. I highly appreciate your contribution to the community.
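As an added illustration (not code from the question, the answer, or the Azure SDK), the following script builds the root / intermediate / device chain the question describes with openssl, assembles the chain PEM a device would present, and checks that a device leaf validates against the root that gets uploaded to IoT Hub while a self-signed leaf does not. The file names, the CN values and the temp directory are assumptions; it requires an openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added demo (hypothetical names): root -> intermediate -> device chain with openssl,
# plus the path check a hub performs against an uploaded, verified root CA.
set -e
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# Extensions: CA certs may sign; the device leaf may only authenticate as a TLS client.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Key + CSR with CN=$1 (2048-bit RSA, no passphrase; a demo-only choice).
gen_csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

# Root CA, self-signed. In production the real CA keeps root.key; only root.pem is uploaded.
gen_csr root
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA issued by the root (the middle tier of the chain in the question).
gen_csr intermediate
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out intermediate.pem 2>/dev/null

# Device leaf issued by the intermediate. For a DPS group enrollment the CN is the registration ID.
make_device() {  # $1 = registration ID
  gen_csr "$1"
  openssl x509 -req -in "$1.csr" -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out "$1.pem" 2>/dev/null
  # Leaf first, then its issuers: the order for a chain PEM handed to the SDK's X509 cert_file.
  cat "$1.pem" intermediate.pem root.pem > "$1-chain.pem"
}

# Exit 0 only if the leaf builds a path to the trusted root through the intermediate.
# A leaf from any other CA, or a self-signed one, fails here just as it would at the hub.
verify_leaf() {  # $1 = leaf PEM, $2 = trusted root PEM
  openssl verify -CAfile "$2" -untrusted intermediate.pem "$1" >/dev/null 2>&1
}

make_device demo-device-001
verify_leaf demo-device-001.pem root.pem && echo "demo-device-001 chains to root.pem"

# Same device key, but self-signed: it carries no path to the uploaded root and is rejected.
openssl x509 -req -in demo-device-001.csr -signkey demo-device-001.key -days 30 -out rogue.pem 2>/dev/null
verify_leaf rogue.pem root.pem || echo "self-signed leaf rejected"
```

Swap the generated root.pem for your CA's real root and the same verify_leaf check tells you, before enrolling anything, whether a device certificate will be accepted as CA-signed.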

