Hi, While adding a device in IoT Hub, we can choose whether the device is IoT Edge Device or not. When we select IoT Edge Device the authentication type only shows 2 Options - (Symmetric Key and X.509 Self Signed), but if we do not select IoT Edge Device the we see 3 Options - (Symmetric Key, X.509 Self Signed and X.509 CA Signed). I have limited knowledge about the authentication type, so wanted to confirm if we can use only Symmetric key or X.509 Self Signed Certificate if our device is IoT Edge Device, or X.509 CA Signed can also be used for the same?

Hello @Satyam Chauhan , When adding a new IoT device through the portal, you can only choose between Symmetric Key and X.509 Self-Signed certificate and providing the thumbprint. The X.509 CA authentication with IoT Edge is supported by IoT Edge Device Provisioning Service (DPS) with an enrollment group. In this case DPS will register your device in IoT Hub and set the corresponding thumbprint after it decides the device is legitimated to be registered. There is an example for provisioning a X.509 certificate simulated device what should be applicable to your IoT Edge devices and a CA signed certificate. To understand the concepts behind you can check concepts-x509-attestation ---------- Please don't forget to click on "best answer" or "upvote" button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer.

X.509 CA Signed certificate is not available in authentication type of IoT Edge Device

Accepted answer

chbeier 1,871 Reputation points

2022-12-21T15:24:38.05+00:00

Hello @Satyam Chauhan ,

When adding a new IoT device through the portal, you can only choose between Symmetric Key and X.509 Self-Signed certificate and providing the thumbprint.
The X.509 CA authentication with IoT Edge is supported by IoT Edge Device Provisioning Service (DPS) with an enrollment group. In this case DPS will register your device in IoT Hub and set the corresponding thumbprint after it decides the device is legitimated to be registered. There is an example for provisioning a X.509 certificate simulated device what should be applicable to your IoT Edge devices and a CA signed certificate. To understand the concepts behind you can check concepts-x509-attestation

----------

Please don't forget to click on "best answer" or "upvote" button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

1 person found this answer helpful.
Satyam Chauhan 547 Reputation points

2022-12-22T06:04:54.647+00:00

Hi @chbeier , thank you for answering.
In our case we have only 1 IoT Edge Device which is sending all the data and we cannot use DPS as well.
So if we are not using DPS, then only Symmetric Key and X.509 Self-Signed certificate can be used for IoT Edge device, please confirm it.

chbeier 1,871 Reputation points

2022-12-22T07:15:41.23+00:00

That's correct. You can find more details in the documentation Understand how Azure IoT Edge uses certificates

Satyam Chauhan 547 Reputation points

2022-12-22T10:52:11.157+00:00

Hello @chbeier ,
According to this article iot-hub-x509ca-overview ,it is recommended to use X.509 CA certificate for production environment.
So in our case we have open IoT network without DPS in production environment, then X.509 self signed certificate is recommended or not?

chbeier 1,871 Reputation points

2022-12-22T15:33:40.8+00:00

Hello @Satyam Chauhan ,

Thanks for pointing to this article and it's absolutely correct: if you plan a production environment you should purchase a X.509 CA certificate from a trusted public root certificate authority as your peers might not trust self-signed CAs and you would need to take care of exchanging them in a safe and trustworthy way.

For creating an IoT Edge device, the terminology "self-signed" is also misleading as you can also add the thumbprint of a certificate derived from a purchased X.509 CA certificate. This is the way DPS is doing it for an enrollment group, regardless if a self-sigend CA or a purchased one was used. A better term might be "X.509 Thumbprint validation".
The documentation on how IoT Hub verifies IoT Edge device identity explains how to retrieve the thumbprint via openssl from a X.509 certificate.

sudo openssl x509 -in /var/lib/aziot/certd/certs/deviceid-random.cer -noout -nocert -fingerprint -sha256

Mihuc, Teodora 0 Reputation points

2024-05-17T11:58:16.0366667+00:00

Is this information still true?

I am facing a similar issue, I can create an IoT Edge device in Azure IoT Hub from CLI having CA Authority authentication enabled.

But, when creating a group enrollment in DPS, using the same certificates, an edge device with self-signed certificate is provisioned, not with CA Authority authentication enabled.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

X.509 CA Signed certificate is not available in authentication type of IoT Edge Device

0 additional answers

Your answer