Is it possible to manually renew the Edge CA certificates?

Haeussler Siegfried 0 Reputation points
2024-06-17T14:41:37.76+00:00

Is it possible to log into an Azure IoT Edge device via SSH and then trigger the renewal of the Edge CA certificates manually? I found this post for manually renewing the device identity certificate: #5787 (comment) The question comes from the following GitHub issue: https://github.com/Azure/iotedge/issues/7303

Azure IoT Edge

1 answer

  1. Sander van de Velde | MVP, 30,711 Reputation points
    2024-06-17T17:14:35.68+00:00

    Hello @Haeussler Siegfried ,

    welcome to this moderated Azure community forum.

    Azure IoT Edge gives you full control over all Docker containers that are part of the Azure IoT Edge deployment manifest.

    Azure IoT Edge has no mechanism for connecting with the underlying operating system.

    Microsoft provides a separate solution named OSConfig. This is a separate tool living on the edge device, making use of the Azure IoT Edge credentials for a secure cloud connection.

    You are free to use SSH to connect to your device, but be aware that you probably open this outbound port 22, so your edge device can be attacked from the outside world.

    An alternative is using autossh. This creates an outbound tunnel to some endpoint in the cloud. Create a VM running in Azure that accepts inbound SSH calls only from your edge devices (e.g. using an IP filter). This VM should only be accessible using an Entra ID, so if your workers leave the company, your 'stepping stone' or 'jumpbox' is unavailable to them.

    A simpler and more versatile alternative is enabling your edge device with Azure Arc. Using Azure Arc, your edge device becomes part of the Azure Portal, with e.g. SSH, updates, policies, etc.

    A complete example and walkthrough is seen here.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.
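The outbound autossh tunnel described in the answer above, written out as an added example (this is not code from the original post, from the answerer, or from Azure IoT Edge). It generates a systemd unit that keeps a reverse SSH tunnel from the edge device to a cloud jumpbox, so the device itself never has to expose an inbound port 22. The hostname `jumpbox.example.com`, the `tunnel` user, the key path `/etc/tunnel/id_ed25519` and the remote port `2201` are placeholders chosen for this example; the functions `write_autossh_unit` and `unit_has` are hypothetical helpers, not part of any product.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: build a systemd unit for an
# outbound autossh reverse tunnel from an IoT Edge device to a jumpbox VM.
# All host names, user names, paths and ports below are placeholders.
set -eu

# write_autossh_unit OUTFILE JUMPBOX_HOST JUMPBOX_USER KEY_PATH REMOTE_PORT
# Writes a unit that publishes the device's local sshd (port 22) as REMOTE_PORT
# on the jumpbox's loopback interface only, so the forwarded port is reachable
# solely by someone already logged in to the jumpbox.
write_autossh_unit() {
  local out="$1" host="$2" user="$3" key="$4" rport="$5"
  cat > "$out" <<EOF
[Unit]
Description=Reverse SSH tunnel to jumpbox ${host}
After=network-online.target
Wants=network-online.target

[Service]
# -M 0: use ssh's own keepalives instead of autossh's monitor port
# -N: open no remote shell, the process exists only to hold the tunnel
# -R 127.0.0.1:${rport}:localhost:22: bind on the jumpbox loopback only
# AUTOSSH_GATETIME=0: retry even if the very first connection attempt fails
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \\
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
  -o ExitOnForwardFailure=yes \\
  -o StrictHostKeyChecking=yes \\
  -o UserKnownHostsFile=/etc/tunnel/known_hosts \\
  -o IdentitiesOnly=yes -i ${key} \\
  -R 127.0.0.1:${rport}:localhost:22 ${user}@${host}
Restart=always
RestartSec=10
# Run as an unprivileged account that only owns the tunnel key and the
# pinned known_hosts file (the jumpbox host key must be pre-populated there,
# because StrictHostKeyChecking=yes refuses unknown hosts).
User=tunnel
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes

[Install]
WantedBy=multi-user.target
EOF
}

# unit_has OUTFILE PATTERN: returns 0 if the generated unit contains PATTERN
# as a fixed string (used here to sanity-check the hardening options).
unit_has() { grep -qF -- "$2" "$1"; }

# Demo: generate the unit into a temp file and show it.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_autossh_unit "$tmp" jumpbox.example.com tunnel /etc/tunnel/id_ed25519 2201
  cat "$tmp"
  rm -f "$tmp"
fi
```

Install the generated file as `/etc/systemd/system/autossh-jumpbox.service` and enable it; an operator then logs in to the jumpbox and reaches the device with `ssh -p 2201 <device-user>@127.0.0.1`. On the jumpbox side, the IP filter the answer mentions is a network security group rule that allows inbound port 22 only from the edge devices' egress addresses, and the Entra ID requirement is met by enabling Entra ID login for the Linux VM (the `AADSSHLoginForLinux` VM extension) rather than distributing local accounts. The key point of the design is that the device only ever makes an outbound connection, so nothing on the device listens for the outside world.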