Isn't it a security risk to have root CA certificate and intermediate certificate to generate full chain certificate in DPS provisioning using X509 group attestation case?

Arjun Sivasree 20 Reputation points
2023-03-12T07:56:11.13+00:00

https://learn.microsoft.com/en-us/azure/iot-dps/tutorial-custom-hsm-enrollment-group-x509?tabs=linux&pivots=programming-language-ansi-c#create-the-device-certificates

Quoting from above link, "The device must present its full chain certificate when it registers with DPS."

As per my understanding, a full chain certificate requires root CA certificate, any intermediate certificates and a leaf certificate. This full chain certificate is needed to provision with DPS in group enrollment case.

Does this mean all these certificates have to be present in the gateway when generating the full chain certificate? Is that not a security risk to keep all these certificates in the gateway?

If this understanding is incorrect, then how will I generate the full chain certificate? What is the best practice? I would like to create a leaf certificate from intermediate certificate.

Azure IoT Edge
An Azure service that is used to deploy cloud workloads to run on internet of things (IoT) edge devices via standard containers.
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.

2 answers

  1. Sander van de Velde 28,161 Reputation points MVP
    2023-03-12T11:04:20.67+00:00

    Hello @Arjun Sivasree ,

    The same document also says:

    The text for the certificates only contains public key information. However, the device must also have access to the private key for the device certificate.

    So the device only has the cert chain (device-X full chain certificate) and its own private device-X (leaf) key.

    It also says the 'root CA certificate' is uploaded to the DPS. An 'intermediate CA certificate' will be used to create an enrollment group in DPS.

    So, the private certificates are only there where they are needed to support the chain.

    The best practice is creating all certificates needed on a separate trusted environment and distributing only those certificates needed.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.


  2. AshokPeddakotla-MSFT 27,121 Reputation points
    2023-03-27T16:45:17.79+00:00

    Arjun Sivasree Did you get a chance to see Sander's suggestions? In addition, please see below information.

    As per my understanding, a full chain certificate requires root CA certificate, any intermediate certificates and a leaf certificate. This full chain certificate is needed to provision with DPS in group enrollment case. Does this mean all these certificates have to present in the gateway when generating the full chain certificate? Is that not a security risk to keep all these certificates in gateway?

    Yes, you are correct that a full chain certificate requires the root CA certificate, any intermediate certificates, and a leaf certificate.

    The full chain certificate is needed to provision with DPS in group enrollment case. However, it is not necessary to keep all these certificates in the gateway when generating the full chain certificate.

    The best practice is to keep the root CA certificate and any intermediate certificates in a secure location, such as a certificate store or a hardware security module (HSM), and only provide the leaf certificate to the gateway. You can generate the full chain certificate by concatenating the leaf certificate with the intermediate certificates and the root CA certificate.

    Hardware Security Module (HSM) is used for secure, hardware-based storage of device secrets. An HSM can be used with symmetric key, X.509 certificate, or TPM attestation to provide secure storage for secrets. Hardware-based storage of device secrets isn't required, but it's strongly recommended to help protect sensitive information like your device certificate's private key.

    Hope this helps. Do let us know if you need any further help.


    If this answers your query, do click Accept Answer and Yes for this answer as helpful. And, if you have any further query do let us know by commenting in the below section, happy to help!
