DPS zero touch provisioning using X.509 certificate on Azure Sphere

Yusuke Tochigi 56 Reputation points
2020-10-20T05:50:49.777+00:00

I'd like to do zero-touch provisioning on DPS with Azure Sphere MT3620.
The certification type is "X.509" and I have my own root and leaf certificates.
I have learned following module and would like to take same step.
Automatically provision IoT devices securely and at scale with the Device Provisioning Service
I considered I could achieve my goal with following steps.

  1. Create self-signed root certificate
  2. Configure DPS to trust the root certificate
  3. Create leaf certificate
  4. Load the leaf certificate into Azure Sphere storage
  5. In the device code, specify which certification type would be used and try to connect DPS.

1st question is, is above my thought correct?

One problem which puzzling over is, how to load and use the leaf certificate on MT3620.
According to following how-to guide, should I use "CertStore_InstallClientCertificate" with Blob storage?

Manage certificates in high-level applications

What's next should I do? I guess "IoTHubDeviceClient_LL_CreateWithAzureSphereDeviceAuthProvisioning" must be called but,couldn't find how to specify the certification type.

https://github.com/Azure/azure-sphere-samples/blob/master/Samples/AzureIoT/main.c 

static bool SetUpAzureIoTHubClientWithDps(void)  
 {  
  
    AZURE_SPHERE_PROV_RETURN_VALUE provResult =  
            IoTHubDeviceClient_LL_CreateWithAzureSphereDeviceAuthProvisioning(scopeId, 10000,                                                                               &iothubClientHandle);  
        Log_Debug("IoTHubDeviceClient_LL_CreateWithAzureSphereDeviceAuthProvisioning returned '%s'.\n",  
                  GetAzureSphereProvisioningResultString(provResult));  
  
            if (provResult.result != AZURE_SPHERE_PROV_RESULT_OK) {  
  
        return false;  
     }  
        return true;      
}
Azure Sphere
Azure Sphere
An Azure internet of things security solution including hardware, operating system, and cloud components.
157 questions
Azure IoT Hub
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,124 questions
Accepted answer
  1. António Sérgio Azevedo 7,666 Reputation points Microsoft Employee
    2020-11-02T23:47:28.553+00:00

    Hi @Yusuke Tochigi ,

    I have confirmed that you cannot bring your own X509 certificate to register with DPS.

    Azure Sphere service owns the generation and management of tenant CAs that are used for IoTHub, IoTCentral and DPS authentication. You cannot use your own root-ca for authenticating to the service.

    See also how to Configure tenant CA certificates for cloud services

    "A tenant CA certificate is issued by the Azure Sphere Security Service when a tenant is created. Each tenant CA certificate has a lifetime of two years and the start date and end date are captured in the certificate."

    Thank you so much for your time!

    Remember:

    • Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest