IoT Central - TLS Certificate Root Migration Issues for TPM Connected Devices

Andrew Batta 21

Will the root cert migration for IoT Hub/Provisioning services have an impact on devices connected via TPM to IoT Central?

We also use SAS API tokens in IoT Central. Will those need to be recreated?

1 answer

LeelaRajeshSayana-MSFT 13,466 Reputation points

2023-07-28T19:50:45.1733333+00:00
Hi @Andrew Batta Greetings! Thank you for posting this question here.

To answer your questions, No, changing the root certificate does not have any impact on the device connectivity that are authenticated using TPS or SAS token.

The TPM attestation method using a different form of authentication that does not involve the root certificate. It rather uses an Endorsement key (EK) and Storage Root Key (SRK) as means to authenticate and provision devices. These are different and independent from the root certificate used for attesting devices using the X.509 authentication method. Please find the below image showing details on how TPM attestation works in Azure IoT Hub

The SAS authentication as well does not use the X.509 root certificate.

For more details, please refer the following resources.

Programmatically create a Device Provisioning Service individual enrollment for TPM attestation

TPM attestation process

Device authentication concepts in IoT Central

Hope this helps. Please let us know if you have any additional questions.

If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.
Please sign in to rate this answer.
Andrew Batta 21 Reputation points

2023-07-28T19:57:55.3366667+00:00

Thank you for the information! We're seeing the below error when calling the CreateTpmDevice method from the C# SDK and I just wanted to make sure the cert change wasn't the cause.

Do you have an idea what could cause this?

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception) at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions) at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst,

LeelaRajeshSayana-MSFT 13,466 Reputation points

2023-07-28T20:18:57.4766667+00:00

Hi @Andrew Batta Thank you for your response. Can you share more details on the SDK you are using. If the sample code is from Microsoft SDK, can you share any references to the GitHub source code? I appreciate it if you can share these details to help us better understand this error and assist you further.

Andrew Batta 21 Reputation points

2023-07-28T20:24:36.0166667+00:00

Hi, sorry I actually made a mistake earlier and we're just calling the endpoint to create the device. Below is a link to the API docs.

https://learn.microsoft.com/en-us/rest/api/iotcentral/2022-07-31dataplane/devices/create?tabs=HTTP

Andrew Batta 21 Reputation points

2023-07-28T20:26:04.5666667+00:00

Hi, I made a mistake earlier and we're just calling the create device API. The link below points to the docs for the API we're using.

https://learn.microsoft.com/en-us/rest/api/iotcentral/2022-07-31dataplane/devices/create?tabs=HTTP

LeelaRajeshSayana-MSFT 13,466 Reputation points

2023-07-28T21:14:42.54+00:00

Hi @Andrew Batta thank you for sharing this additional information. The end point you are using is to create a new device on IoT Central. As I said in my response, the change in certificate should not impact the existing devices authenticated using TPM and SAS. However, inspecting the error returned, it indicates that the SSL SSL certificate presented by the server is not trusted by the client. Pleae look into the section I use IoT Central. Do I need to update my devices? that provides the steps needed to take if you upgrade the certificate.

I would also request you to look into the resource How to authenticate and authorize IoT Central REST API calls. The steps provided should help you how to test and use the IoT Central Rest API. Please let us know if you have validated this still face issues with the API.

LeelaRajeshSayana-MSFT 13,466 Reputation points

2023-07-31T22:10:41.0333333+00:00

Hi @Andrew Batta Greetings! I am following up to see if you got a chance to review the above response. Please let us know if you have any additional questions or need further assistance.

If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.
Sign in to comment