can a self-signed certificate be used to connect to device provisioning service via MQTT?

Mauricio Vanegas 20 Reputation points
2023-12-27T18:37:33.78+00:00

Dear community,

I have been struggling recently trying to implement a device provisioning service (DPS) for our IoT solution. Our devices can connect and send telemetry to our IoT hubs with no problem. We have decided to use the device provisioning service instead of assigning IoT hubs directly for every device. In the process, we are using the same self-signed certificates used in our IoTHUBs for the enrollment in the DPS. The problem is that the MQTT connection fails with no response when the devices try to establish the secure connection with the DPS.

I have tried different things and I ran out of ideas, so I have some questions whose answers can help me figure the problem out - at least I hope.

  1. Can a self-signed certificate be used as a leaf certificate for the DPS? Our devices use the ECC608 chip and we consider it a valid option to secure our infrastructure.
  2. Is there any difference in the authentication process between IoT HUB and DPS? I would expect that devices able to connect to the IoT HUB via MQTT can also connect to DPS if proper connection strings are provided.

Some details about our devices' firmware:

  • It uses BearSSL library.
  • It uses coreMQTT library.
  • It uses FreeRTOS.
  • Every device integrates an ECC608 module.

Thank you in advance for your help.

Regards,

Mauricio


Accepted answer
    AshokPeddakotla-MSFT 35,971 Reputation points Moderator
    2023-12-28T12:02:57.1966667+00:00

    Mauricio Vanegas Greetings!

    Can a self-signed certificate be used as a leaf certificate for the DPS? Our devices use the ECC608 chip and we consider a valid option to secure our infrastructure.

    Yes, you can use self-signed certificates or bring your own certificates. If you use self-signed certificates, when your device is initially configured, self-signed certificates are automatically generated. See Create a self-signed certificate for more details.

    Is there any difference in the authentication process between IoT HUB and DPS? I would expect that devices able to connect to the IoT HUB via MQTT can also connect to DPS if proper string connections are provided.

    Yes, there is a difference in the authentication process between IoT Hub and DPS.

    IoT Hub uses symmetric key or X.509 certificate authentication to authenticate devices. When using X.509 certificate authentication, each device's authentication information is provided in the form of thumbprints taken from your device identity certificates. These thumbprints are given to IoT Hub at the time of device registration so that the service can recognize the device when it connects.

    DPS uses X.509 certificate authentication to authenticate devices. When using X.509 certificate authentication, each device's authentication information is provided in the form of a certificate signed by a trusted root certificate. The device certificate must have the subject name set to the device ID that was used when registering the IoT device in Azure IoT Hub. This setting is required for authentication.

    I hope this helps! Let us know if you have any other questions.

    1 person found this answer helpful.
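As an added illustration of the difference the answer describes (this is not code from the question, the answer or the device firmware), here are the MQTT CONNECT fields and topics a device uses for a DPS registration next to the ones it uses for a direct IoT Hub connection, plus a parser for the DPS response topic. The hub hostname, id scope and registration id are placeholders; the username and topic formats are the documented DPS and IoT Hub MQTT conventions.

```python
"""Added example: DPS vs IoT Hub MQTT connection parameters (placeholders)."""
from urllib.parse import parse_qs

DPS_HOST = "global.azure-devices-provisioning.net"  # DPS global endpoint
DPS_API_VERSION = "2019-03-31"
HUB_API_VERSION = "2021-04-12"


def hub_connect_params(hub_hostname: str, device_id: str) -> dict:
    """CONNECT fields for a device talking directly to an IoT Hub."""
    return {
        "host": hub_hostname, "port": 8883, "client_id": device_id,
        "username": f"{hub_hostname}/{device_id}/?api-version={HUB_API_VERSION}",
    }


def dps_connect_params(id_scope: str, registration_id: str) -> dict:
    """CONNECT fields for DPS. The client ID is the registration ID, which must
    equal the CN of the X.509 leaf certificate the device presents in the TLS
    handshake; the username carries the enrollment's ID scope, not a hub name."""
    return {
        "host": DPS_HOST, "port": 8883, "client_id": registration_id,
        "username": f"{id_scope}/registrations/{registration_id}"
                    f"/api-version={DPS_API_VERSION}",
    }


def register_topic(rid: int) -> str:
    """Topic the device publishes its registration request to."""
    return f"$dps/registrations/PUT/iotdps-register/?$rid={rid}"


def operation_status_topic(rid: int, operation_id: str) -> str:
    """Topic used to poll the registration while DPS is still 'assigning'."""
    return (f"$dps/registrations/GET/iotdps-get-operationstatus/"
            f"?$rid={rid}&operationId={operation_id}")


def parse_dps_response_topic(topic: str) -> dict:
    """Parse '$dps/registrations/res/<status>/?$rid=..&retry-after=..' as
    received on the '$dps/registrations/res/#' subscription. A 202 means the
    assignment is still in progress; poll again after 'retry-after' seconds."""
    prefix = "$dps/registrations/res/"
    if not topic.startswith(prefix):
        raise ValueError(f"not a DPS response topic: {topic}")
    status_str, _, query = topic[len(prefix):].partition("/?")
    params = parse_qs(query)
    return {
        "status": int(status_str),
        "rid": params.get("$rid", [None])[0],
        "retry_after": int(params["retry-after"][0]) if "retry-after" in params else None,
    }
```

Once the polled status payload reports "assigned", the device reconnects to the assigned hub with `hub_connect_params`, so both parameter sets are needed in the firmware.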
