Create client certificates starting from CA X.509

Andrea Previtali 106 Reputation points

Hello everyone.

I feel like a bit of a noob but I can't understand one thing.

In the past few months I have been running a lot of tests taking advantage of this guide:

So I created my CA certificate, uploaded it to IoT Hub and then, still following the tutorial I created client certificates for the devices connected to IoT Hub (several dozen).

So far so good, everything is working correctly.

Now, as the tutorial also suggests, I would like to purchase an X.509 CA certificate from a professional certificate service provider, I would also have already decided from whom to purchase.

I purchase the certificate, upload it to IoT Hub, verify it, etc.

But then how do I create the client certificates for the devices?

Is the precedure the same as given in the tutorial?

I usually did it like this: 

openssl ca -config subca.conf -in {device_name}.csr -out {device_name}.crt \

  -extensions client_ext

but as you can see there is a reference to subca.conf.

I believe that by purchasing a certificate I will not be provided with a .conf file to refer to, is that correct? Or they do?

Is there another way to create client certificates?Thanks you all

Azure IoT Hub
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,113 questions
{count} votes

1 answer

Sort by: Most helpful
  1. LeelaRajeshSayana-MSFT 13,456 Reputation points

    Hi @Andrea Previtali Just wanted to check if you have looked into the article Authenticate identities with X.509 certificates.

    This article describes how to use X.509 certificate authority (CA) certificates to authenticate devices connecting to IoT Hub, which includes the following steps:

    • How to get an X.509 CA certificate
    • How to register the X.509 CA certificate to IoT Hub
    • How to sign devices using X.509 CA certificates
    • How devices signed with X.509 CA are authenticated

    The article refers using Bash commands to generate leaf certificates which can be used in the link - IoT Leaf device certificates

    Kindly go through the article and let us know if you have any issues or need further clarification.

    If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.