How do I generate a validation certificate from a purchased certificate (proof of possession)

Question

How do I generate a validation certificate from a purchased certificate (proof of possession)

Michael Giger 26

Hi

I was able to successfully create a self-signed certificate (using https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started).
Now I have bought a certificate from a root certificate authority (CA).
How must I sign the verification code from Azure IoT Hub with the private key associate with my purchased X.509 CA certificate?

Thanks for the clarification!
Michael

3 answers

Your answer

Answer 1

With the following steps I was able to create and validate a self-signed certificate.

Step 1. Generate 3 year X509 CA certificate with private key, see also: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started#register-x509-ca-certificates-to-your-iot-hub

openssl req -x509 -newkey rsa:4096 -days 1095 -keyout ca-key.pem -nodes -out ca-cert.pem

Country Name (2 letter code) [AU]:<your country>
State or Province Name (full name) [Some-State]:<your state>
Locality Name (eg, city) []:<your city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<your organisation name>
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:<e.g.Root CA>
Email Address []:<your e-mail address>

Step 2. Upload ca-cert.pem to Azure (IoT Hub)
Step 3. Generate verification code in Azure
Step 4. Generate verification key

openssl genrsa -out verification.key 2048

Step 5. Generate verification certificate request

openssl req -new -key verification.key -out verification.csr

The same information as above, except the common name must be the verification code from Azure IoT Hub!

Step 6. Generate proof of possession certificate

openssl x509 -req -in verification.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out verificationCert.pem -days 1095 -sha256

Step 7. Upload verificationCert.pem to Azure (IoT Hub) and validate

Step 8. Generate device key

openssl genrsa -out <deviceID>-private.pem 2048

Replace <deviceID> with the device name from Azure IoT Hub, see also: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started#create-an-x509-device-for-your-iot-hub

Step 9. Generate device certificate request

openssl req -new -key <deviceID>-private.pem -out <deviceID>.csr

The same information as above, except the common name must be the device name from Azure IoT Hub!

Step 10. Generate public certificate

openssl pkcs12 -export -in <deviceID>-public.pem -inkey <deviceID>-private.pem -out <deviceID>.pfx

I hope it helps others...
Michael

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2020-11-30T10:51:38.873+00:00

@Michael Giger Thanks for sharing the steps. We will share your feedback with our internal teams to create/add doc enhancement for the guidance regarding purchased certificate. Do let us know if you have any further queries.

Answer 2

António Sérgio Azevedo 7,671 Microsoft Employee Moderator

Welcome to Microsoft Q&A @Michael Giger ,

The fact that you bought a certificate from root certificate authoriy doesn't mean that you won't be able to sign it. You would upload the intermediate certificate (sold to you by the CA) and verify that. In your IoTHub, devices' x509 certs will be generated by the indermediate certificate and able to connect to IoTHub.

See: Sign Devices into a Certificate Chain of Trust

You will possess and be able to verify the intermediate Cert. If you trusted the CA, any device belonging to the CA could connect to your IoTHub, which I believe is not what you are trying to achieve?

See also: Purchasing an X.509 CA certificate

Hope I could answer your great question :).

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Michael Giger 26 Reputation points

2020-11-17T12:35:42.227+00:00

Hi
Thank you for the explanations.

As I already wrote in my question, I don't understand how I do sign the verification code from Azure IoT Hub with my private key. What commands do I have to execute?

Regards Michael
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2020-11-17T13:08:53.337+00:00

Sorry I didn't understand your question right on first time @Michael Giger ,

You can use openssl and see how it is done in this SO Thread: https://stackoverflow.com/questions/50337042/how-to-generate-a-proof-of-possesion-for-a-x509-certificate-using-openssl

See also how the Proof of Possession process works: https://tools.ietf.org/html/rfc5280#section-3.1

I will update the answer with this comment if you can validate it answers your question.

Thank you!
Michael Giger 26 Reputation points

2020-11-18T14:15:42.733+00:00

Hi

I knew the stackoverflow post. Because I wanted to use my purchased root certificate, I skipped the first step and used the same settings from the purchased root certificate when generating the validation certificate. The Proof of Possession process always failed!

The instructions according to the Stackoverflow Post worked and I was able to successfully validate the certificate in the Azure IoT Hub with the self-generated root certificate. Thanks for the tip!

I'm currently still looking for the commands how to generate the device certificates (certificate and key). Can I create the device certificate in the same way as the validation certificate?

Thank you!
Regards Michael
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2020-11-18T18:48:10.633+00:00

Hi,
Please clarify if you could validate the proof of possision for the purchased root certificate as well? Sorry didn't understand if yes or no.

I'm currently still looking for the commands how to generate the device certificates (certificate and key). Can I create the device certificate in the same way as the validation certificate?

Take a look on how it is done using openssl here (are you on a windows or linux device?): https://github.com/Azure/azure-sdk-for-c/blob/master/sdk/samples/iot/README.md#create-a-device-using-x509-self-signed-certificate-authentication

*Note you will need to adapt some openssl commands as you are not using a self-signed cert.
Michael Giger 26 Reputation points

2020-11-19T12:57:58.29+00:00

Proof of possision for the purchased root certificate failed! I'm doing something wrong ...
It was successful with the self-signed cert.
Thanks for the link. I will try this.
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2020-11-20T14:31:59.907+00:00

@Michael Giger we may need to have you on a 1:1 call to better troubleshoot your issue. Let me know how it goes after looking at the link provided.

Thanks!
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2020-11-27T20:35:47.713+00:00

Hello @Michael Giger let us know if you were able to progress or how can we help you further?

Thank you so much!
Michael Giger 26 Reputation points

2020-11-28T08:22:10.357+00:00

Hi

I posted how it worked with a self signed certificate. At the moment this is enough. But I would be interested in how I could use the purchased certificate instead.
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2020-12-14T16:14:12.537+00:00

Hello @Michael Giger ,
Thank you so much for posting your answer below. I am sure that will definitely help others :).

I don't see any reason why your steps won't work for a purchased certificate. Did you face an error while doing it?

1) Instead of requesting a new x509 certificate openssl req -newkey you will need to set the context to the existing (purchased) certificate openssl req -key existingprivatekey.key

Pleaser mark your answer as the answer to the thread to help others finding the best content.

Thank you!

Answer 3

Daniel Maxwell 11

I have the same question and can see that it is NOT being answered in several forums.

The typical answer does not address how to prove possession of a purchase certificate, not a self-signed CA Root certificate from Comodo or Sectigo etc.

Do we need to purchase a new X.509 certificate using a custom CSR to go through the proof of possession process?

Where in the world is there a step by step process or example or video on how to provide proof of possession for a certificate that I did not self sign, that I purchased from a trusted root CA? Where?

The section titled: "GET X-509 CA Certificates" in particular is severely lacking in detail: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started#get-x509-ca-certificates

Daniel Maxwell 11 Reputation points

2021-01-13T16:45:59.087+00:00

I think I am going to post this as a question in another forum because I do not believe this will gain traction here, listed as an answer, and not refreshing the topic higher up.
QuantumCache 20,366 Reputation points Moderator

2021-01-13T16:49:08.567+00:00

Hello @Daniel Maxwell Sorry for the delay in responding.
QuantumCache 20,366 Reputation points Moderator

2021-01-13T16:49:53.547+00:00

Hello @Daniel Maxwell We are looking into this query. Please stay tuned!
QuantumCache 20,366 Reputation points Moderator

2021-01-13T16:57:39.463+00:00

Hello @Daniel Maxwell , Could you please let us know if you are going to use Azure IoT Hub Device Provisioning Service along with your purchased CA certificate?

The below document has scenario which might be useful with Azure IoT DPS :
How to do proof-of-possession for X.509 CA certificates with your Device Provisioning Service

Please comment in the below section to let us know your scenario in detail and we will make sure you get the right help until your query is addressed properly. Again sorry for the delay in responding.
Daniel Maxwell 11 Reputation points

2021-01-13T17:26:53.763+00:00
Hello, @QuantumCache , Thank you but no solution yet. Please continue your efforts.

Yes, we are using the SSL/TLS certificates section of the Azure Device Provisioning Service in Azure IoT. The problem is how to install and verify a purchased SSL/TLS certificate from a trusted Root CA. Microsoft Learn glosses over a purchased certificate and is only related to a self-signed SSL certificate. How to verify a purchased certificate?

The link you provided does NOT explain, even with links provided, how to prove possession of a purchased SSL certificate using the generated code in Azure IoT DPS certificates area.
Daniel Maxwell 11 Reputation points

2021-01-13T17:29:06.777+00:00

Additional reply to @QuantumCache

We spent money purchasing the certificates twice from DNSIMPLE / Comodo first letting them create the CSR and the second time creating our own CSR and uploading it in the purchase phase.

The purchased certificate bundle contains the Root (public key), two intermediate certificates (both public keys) and the server key (private key).

I have tried to modify both powershell and .sh examples but to no avail. I believe the problem is because I do not have authority to verify the certificate since I do not have the private key to the intermediate certificates in the chain. The examples in Microsoft Learn seem to indicate, by deduction, that verifying a root CA is only possibly with companies with millions of dollars to purchase their own intermediate CA certificates with private keys. Is this not correct?
QuantumCache 20,366 Reputation points Moderator

2021-01-13T17:33:56.963+00:00

Hello @Daniel Maxwell Thanks for the quick response!.

Could you please send an email to our team at azcommunity@microsoft.com?
so that we can work closely on this matter.

Thread URL: Link to this thread.
Your Azure Subscription ID:
Email Subject : Attn Satish Boddu
Please let me know once you have done the same.
Daniel Maxwell 11 Reputation points

2021-01-13T19:01:50.143+00:00

OK, I have emailed as requested. azcommunity@microsoft.com
QuantumCache 20,366 Reputation points Moderator

2021-01-13T19:06:05.763+00:00

Hello all,

We will update this thread once we finish our offline investigation, please feel free to comment in the below section if you are also looking for the same query.
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2021-01-15T12:04:34.217+00:00

1/2

Hello @Daniel Maxwell ,

I wanted to double click that you have read this doc already: Security practices for Azure IoT device manufacturers

I have noticed Comodo offers a Public Key Infrastructure (PKI) for IoT. See Global Sign MS Azure IoT Hub Integration as well.
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2021-01-15T12:04:43.847+00:00

2/2

As mentioned in the doc above, you can also consider to use a self-managed PKI where you can maintain your own PKI system and generate your own certificates.

PS: Our examples use self-signed certificates as a generic outline of the procedure to apply to any provider irrespective of their custom procedures.
Daniel Maxwell 11 Reputation points

2021-01-19T18:19:21.777+00:00
I am pursuing a two pronged approach to solving this issue:

Contract with a service such as KeyScaler

Provision using a private PKI that I create myself with self-signed certificates in the short term for testing. This could work out for the long term but given the complexity I prefer to go with a service contract with a vendor.
António Sérgio Azevedo 7,671 Reputation points Microsoft Employee Moderator

2021-01-21T13:45:36.62+00:00

Thank you so much for sharing your experience with the community @Daniel Maxwell !

Share via

How do I generate a validation certificate from a purchased certificate (proof of possession)

3 answers

Your answer