Module connection using x509 certificates

Ferry Koolen 0 Reputation points
2024-04-09T12:01:37.0066667+00:00

Hi,

When reading the docs about connecting devices and modules using an x509 certificate there is this part about the required common name (CN):

For modules using X.509 authentication, the module's certificate must have its common name (CN) formatted like CN=deviceId/moduleId.

Which seems pretty clear to me. However, when testing we found that using the device certificate with a common name like 'CN=<deviceid>', without the moduleId, works fine as well.

My question is: Do we require multiple certificates for each module on the device, or are the docs wrong and is it possible to use one certificate for all connections from the device?

Thanks!

Ferry Koolen


1 answer

  1. Sander van de Velde | MVP 32,556 Reputation points MVP
    2024-04-09T19:04:44.54+00:00

    Hello @Ferry Koolen ,

    welcome to this moderated Azure community forum.

    The Azure IoT Hub has two concepts of 'modules':

    1. Docker containers being part of Azure IoT Edge
    2. Module Identities as part of a regular IoT device

    In case of the Azure IoT Edge device, the device registration itself has a unique device identity. The identity and security of the underlying edge modules (docker containers) are controlled by the runtime. As an IoT Developer, we do not touch them.

    I expect the documentation is referencing IoT device Module Identities because these have their own registration.

    This is also on par with a regular connection string, containing both deviceid and moduleid:


    In my opinion, the documentation could make a better distinction between 'module' and 'module identity'.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.
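
Added example, not part of the original answer and not Microsoft's code: a pre-deployment check that compares a certificate's CN with the documented rule quoted in the question (CN=deviceId for a device, CN=deviceId/moduleId for a module identity) for the identity named in a connection string. The function names, hub name and IDs are constructed for illustration, and the subject is assumed to be a simple comma-separated string without escaped commas.

```python
# Added example: lint a connection string against a certificate subject.
# The CN rule comes from the documentation sentence quoted in the question.

def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict (values may contain '=')."""
    fields = {}
    for part in conn_str.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    return fields

def expected_cn(conn_str):
    """CN the docs require: deviceId, or deviceId/moduleId for a module identity."""
    fields = parse_connection_string(conn_str)
    device_id = fields.get("DeviceId")
    if not device_id:
        raise ValueError("connection string has no DeviceId")
    module_id = fields.get("ModuleId")
    return f"{device_id}/{module_id}" if module_id else device_id

def subject_cn(subject):
    """Extract the CN value from a subject such as 'CN=dev1/modA,O=Example'."""
    for rdn in subject.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("subject has no CN")

def check_identity(conn_str, subject):
    """Return (ok, message); flags a device-only CN used for a module identity."""
    want, got = expected_cn(conn_str), subject_cn(subject)
    if got == want:
        return True, f"CN matches identity {want!r}"
    if "/" in want and got == want.split("/", 1)[0]:
        return False, f"device certificate (CN={got}) used for module identity {want!r}"
    return False, f"CN={got} does not match expected CN={want}"

# Constructed sample values (hypothetical hub, device and module names).
MODULE_CONN = "HostName=example-hub.azure-devices.net;DeviceId=dev1;ModuleId=modA;x509=true"
DEVICE_CONN = "HostName=example-hub.azure-devices.net;DeviceId=dev1;x509=true"

if __name__ == "__main__":
    for subject in ("CN=dev1/modA,O=Example", "CN=dev1"):
        print(subject, "->", check_identity(MODULE_CONN, subject))
```

The check only reports whether a certificate follows the documented naming rule; it says nothing about what the service itself accepts.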

