You do not need to generate a certificate yourself. An already generated and signed certificate is stored in your device. The certificate is signed by the Azure Sphere Tenant CA. To use this certificate as the authentication method for IoT Hub, call iothub_security_init from azure_prov_client/iothub_security_factory.h and then IoTHubDeviceClient_LL_CreateWithAzureSphereFromDeviceAuth to create the IoT Hub client. In IoT Hub you must register your device with the device name set to the DeviceId. You must also add the certificate of your Azure Sphere tenant to IoT Hub to allow IoT Hub to trust your devices. How to do that is described in https://learn.microsoft.com/en-us/azure-sphere/app-development/setup-iot-hub . The DeviceId, the device name in IoT Hub and the CN of the authentication certificate must match.
Azure Sphere Authentication Certificate CN == Device ID?
@Imran Bhadelia and I have a question about the Azure Sphere Authentication Certificate. This would be the short-lived (client certificate that can be presented to any online service) X.509 certificate pushed to the device once it passes the DAA step. The documentation here specifies that the certificate CN is set to the device's device ID. However, CN is limited to 64 characters and the Azure Sphere device ID is >128 characters long.
What is CN set to for the Azure Sphere Authentication x.509 Certificate?
Thanks!
Azure Sphere
5 answers
-
Michal Žůrek 136 Reputation points
2021-05-20T20:05:59.253+00:00 -
Imran Bhadelia 21 Reputation points
2021-05-24T14:08:36.873+00:00 Hello @Michal Žůrek
The CN of the authentication certificate has a limitation of 64 chars, and the Sphere device ID is 128 chars long. That means the device ID and the CN are going to differ, so how will authentication work?
Imran
-
matsujirushi 636 Reputation points MVP
2021-05-30T05:37:41.917+00:00 You can look at the client certificate using Wireshark.
Which field did you want to look at?
-
Imran Bhadelia 21 Reputation points
2021-06-01T10:27:15.22+00:00 Subject field. This has the CN.
-
Imran Bhadelia 21 Reputation points
2021-06-03T20:19:07.227+00:00 As per this link, the CN only allows 64 chars, and in the case of Sphere it's 128. Wondering, as we asked the CA to generate a device leaf certificate having a device ID of 100 chars, but due to CN validation it failed during leaf certificate generation.