Maximum ROOT_CA Expiration

Azure Ektos 1 Reputation point
2021-06-16T14:17:24.76+00:00

Hello
Could you help me with some questions?

What maximum expiration can we set for Root CA cert for IoT Hub?
Does Azure IoT Hub have any limits in this case?


2 answers

  1. QuantumCache 20,266 Reputation points
    2021-06-24T09:26:23.007+00:00

    Hello @Azure Ektos ,

    This is a great question.

    "Does Azure IoT Hub have any limits in this case?"

    Azure IoT Hub accepts the certificate with the set validity.

    As Asergaz already said in the initial response, there is no hard rule for the maximum set expiration of the certificate.

    "What maximum expiration can we set for Root CA cert for IoT Hub?"

    In the below example\test, I have created a test root CA cert with a validity of 100 years and uploaded it to IoTHub.

    May we know how many years of validity you are looking for in your scenario?
    Root certificates also typically have long periods of validity, compared to intermediate certificates. They will often last for 10 or 20 years, which gives enough time to prepare for when they expire. However, there still can be hiccups in the process of switching to the new root certificate. (Ref)

    Reference: OpenSSL
    openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 36500 -out rootCACert.pem

    Please do comment in the below section for further help in this matter.

    1 person found this answer helpful.

  2. António Sérgio Azevedo 7,666 Reputation points Microsoft Employee
    2021-06-17T15:47:18.573+00:00

    Hello @Azure Ektos ,

    There is no hard rule for the maximum expiration of your self-signed X509 certificate deployed to Azure IoT Hub. Nevertheless, even if the certificate is long-lived, you need to account for the fact that it can expire, and there needs to be a way to update the certificate on the device.

    Sharing some good reading about X509 on Azure IoT Hub:

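Both answers leave expiry tracking to the certificate owner: IoT Hub accepts whatever validity the root CA carries, and the device side still needs a rotation path. The script below is an added example, not code from either answer; it reuses the OpenSSL command from the first answer and adds a check on the resulting notAfter date. The subject name, file names and rotation lead time are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Subject, paths and lead
# times are assumptions chosen for illustration.

# make_root_ca KEY CERT DAYS
# Creates a self-signed test root CA with the same flags as the command in
# the answer; a 2048-bit RSA key and a constructed subject are added here.
make_root_ca() {
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl req -x509 -sha256 -new -nodes -key "$1" -days "$3" \
        -subj "/CN=Constructed Test Root CA" -out "$2" 2>/dev/null
}

# not_after CERT
# Prints the certificate's expiry (notAfter) as OpenSSL reports it.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# expires_within CERT DAYS
# Returns 0 when the certificate expires within DAYS days, 1 otherwise.
# "openssl x509 -checkend N" exits 0 if the cert is still valid in N seconds.
expires_within() {
    secs=$(( $2 * 86400 ))
    ! openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null
}

# rotation_status CERT LEAD_DAYS
# Prints ROTATE when the cert is inside the rotation lead time, else OK.
rotation_status() {
    if expires_within "$1" "$2"; then
        echo "ROTATE"
    else
        echo "OK"
    fi
}

# Stand-alone use: sh check_root_ca.sh rootCACert.pem 730
if [ "$#" -eq 2 ]; then
    echo "notAfter: $(not_after "$1")"
    rotation_status "$1" "$2"
fi
```

Run from a scheduled job against the uploaded root and any intermediates, with a lead time long enough to roll the new certificate out to devices before the old one lapses.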
