How can I test the new DigiCert with my device that uses x509 self signed certificates?

Question

How can I test the new DigiCert with my device that uses x509 self signed certificates?

Haris Papageorge 251

Hi,

Because of the update that is about to take place (2393169) I am conducting some tests. However, the instructions that are given for validation of this new root cert only mention a SharedAccessKey. How should I validate the procedure with my device that uses x509 self signed certificates?

thanks

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-06-09T14:06:38.133+00:00

@Haris Papageorge , Wanted to follow up with you to understand whether the below information helped. Please let us know if there are any other queries.
If below suggestions answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-06-09T14:06:38.133+00:00

@Haris Papageorge , Wanted to follow up with you to understand whether the below information helped. Please let us know if there are any other queries.
If below suggestions answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.

Answer 1

Sander van de Velde | MVP 36,766 MVP Volunteer Moderator

Hello @Haris Papageorge ,

Microsoft is switching over to the 'DigiCert Global G2 root' certificate for TLS traffic.

This means that your IoT devices must include 'the DigiCert Global G2 root cert by February 15, 2023'.

It seems you use x509 self-signed certificates to identify your devices. Your self-signed certificate is just an Identity, it is not used for encrypting the TLS traffic towards IoT Hub and/or DPS.

It's all about testing the TLS connection using that root certificate. That is why the symmetric key (SharedAccessKey) test is offered.

See also the comments below the announcement text.

Haris Papageorge 251 Reputation points

2022-05-26T07:25:35.15+00:00

Hi @Sander van de Velde | MVP ,

Good to know. So what configuration should the MQTTFX client have for example? I am using MQTTfx because my device works similarly to it.

I have the following and connection is not established.

Broker: g2cert.azure-devices.net
Port: 8883
Client ID: TestDevice1
User Name: g2cert.azure-devices.net/TestDevice1/?api-version=2018-06-30

I get a message saying "Not authorized to connect"
I also tried with just the Ca certificate as well as using "g2cert.azure-devices.net" as a username which gives the error broker not available.

thanks
Sander van de Velde | MVP 36,766 Reputation points MVP Volunteer Moderator

2022-05-30T21:57:40.207+00:00

Hello @Haris Papageorge ,

this question is answered in the Comments section of the blog post:

The only thing that needs to be validated is that the TLS handshake was successful. The connection string given already has a credential in there (albeit a fake credential), so using that connection string, your device will attempt to connect, successfully validate the server and then fail as unauthorized. Please validate just the handshake, and you should be able good.

If this is the solution, please confirm it here. Thanks.

Share via

How can I test the new DigiCert with my device that uses x509 self signed certificates?

0 additional answers

Your answer