Examine how to configure verified CA certificates


A verified X.509 Certificate Authority (CA) certificate is a CA certificate that has been uploaded and registered to your provisioning service and has gone through proof-of-possession with the service.

Verified certificates play an important role when using enrollment groups. Verifying certificate ownership provides an extra security layer by ensuring that the uploader of the certificate is in possession of the certificate's private key. Verification prevents a malicious actor sniffing your traffic from extracting an intermediate certificate and using that certificate to create an enrollment group in their own provisioning service, effectively hijacking your devices. By proving ownership of the root or an intermediate certificate in a certificate chain, you're proving that you have permission to generate leaf certificates for the devices that are registered as a part of that enrollment group. For this reason, the root or intermediate certificate that is configured in an enrollment group must either be a verified certificate or must roll up to a verified certificate in the certificate chain a device presents when it authenticates with the service.

Certificate verification can be implemented through:

  • Automatic verification of intermediate or root CA through self-attestation
  • Manual verification of intermediate or root CA

Automatic verification of intermediate or root CA through self-attestation

If you are using an intermediate or root CA certificate that you trust and know you have full ownership of, you can self-attest that you have verified the certificate.

To add an auto-verified certificate, follow these steps:

  1. In the Azure portal, navigate to your provisioning service and select Certificates from the left-hand menu.

  2. Select Add to add a new certificate.

  3. Enter a friendly display name for your certificate.

  4. Browse to the .cer or .pem file that represents the public part of your X.509 certificate. Select Upload.

  5. Check the box next to Set certificate status to verified on upload.

  6. Select Save.

Your certificate is shown in the certificate tab with a status Verified.

Manual verification of intermediate or root CA

Automatic verification is recommended when you upload new intermediate or root CA certificates to the Device Provisioning Service (DPS). However, you can still perform proof-of-possession if it makes sense for your Azure IoT Hub scenario.

Proof-of-possession involves the following steps:

  1. Get a unique verification code generated by the provisioning service for your X.509 CA certificate. You can do this from the Azure portal.
  2. Create an X.509 verification certificate with the verification code as its subject and sign the certificate with the private key associated with your X.509 CA certificate.
  3. Upload the signed verification certificate to the service. The service validates the verification certificate using the public portion of the CA certificate to be verified, thus proving that you are in possession of the CA certificate's private key.

For more information about manual certificate verification and proof-of-possession, see Manual verification of intermediate or root CA.