 

Azure IoT Hub Certificate

Tags:

ssl

x509

azure

iot

I'm trying to publish some data on the Azure IoT hub using Mqtt. I've successfully published some data, using a SAS token.

But my customer wants an x509 self generated & self signed certificate. Azure is supporting this, but doesn't give much information about it. (https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#supported-x509-certificates)

A self-generated and self-signed X-509 certificate. A device manufacturer or in-house deployer can generate these certificates and store the corresponding private key (and certificate) on the device. You can use tools such as OpenSSL and Windows SelfSignedCertificate utility for this purpose.

Note IoT Hub does not require or store the entire X.509 certificate, only the thumbprint.

What I've done is created a CA certificate and key.

$ openssl req -newkey rsa:2048 -x509 -nodes -sha256 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt

Created a client key and signing request

$ openssl genrsa -out client.key 2048

$ openssl req -new -sha256 -out client.csr -key client.key

Signed the request and created the certificate

$ openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.srl -out client.crt -days 365

I've uploaded the client key and certificate to the modem. And inserted the thumbprint of the client certificate.

My modem can successfully connect to myhub.azure-devices.net/deviceId (port 8883). But when new data arrives it can't decode it.

I'm kinda stuck from this point on. I've tried to use MqttFx, but with no luck.

Can someone push me into the right direction here?

Max van Kessel asked Jan 06 '17 10:01




2 Answers

For those of you wanting to use the Azure IoT C# SDK, I've created a C#-based code sample that shows you how to associate OpenSSL self-signed and self-generated X509 certs with a device registered in Azure IoT Hub, and then use the certs (primary or secondary) in subsequent runtime operations - specifically sending a telemetry message.

You can choose to use either MQTT or HTTPS as your transport layer.

https://github.com/tamhinsf/SimpleAzureIoTCerts/

Tam Huynh answered Sep 18 '22 19:09


I've fixed this problem:

The configured CA certificate must be the azure certificate: CA Root Certificate Azure SDK. I've used the Baltimore root certificate.

The client certificate and key are correct. The SHA1 thumbprint of the client certificate must be communicated to the Azure IoT hub.

I've used Paho as Mqtt client.

Finally I've had a modem error on connecting to the server. The time inside the modem was still at default (1-1-2004) apparently, and the modem checks the time of the certificate with the current time (1-1-2004), which was invalid, so no connection could be made.

Max van Kessel answered Sep 20 '22 19:09