X509 Certificates are the most secure way for IoT devices to authenticate with Azure. In this tutorial, we will show you how to use Azure Device Provisioning Service to automatically enroll and connect your IoT devices to Azure in a secure and compliant way.
Using Device Provisioning Service does not support CA certificate rotation and forces you to re-enroll the device each certificate rotation. To get the full certificate automation that our Azure IoT Certificate Integration offers We recommend using IoT Hub CA Certificate Authentication instead. Here is a guide on how to set it up.
For this tutorial we need an Azure IoT hub and an Azure Device Provisioning Service.
After creating the Azure resource, the next step is to establish a trust between Azure and our Certificate Authority. This trust tells Azure to trust any certificate issued by this Certificate Authority as a valid credential for this IoT Hub.
This can be done with our one click trust in the EZCA portal as well as manually in the Azure portal. First we will demonstrate how to do it with EZCA’s one click trust an then Manually in Azure.
This Option will add automatically add your CA to Azure IoT Hub and will automatically update the new CA certificates to Azure IoT hub when the CA is renewed. Additionally, since Azure IoT does not follow the RFC 5280 standard for certificate revocation, EZCA will automatically disable the device in Azure IoT Hub when a certificate is revoked.
Once the IoT Hub is created, we need to create the Device Provisioning Service. As the name implies, the Device Provisioning Service will help you programmatically register the devices with your Azure IoT Hub. While at a small scale this might seem like an unnecessary service, this service starts playing a key role at scale when you have to distribute IoT devices across multiple IoT Hubs.
Once both resources are created, we now have to connect them together to allow the Device Provisioning Service to provision IoT devices in your IoT Hub(s).
After we have connected the Device Provisioning Service to IoT Hub, the last step we have to do is establish trust between EZCA and DPS.
Since we are using using the same CAs as IoT Hub, if you have them saved in your computer there is no need to get them from EZCA again.
The last step we have to do to configure our Azure Device Provisioning Service is to create an enrollment group for our CA to provision devices to the desired Azure IoT Hub Instances.
Now that we have created our Azure IoT Hub and established trust with the EZCA CA, we will download a sample repository that will: register the domain in EZCA, create a certificate, use the certificate to register the device in Azure, and then use the same certificate to authenticate to Azure.
SimulateDeviceProvisioning.csproj
project located in AzureIoTSamples -> SimulateDeviceProvisioning.
This project has to be run on Linux or Mac due to a limitation that .NET in Windows requires you to use the windows cert store to use X509 Certificates. If you are in a Windows workstation, we recommend running this in VS Code WSL. Alternatively, you can modify the sample with our Windows Cert Store Sample to use the Windows store to create the certificates (not recommended since your IoT devices will not have a Windows store and you will have to rewrite the code again).
Before running the sample code, we have to change two variables _globalEndpoint
and _dpsIDScope
.
string _globalEndpoint = "global.azure-devices-provisioning.net";
string _dpsIDScope = "0ne004A9EDB";
After modifying those variables, the code is ready to be run and register your first device in Azure.
This CA has to be one of the CAs you added to IoT Hub in the “Establish Trust Between IoT Hub and Your EZCA CA” step.
While having a working code sample is great, we recommend going in and understanding the details of what the code is doing. For this I am going to open the solution in Visual Studio to also see the EZCASharedLibrary.csproj
library that this project depends on to create the certificates.
SimulateIoTHubDevice.sln
solution in Visual Studio or your preferred text editor.EZCASharedLibrary.csproj
This project is a library to call EZCA and manage all the cryptographic operationsSimulateDeviceProvisioning.csproj
The project used for this tutorial (It depends on EZCASharedLibrary for cryptographic operations)SimulateIoTHubDevice.csproj
This Project is covered in our guide on authenticating IoT devices to Azure IoT Hub It is basically a lightweight version of this project that doesn’t have the automatic device provisioning.SimulateDeviceProvisioning.csproj
project.
This part of the code is for usability of the sample, in real production scenario, the CA would have been selected in advance and passed as a setting to the registration program.
ezManager.GetAvailableCAsAsync()
if we deep dive into this function, we can see that it gets a token and then calls an API to get the available CAs. Let’s dive into the get token function.
private async Task<string> GetTokenAsync()
{
if (_token == null || _token.Value.ExpiresOn < DateTime.UtcNow)
{
//Create Azure Credential
//This example includes Interactive for development purposes.
//For production you should remove interactive since there is no human involved
DefaultAzureCredential credential = new(includeInteractiveCredentials: true);
TokenRequestContext authContext = new(
new string[] { "https://management.core.windows.net/.default" });
_token = await credential.GetTokenAsync(authContext);
}
return _token.Value.Token;
}
As we can see, this function uses Azure default credentials which will try to use an MSI and then your developer credentials. This is great for development since it allows you to use your person identity to authenticate as a machine. However, as we outline in our guide IoT Security Best Practices the IoT devices should be issued by a machine. If that machine is an Azure computer, no need to change this code. If the machine programming your IoT devices is not an Azure VM, You will have to change this authentication code to use an Client Certificate Credential
ezManager.GetAvailableCAsAsync()
will call the EZCA api to get the available SSL CAs that that user can request from.
HttpResponseMessage response = await _httpService.GetAPIAsync($"{_portalURL}api/CA/GetAvailableSSLCAs", await GetTokenAsync());
Once the CA is selected, we have to create a fake DeviceID and register it as a domain for the CA en EZCA. This is all done in the RegisterDomainAsync
function.
NewDomainRegistrationRequest
object, this object will then be send as a post request to EZCA. Below you can see an explanation of each of the fields.
public class NewDomainRegistrationRequest
{
[JsonPropertyName("CAID")]
public string? CAID { get; set; } //This is the CA ID used by EZCA to know which CA you are requesting from. We got this value from the CA Information.
[JsonPropertyName("TemplateID")]
public string? TemplateID { get; set; } // This is another ID Value that allows EZCA to know which CA you are requesting from. We got this value from the CA Information.
[JsonPropertyName("Domain")]
public string? Domain { get; set; } // In this case the domain is the device ID of the Device
[JsonPropertyName("Owners")]
public List<AADObjectModel> Owners { get; set; } = new List<AADObjectModel>(); //This are the AAD Objects that are allowed to make changes to this domain.
[JsonPropertyName("Requesters")]
public List<AADObjectModel> Requesters { get; set; } = new List<AADObjectModel>(); //This are the AAD objects allowed to request certificates for this domain. For this field we recommend keeping it to your enrollment agent only. After the first certificate is issued, your IoT device can use that certificate to renew its certificate.
}
NewDomainRegistrationRequest
object, we send the post request to EZCA.
HttpResponseMessage response = await _httpService.PostAPIAsync($"{_portalURL}api/CA/RegisterNewDomain", JsonSerializer.Serialize(request), await GetTokenAsync());
Once the “domain” for this device ID is registered in EZCA, we can go ahead and request the certificate. To create the certificate, we call ezManager.RequestCertificateAsync(selectedCA, deviceID);
This function will create a certificate signing request, request the certificate and return the newly created X509 certificate.
//create a 4096 RSA key
RSA key = RSA.Create(4096);
//create Certificate Signing Request
X500DistinguishedName x500DistinguishedName = new("CN=" + domain);
CertificateRequest certificateRequest = new(x500DistinguishedName, key,
HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
string csr = PemEncodeSigningRequest(certificateRequest);
List<string> subjectAlternateNames = new()
{
domain
};
int certificateValidityDays = 10; // setting the lifetime of the certificate to 10 days
CertificateCreateRequestModel
object, this object will then be send as a post request to EZCA. Below you can see an explanation of each of the fields.
public class CertificateCreateRequestModel
{
[JsonPropertyName("SubjectName")]
public string SubjectName { get; set; } //This is the subject name of the certificate, for this case we set CN=DeviceID where DeviceID is your device ID. This is used by Azure to know which device is calling.
[JsonPropertyName("SubjectAltNames")]
public List<string> SubjectAltNames { get; set; } = new List<string>(); //This are alternative names for the subject name, this was introduced to have multiple domains in one certificate. Since some authentication standards use subject alternate names for authentication, we add the device ID as a subject alternate name.
[JsonPropertyName("CAID")]
public string? CAID { get; set; } //This is the CA ID used by EZCA to know which CA you are requesting from. We got this value from the CA Information.
[JsonPropertyName("TemplateID")]
public string? TemplateID { get; set; } // This is another ID Value that allows EZCA to know which CA you are requesting from. We got this value from the CA Information.
[JsonPropertyName("CSR")]
public string CSR { get; set; } //this is the signing request we created to prove we own the private key.
[JsonPropertyName("ValidityInDays")]
public int ValidityInDays { get; set; } //this is the number of days the certificate will be valid
[JsonPropertyName("EKUs")]
public string[] EKUs { get; set; } = new string[] { "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2" }; //this is what the certificate can be used for. By default we add Client authentication and Server authentication
[JsonPropertyName("KeyUsages")]
public string[] KeyUsages { get; set; } = new string[] { "Key Encipherment", "Digital Signature" }; // this is what the certificate's key can be used for.
//The following fields are used to give visibility to your administrators how you are using the certificate
[JsonPropertyName("SelectedLocation")]
public string SelectedLocation { get; set; } = "IoT Device"; // where the device is being stored.
[JsonPropertyName("ResourceID")]
public string ResourceID { get; set; } = string.Empty; //This is only used when the certificate is being stored in Azure
[JsonPropertyName("SecretName")]
public string SecretName { get; set; } = string.Empty; //This is only used when the certificate is being stored in Azure
[JsonPropertyName("AKVName")]
public string AKVName { get; set; } = string.Empty;//This is only used when the certificate is being stored in Azure
[JsonPropertyName("AutoRenew")]
public bool AutoRenew { get; set; } = false; //This indicates if you want EZCA to automatically renew your certificate. This feature is only available when the certificate is being stored in Azure
[JsonPropertyName("AutoRenewPercentage")]
public int AutoRenewPercentage { get; set; } = 80; //This feature is only available when the certificate is being stored in Azure
}
CertificateCreateRequestModel
object we send the certificate request to Azure.
//Request Certificate from EZCA
HttpResponseMessage response = await _httpService.PostAPIAsync($"{_portalURL}api/CA/RequestSSLCertificate",
JsonSerializer.Serialize(request), await GetTokenAsync());
APIResultModel? result = JsonSerializer.Deserialize<APIResultModel>(await response.Content.ReadAsStringAsync());
if (result != null)
{
if(result.Success)
{
X509Certificate2 certificate = ImportCertFromPEMString(result.Message);
return certificate.CopyWithPrivateKey(key);
}
}
By now we have registered the device in EZCA and create a certificate for this device. Now we have to provision that device in Azure.
To provision devices in Azure, we will need the Microsoft.Azure.Devices.Provisioning.Client
NuGet package.
SecurityProviderX509Certificate
object.
SecurityProviderX509Certificate security = new(deviceCertificate);
ProvisioningDeviceClient provClient = ProvisioningDeviceClient.Create(_globalEndpoint, _dpsIDScope, security, new ProvisioningTransportHandlerMqtt());
DeviceRegistrationResult result = await provClient.RegisterAsync();
Now that we have registered the device in Azure, all we have to do is authenticate to Azure and send some messages to test that it is working.
To Authenticate with Azure we will need the Microsoft.Azure.Devices.Client
NuGet package.
DeviceAuthenticationWithX509Certificate
with the device ID and the certificate issued for that device.
DeviceAuthenticationWithX509Certificate auth = new (deviceID, deviceCertificate);
var deviceClient = DeviceClient.Create(result.AssignedHub, auth, TransportType.Mqtt);
static async Task SendEventAsync(DeviceClient deviceClient, string deviceId)
{
//ref https://docs.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certificate
string dataBuffer;
int MESSAGE_COUNT = 5;
Random rnd = new Random();
float temperature;
float humidity;
int TEMPERATURE_THRESHOLD = 30;
Console.WriteLine("Device sending {0} messages to IoTHub...\n", MESSAGE_COUNT);
// Iterate MESSAGE_COUNT times to set random temperature and humidity values.
for (int count = 0; count < MESSAGE_COUNT; count++)
{
// Set random values for temperature and humidity.
temperature = rnd.Next(20, 35);
humidity = rnd.Next(60, 80);
dataBuffer = string.Format("{{\"deviceId\":\"{0}\",\"messageId\":{1},\"temperature\":{2},\"humidity\":{3}}}",
deviceId, count, temperature, humidity);
Message eventMessage = new Message(Encoding.UTF8.GetBytes(dataBuffer));
eventMessage.Properties.Add("temperatureAlert",
(temperature > TEMPERATURE_THRESHOLD) ? "true" : "false");
Console.WriteLine("\t{0}> Sending message: {1}, Data: [{2}]",
DateTime.Now.ToLocalTime(), count, dataBuffer);
// Send to IoT Hub.
await deviceClient.SendEventAsync(eventMessage);
}
}
In this tutorial, we were able to create IoT devices, register them in Azure, and start communicating with Azure from the IoT device. While this is great for a proof of concept, all the actions are taken in one device since the IoT device is simulated. Read our IoT Security Best Practices to learn how you can design a secure and compliant pipeline in your factory.