How To Create IoT Edge EST Certificate Authority

Prerequisites

  1. An Azure IoT Hub Instance
  2. An Azure IoT Device Provisioning Service Instance
  3. A Linux machine running IoT Edge (for this one, just install IoT Edge; once you reach the section on provisioning the device with its cloud identity, jump to this guide)

Overview - Create IoT Edge Certificates Using a Cloud Based EST Certificate Authority

Azure IoT Edge devices need a secure way to authenticate to the cloud; however, managing certificates on IoT devices can be a challenge. Azure IoT Edge supports the Enrollment over Secure Transport (EST) protocol, which allows devices to request certificates from a Certificate Authority (CA) in a secure way. This guide walks you through creating a CA in EZCA that can issue certificates to IoT Edge devices using the EST protocol.

What is Enrollment over Secure Transport (EST)?

Enrollment over Secure Transport (EST), defined in RFC 7030, is a cryptographic protocol that automates the issuance of X.509 certificates. It is used by public key infrastructure (PKI) clients, such as IoT Edge, that need client certificates issued by a Certificate Authority (CA). EST removes the need for manual certificate management, which cannot scale in large IoT deployments.

How To Create an IoT Edge EST Certificate Authority in Azure

The first step in setting up EST for IoT Edge is to create a Certificate Authority that can issue certificates to IoT Edge devices. The Microsoft EST documentation creates a self-signed CA on the IoT Edge device itself, which does not meet the security and compliance requirements of most deployments. This is why we are going to use EZCA, the best cloud-based CA for Azure IoT, to create a CA that can issue certificates to IoT Edge devices.

Do I Need A Root CA or an Intermediate CA for Azure IoT EST?

When creating a CA for IoT Edge, you have to decide whether a Root CA will issue the device certificates directly, or whether you already have a Root CA and want to create an Intermediate CA that issues them. For a small deployment a Root CA is recommended; for a large deployment a 2-tier PKI with a Root CA and Intermediate CAs is recommended. This lets you keep a long-term Root Certificate Authority and short-term Intermediate CAs that can be rotated more frequently, and as your IoT deployment scales you can create more Intermediate CAs for different regions or products.

In this guide, we will assume you have already created your cloud CA subscription in Azure.

  1. Go to your EZCA portal (it is usually https://portal.ezca.io/ but you might be using our regional offerings such as https://eu.ezca.io/ or https://au.ezca.io/ or if you are using a self-hosted EZCA, go to your organization’s EZCA URL)
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities.
  4. Click on “Create CA”.
  5. Select Root CA.
  6. Click Next

Entering EST CA Information

  1. Enter Common Name: this is the name of the CA as it will appear in the certificate.
  2. (Optional) Enter CA Friendly Name: this is the name that will appear in the EZCA portal; by default we will use the Common Name.
  3. (Optional) Enter the Organization: the Organization field is an optional certificate field that usually has the company name.
  4. (Optional) Enter the Organization Unit: the Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (for example: IT or HR).
  5. (Optional) Enter the Country Code: the Country Code field is an optional certificate field that identifies the country where this CA is located.
  6. Click Next.

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility.

Validity Period

  1. Select your Validity Period (learn more about Validity Period best practices). Keep in mind how you will update this certificate on your IoT devices and the lifetime of your IoT devices.
  2. Enter a Notification Email: this email address (as well as the PKI Administrators) will get all the notifications for the lifecycle of the CA.
  3. Select the lifecycle action you want EZCA to take when the expiry of the CA is approaching.

    For Root CAs we recommend a manual lifecycle, since the new Root will have to be added to the trusted root stores of your clients, which requires manual steps from the IT team.

  4. Select the percentage of the certificate's lifetime at which you want EZCA to start taking lifecycle actions.

CA Certificate Revocation List

  1. Select whether this CA should issue a CRL (highly recommended).
  2. Click Next.

CA Certificate Revocation List Advanced Settings

Changes to this section are only recommended for PKI experts with specific requirements.

  1. Click the expand button.
  2. Enter the desired CRL Validity Period in days.
  3. Enter the desired CRL Overlap Period in hours.
  4. (Optional) Enter the CRL endpoint where you will publish your CRLs.

    Custom CRL endpoints are supported by EZCA by adding the endpoint as the CRL distribution point in the certificate. However, your PKI admins are responsible for getting the CRL from EZCA and posting it at that specific endpoint.

  5. Click Next.

Issuance Policy

  1. Select the Certificate Template you want this CA to issue. Leave it as “Subordinate CA Template” unless you are creating a 1-tier PKI (not recommended).
  2. Enter the largest certificate lifetime that this CA can issue. EZCA automatically calculates the recommended maximum based on CA lifecycle best practices.
  3. Click Next.

Select Location

  1. Select the location where you want your CA to be created.
  2. Click Create.

Download Certificate

  1. Once the CA is created, download the certificate and push it to all your devices and to Azure IoT Hub as a trusted root.

How to Create the Intermediate CA for Azure IoT EST

Getting Started

  1. Go to your EZCA portal (it is usually https://portal.ezca.io/ but you might be using our regional offerings such as https://eu.ezca.io/ or https://au.ezca.io/ or if you are using a self-hosted EZCA, go to your organization’s EZCA URL)
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities.
  4. Click on “Create CA”.
  5. Select Subordinate/Intermediate CA.
  6. Click Next

Entering CA Information

  1. Enter Common Name: this is the name of the CA as it will appear in the certificate.
  2. (Optional) Enter CA Friendly Name: this is the name that will appear in the EZCA portal; by default we will use the Common Name.
  3. (Optional) Enter the Organization: the Organization field is an optional certificate field that usually has the company name.
  4. (Optional) Enter the Organization Unit: the Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (for example: IT or HR).
  5. (Optional) Enter the Country Code: the Country Code field is an optional certificate field that identifies the country where this CA is located.
  6. Click Next.

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility.

Validity Period

  1. Select your Validity Period (learn more about Validity Period best practices).
  2. Enter a Notification Email: this email address (as well as the PKI Administrators) will get all the notifications for the lifecycle of the CA.
  3. Select the lifecycle action you want EZCA to take when the expiry of the CA is approaching.
  4. Select the percentage of the certificate's lifetime at which you want EZCA to start taking lifecycle actions.

CA Certificate Revocation List

  1. Select whether this CA should issue a CRL (highly recommended).
  2. Click Next.

CA Certificate Revocation List Advanced Settings

Changes to this section are only recommended for PKI experts with specific requirements.

  1. Click the expand button.
  2. Enter the desired CRL Validity Period in days.
  3. Enter the desired CRL Overlap Period in hours.
  4. (Optional) Enter the CRL endpoint where you will publish your CRLs.

    Custom CRL endpoints are supported by EZCA by adding the endpoint as the CRL distribution point in the certificate. However, your PKI admins are responsible for getting the CRL from EZCA and posting it at that specific endpoint.

  5. Click Next.

Issuance Policy

  1. Leave the Certificate issuance template as “SSL Template”.
  2. Enter the largest certificate lifetime that this CA can issue. EZCA automatically calculates the recommended maximum based on CA lifecycle best practices.
  3. Click Next.

Select Location

  1. Select the location where you want your CA to be created.

Add Geo-Redundancy

EZCA allows you to create multiple CAs across many regions for geo-redundancy and scalability.

Each location will be charged as an extra Certificate Authority.

  1. Click the “Add Secondary Location” button.
  2. Enter the location information.
  3. Add as many locations as needed.

Create CA

  1. Click Create.

Chaining to EZCA Root CA

  1. Once the CA is requested, a Certificate Signing Request (CSR) will be created for each location.
  2. If your desired Root CA is an EZCA CA, select it from the dropdown and click Create CA.
  3. Repeat these steps for each location.
  4. Your CA is ready to be used!

How to Create IoT Edge Device Certificates Using EST

Once you have created your cloud CA for Azure IoT, the next step is to get the EST URL that the IoT Edge device will use to request its certificate.

  1. From the EZCA portal, go to the Certificate Authorities menu.
  2. Click on “View Details” of the CA you want to use for your IoT Edge devices.
  3. Copy the EST URL.
  4. We also want to get the CA certificate (and any other CA certificates in the chain) to use as a trusted root on the IoT Edge device. Download it and save it on the IoT Edge device in “/var/aziot/certs”; in this tutorial I will save it as “ca.pem”.
  5. After we have saved the certificate on the IoT Edge device, we need to give the aziotcs user access to the certificate:
    sudo chown -R aziotcs:aziotcs /var/aziot/certs
    # Read and write for aziotcs, read-only for others
    sudo find /var/aziot/certs -type f -name "*.*" -exec chmod 644 {} \;

How to Configure Azure DPS to Use the Azure IoT EST Certificate Authority

  1. Next, we need to configure the Device Provisioning Service to accept the certificates from our CA. In the Azure Portal, go to the IoT DPS instance that we are using for our IoT Edge devices.
  2. Go to Settings, then “Certificates”, and add the CA certificate that we just downloaded (make sure to check the box that says “Set certificate status to verified on upload”), then click Save.
  3. Now that we have added the CA, we must create an enrollment group that will use this CA to issue the certificates to the IoT Edge devices. Go to “Manage enrollments” on the left menu and click on “Add enrollment group”.
  4. Select “X.509 certificates uploaded to this Device Provisioning Service instance” and set the primary certificate to the CA certificate that we uploaded before (if you also have other CAs, you would add them as secondary, but in this case I am doing a single-tier CA).
  5. Select a name for this enrollment group.
  6. Select the IoT Hubs tab at the top and select the IoT Hub that we want to use with this enrollment group (if you have multiple IoT Hubs, you can select them all and choose how the traffic will be distributed).
  7. Last, select the “Device Settings” tab at the top, select “Enable IoT Edge on provisioned devices”, and then click Save.

How to Configure IoT Edge Device to Use the Azure IoT EST Certificate Authority

The last step is to configure the IoT Edge device to use the EST protocol to request its certificate from the CA and then register with Azure IoT Hub through DPS. The Microsoft sample uses a username and password for EST authentication, which Microsoft notes is not recommended for production, so instead we are going to manually create a “bootstrap” certificate and then use the EST protocol to request the certificate from the CA.

This is the manual version of the process; for the automatic version, you can use our Azure IoT Security Best Practices to design your automatic bootstrapping process with our easy-to-use APIs, code samples and NuGet package.

How To Create the Bootstrap Certificate for Azure IoT EST

As mentioned in the Azure IoT Security Best Practices, this should be done in a secure environment and the private key should be stored in a secure location. For the sake of simplicity, we are going to manually create the certificate on the IoT Edge device.

  1. Go to the EZCA portal, open the Certificates page and click “Create Certificate”.
  2. If you have multiple CAs, select the CA that you want to use to issue the certificate.
  3. Enter the device ID of the IoT Edge device that you want to create the certificate for as the common name and as a DNS name.
  4. Click on “How to create CSR Locally” and copy the OpenSSL command.
  5. SSH into the IoT Edge device and navigate to the folder where you want to save the certificate; for this example I will use /var/aziot/authcerts and run the command to create the CSR. I used the following commands to create the directory and give read and write permissions to both Azure IoT users:
    sudo mkdir -p /var/aziot/authcerts
    sudo chown -R aziotks:aziotks /var/aziot/authcerts
    # Note: mode 777 also lets every local user read and modify the key files; tighten this in production
    sudo find /var/aziot/authcerts -type f -name "*.*" -exec chmod 777 {} \;
    cd /var/aziot/authcerts
  6. Here are the commands I ran, note how I added -nodes since currently Azure IoT Edge does not support encrypted private keys:
    cd /var/aziot/authcerts
    openssl req -new -newkey rsa:4096 -nodes -keyout certificate.key -out certificate.csr -subj /CN=my-iot-device1
    cat certificate.csr 
    

  7. Copy the CSR, paste it in the CSR field in the EZCA portal and click “Request Certificate”.
  8. This will create the certificate; download it and save it on the IoT Edge device in the same folder as the CSR (I am lazy and I just copy the text into the certificate.pem file by creating one with nano using nano certificate.pem).

How To Configure IoT Edge Device to Use the Azure IoT EST Certificate Authority with the Bootstrap Certificate

Now that we have the bootstrap certificate (reminder: for your final design you will want to do that in the factory), we can configure the IoT Edge device to use the EST protocol to request the certificate from the CA by modifying the /etc/aziot/config.toml file on the IoT Edge device, using the file below (replace the placeholders with the actual values):

# Replace with ID Scope from your DPS
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net"
id_scope = "<DPS-ID-SCOPE>"

[provisioning.attestation]
method = "x509"
registration_id = "<myiotedgedevice>"

# ==============================================================================
# Cert issuance
# ==============================================================================
#
[provisioning.attestation.identity_cert]
method = "est"
common_name = "<myiotedgedevice>"

# Auto renewal settings for the identity cert
# Available only from IoT Edge 1.3 and above
[provisioning.attestation.identity_cert.auto_renew]
rotate_key = true
threshold = "80%"
retry = "4%"

[cert_issuance.est]

# Trusted root certificates to validate the EST server's TLS certificate; please add all your CA certificates here.
trusted_certs = [
    "file:///var/aziot/certs/ca.pem",
]

# Provides a default URL if the EST URL is not provided for a certificate (This is the one we got from EZCA at the beginning).
[cert_issuance.est.urls]
default = "https://est.eu.ezca.io/est/1c3c6cea-fcbd-4681-85e1-74fb74b6863e/44934e59-64e3-4987-a54a-d4a30097c62b/westeurope/.well-known/est"

# Below are options for authenticating with the EST server. The required options will depend on the EST
# server's configuration. These global settings apply to all certificates that don't configure auth separately.

[cert_issuance.est.auth]
# Authentication with TLS client certificate. Provide the path of the client cert and its corresponding
# private key. These files must be readable by the users aziotcs and aziotks, respectively.
identity_cert = "file:///var/aziot/authcerts/certificate.pem"
identity_pk = "file:///var/aziot/authcerts/certificate.key"

# Authentication with a TLS client certificate which will be used once to create the initial certificate.
# After the first certificate issuance, an identity_cert and identity_pk will be automatically created and
# used. Provide the path of the bootstrap client cert and its corresponding private key. These files must
# be readable by the users aziotcs and aziotks, respectively.
bootstrap_identity_cert = "file:///var/aziot/authcerts/certificate.pem"
bootstrap_identity_pk = "file:///var/aziot/authcerts/certificate.key"

## Controls the renewal of EST identity certs. These certs are issued by the EST server after
## initial authentication with the bootstrap cert and managed by Certificates Service.
[cert_issuance.est.identity_auto_renew]
rotate_key = true
threshold = "80%"
retry = "4%"

  1. After you have modified the file, apply the configuration by running sudo iotedge config apply.
  2. Run sudo iotedge check to verify the configuration; the device should now connect successfully to IoT Hub.
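Before running iotedge config apply, it is worth checking that the bootstrap material created in the previous section matches what config.toml points at: it must chain to ca.pem, its key must be unencrypted and belong to the certificate, and its CN must be the device ID. The following POSIX shell function is an added example, not part of this guide or of IoT Edge; it assumes openssl is installed on the device, and its argument defaults are the paths used in the config above.

```shell
#!/bin/sh
# Added pre-flight check for the EST bootstrap material referenced in config.toml.
# Usage: verify_bootstrap_material <device-id> [ca.pem] [certificate.pem] [certificate.key]
# Prints the reason and returns 1 on the first failed check, 0 when all checks pass.
verify_bootstrap_material() {
    device_id="$1"
    ca="${2:-/var/aziot/certs/ca.pem}"                  # trusted_certs entry (full chain)
    cert="${3:-/var/aziot/authcerts/certificate.pem}"   # bootstrap_identity_cert
    key="${4:-/var/aziot/authcerts/certificate.key}"    # bootstrap_identity_pk

    # 1. The bootstrap certificate must chain to the CA uploaded to DPS and trusted by IoT Edge.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi

    # 2. IoT Edge needs an unencrypted private key (hence -nodes when creating the CSR).
    if grep -q "ENCRYPTED" "$key"; then
        echo "FAIL: $key is encrypted; regenerate it with -nodes"; return 1
    fi

    # 3. The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; return 1
    fi

    # 4. The subject CN must be the device ID used as registration_id and common_name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$device_id" ]; then
        echo "FAIL: certificate CN '$cn' does not match device ID '$device_id'"; return 1
    fi

    # 5. Warn if the private key is readable by every local user (only aziotks needs it).
    if [ -n "$(find "$key" -perm -004)" ]; then
        echo "WARN: $key is world-readable; restrict its mode"
    fi

    echo "OK: $cert is ready to bootstrap $device_id"
    return 0
}
```

Run it as the same user that will read the files (or via sudo), e.g. verify_bootstrap_material my-iot-device1, before applying the configuration.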