Creating Additional Types of Certificates for Azure IoT
Overview
This section explains how to create the additional certificates needed to connect to Azure: a verification certificate (the proof of possession for the root certificate you uploaded) and device certificates for use on the gateways.
This page is intended to be used when directed by the Azure IoT Connection instructions.
This page is not meant as a stand-alone guide to general purpose certificate generation.
Verification Certificates
Prerequisites
You should have already created a root certificate and private key, uploaded it to the Azure Portal, and generated a verification code.
You will need:
- The root certificate file
- The private key file
- The verification code
Generating the Verification Certificate
Run the following command to generate a verification private key. This key is not the verification code generated in Azure; the code is entered into the certificate in the next step.
openssl genrsa -out verification.key 2048
Run the following command to create a certificate signing request (CSR) for the verification certificate.
openssl req -new -key verification.key -out verification.csr
Enter the following information when prompted. You may leave all fields except Common Name blank by entering a period into the field. The Common Name field must be the verification code exactly as shown in the Azure Portal; Azure compares the two and rejects the certificate if they differ.
Configuration Fields:
- Country Name: Enter any 2 letter code or enter a period for blank.
- State or Province Name: Enter anything or enter a period for blank.
- Locality Name: Enter anything or enter a period for blank.
- Organization Name: Enter anything or enter a period for blank.
- Organization Unit Name: Enter anything or enter a period for blank.
- Common Name: Enter the verification code from the Azure Portal.
- Email Address: Enter anything or enter a period for blank.
- A Challenge Password: Enter a period for blank. This is a CSR attribute that is not copied into the certificate and is not used by Azure; if you do enter one, make sure to note it.
Run the following command to sign verification.csr with the root private key you previously created, producing the proof of possession certificate.
openssl x509 -req -in verification.csr -CA root-cert.pem -CAkey root-private-key.pem -CAcreateserial -out verificationCert.pem -days 365 -sha256
This will create verificationCert.pem. This is your verification certificate: a certificate whose Common Name is the verification code, signed by the root private key, which proves to Azure that you hold the private key belonging to the uploaded root certificate. It is valid for 365 days, which is ample since it is only used once, when you upload it in the Azure Portal to complete verification. Note that -CAcreateserial writes a root-cert.srl file next to root-cert.pem; keep it so that later certificates signed by the same root get fresh serial numbers.
Device Certificates
In this section you will create a device private key and a certificate signing request (CSR), then sign the CSR with the root to produce a CA-signed device certificate for use on the device.
Prerequisites
You should have already created a root certificate and private key, uploaded it to the Azure Portal, and verified it.
Generating the Device Certificates
Run the following command to create the CSR and device private key.
openssl req -out device.csr -new -newkey rsa:2048 -nodes -keyout device-private-key.pem
Enter the following information when prompted. You may leave all fields except Common Name blank by entering a period into the field. The Common Name is what Azure uses to identify the device, so choose it according to the table below.
Configuration Fields:
- Country Name: Enter any 2 letter code or enter a period for blank.
- State or Province Name: Enter anything or enter a period for blank.
- Locality Name: Enter anything or enter a period for blank.
- Organization Name: Enter anything or enter a period for blank.
- Organization Unit Name: Enter anything or enter a period for blank.
- Common Name: See table below to determine what to use for Common Name.
- Email Address: Enter anything or enter a period for blank.
- A Challenge Password: Enter a period for blank. This is a CSR attribute that is not copied into the certificate and is not used by Azure; if you do enter one, make sure to note it.
| Connection Method | Common Name |
|---|---|
| IoT Hub DPS Enrollment Group | Any unique identifier. This will become the Azure Device ID. |
| IoT Central Individual Enrollment | The Device ID that was assigned to the device when it was created in the IoT Central application. |
| IoT Central Enrollment Group | Any unique identifier. This will become the Azure Device ID within the IoT Central application. |
Run the following command to sign the CSR using the X.509 root certificate and root private key (enforcing SHA-256):
openssl x509 -req -days 365 -in device.csr -CA root-cert.pem -CAkey root-private-key.pem -CAcreateserial -out device.crt -sha256
If the operation was successful you should see output similar to the following (OpenSSL 1.1 and later print the subject line as subject=CN = eurotechtestdevice instead):
Signature ok
subject=/CN=eurotechtestdevice
Getting CA Private Key
The two files to install on the device are listed below. The private key must stay on that device only: do not copy it to other gateways and do not upload it to Azure, which only ever receives the certificate.
- device.crt
- device-private-key.pem
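The script below is an added example, not part of the original page or of the Eurotech gateway tooling. It runs both procedures on this page (the verification certificate and a device certificate) end to end in a scratch directory and then performs the checks worth doing before uploading or deploying anything: that each certificate carries the intended Common Name, that it really chains to the root, and that the private key on disk belongs to the certificate. Because the page assumes you already have a root, the script creates a throwaway root CA as a stand-in; the verification code A1B2C3D4E5F6 and device ID gateway-001 are constructed values, and the only real requirement is that openssl is on the PATH. It uses -subj to replace the interactive prompts, so the subject contains only the CN, which is all Azure looks at.

```shell
#!/bin/sh
# Added example (not from the original page). Runs the verification-certificate
# and device-certificate procedures against a throwaway root CA, then checks
# the results. Assumptions: openssl on PATH; the root CA, verification code
# and device ID below are stand-ins for the real ones.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT_CERT="$WORK/root-cert.pem"
ROOT_KEY="$WORK/root-private-key.pem"
VERIFICATION_CODE="A1B2C3D4E5F6"   # constructed; use the code the Azure Portal shows
DEVICE_ID="gateway-001"            # constructed; see the Common Name table above

# Throwaway root CA standing in for the root you already uploaded to Azure.
make_test_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Test Root CA (do not use)" \
    -keyout "$ROOT_KEY" -out "$ROOT_CERT" 2>/dev/null
}

# The same req + x509 steps as on the page; -subj replaces the prompts so the
# subject has only a CN.  $1 = file basename, $2 = Common Name.
# -CAcreateserial creates root-cert.srl on first use and increments it after.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1-private-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
    -CA "$ROOT_CERT" -CAkey "$ROOT_KEY" -CAcreateserial \
    -out "$WORK/$1.crt"
}

# Prints only the CN of a certificate, independent of the OpenSSL version
# (1.0 prints "subject= CN=x", 1.1 and later print "subject=CN=x").
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/^CN=//'
}

# Succeeds only if the certificate was signed by our root.
chains_to_root() {
  openssl verify -CAfile "$ROOT_CERT" "$1" >/dev/null 2>&1
}

# Succeeds only if the private key ($1) belongs to the certificate ($2): the
# public key derived from the key must equal the one inside the certificate.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_test_root
issue_cert verification "$VERIFICATION_CODE"
issue_cert device "$DEVICE_ID"

for name in verification device; do
  echo "$name.crt: CN=$(cert_cn "$WORK/$name.crt")"
  chains_to_root "$WORK/$name.crt" || { echo "$name.crt does not chain to root"; exit 1; }
  key_matches_cert "$WORK/$name-private-key.pem" "$WORK/$name.crt" \
    || { echo "$name-private-key.pem does not match $name.crt"; exit 1; }
  echo "$name.crt chains to root-cert.pem and matches its private key"
done
```

The chain check is the one to keep in your own workflow: a device certificate that passes openssl verify against root-cert.pem is exactly what Azure will accept once that root is verified, and a certificate that fails it usually means the wrong root or root key was used at the signing step.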