Creating Additional Types of Certificates for Azure IoT

Overview

This section explains how to create additional types of certificates for connecting to Azure, including verification certificates and device certificates for use on the gateways.

This page is intended to be used when directed by the Azure IoT Connection instructions.

This page is not meant as a stand-alone guide to general purpose certificate generation.

Verification Certificates

Prerequisites

You should have already created a root certificate and private key, uploaded it to the Azure Portal, and generated a verification code.

You will need:

  • The root certificate file
  • The private key file
  • The verification code

Generating the Verification Certificate

Run the following command to generate a private key for the verification certificate (this key is different from the verification code generated in Azure).

openssl genrsa -out verification.key 2048

Run the following command to create a verification certificate.

openssl req -new -key verification.key -out verification.csr

Enter the following information when prompted. You may leave all fields except Common Name blank by entering a period into the field. The Common Name field must be the verification code from the Azure Portal.

Configuration Fields:

  • Country Name: Enter any 2 letter code or enter a period for blank.
  • State or Province Name: Enter anything or enter a period for blank.
  • Locality Name: Enter anything or enter a period for blank.
  • Organization Name: Enter anything or enter a period for blank.
  • Organization Unit Name: Enter anything or enter a period for blank.
  • Common Name: Enter the verification code from the Azure Portal.
  • Email Address: Enter anything or enter a period for blank.
  • A Challenge Password: Enter anything or enter a period for blank. Make sure to note the password if you enter one.

Run the following command to sign your verification.csr with the root private key you previously created, producing the proof-of-possession certificate.

openssl x509 -req -in verification.csr -CA root-cert.pem -CAkey root-private-key.pem -CAcreateserial -out verificationCert.pem -days 365 -sha256

This creates verificationCert.pem, your verification certificate (the proof of possession for your Public Key Certificate, showing that you hold the private key of the root certificate you uploaded). It is valid for 365 days.

Device Certificates

In this section you will create a device private key and a CSR, then sign the CSR with your root CA to produce the device certificate.

Prerequisites

You should have already created a root certificate and private key, uploaded it to the Azure Portal, and verified it.

Generating the Device Certificates

Run the following command to create the CSR and the device private key. The -nodes option writes the private key to disk unencrypted, so protect the file accordingly.

openssl req -out device.csr -new -newkey rsa:2048 -nodes -keyout device-private-key.pem

Enter the following information when prompted. You may leave all fields except Common Name blank by entering a period into the field.

Configuration Fields:

  • Country Name: Enter any 2 letter code or enter a period for blank.
  • State or Province Name: Enter anything or enter a period for blank.
  • Locality Name: Enter anything or enter a period for blank.
  • Organization Name: Enter anything or enter a period for blank.
  • Organization Unit Name: Enter anything or enter a period for blank.
  • Common Name: See table below to determine what to use for Common Name.
  • Email Address: Enter anything or enter a period for blank.
  • A Challenge Password: Enter anything or enter a period for blank. Make sure to note the password if you enter one.

Connection Method                   Common Name
IoT Hub DPS Enrollment Group        Any unique identifier. This will become the Azure Device ID.
IoT Central Individual Enrollment   The Device ID that was assigned to the device when it was created in the IoT Central Application.
IoT Central Enrollment Group        Any unique identifier. This will become the Azure Device ID within the IoT Central Application.

Run the following command to sign the CSR using the X.509 root certificate and root private key (enforcing SHA-256):

openssl x509 -req -days 365 -in device.csr -CA root-cert.pem -CAkey root-private-key.pem -CAcreateserial -out device.crt -sha256

If the operation was successful you should see an output similar to:

Signature ok
subject=/CN=eurotechtestdevice
Getting CA Private Key

The two files to use on the device are:

  • device.crt
  • device-private-key.pem
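To catch the most common mistakes before the files go onto the gateway, the script below (an added example, not part of the original instructions; it assumes openssl is on PATH and uses the file names from this page) checks that device.crt chains to root-cert.pem, was signed with SHA-256, carries the expected Common Name and matches device-private-key.pem.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks a device certificate
# produced by the steps above before it is copied to the gateway.
# Assumes: openssl on PATH; file names as used on this page.
set -u

# check_device_cert CERT KEY ROOT EXPECTED_CN
# Returns 0 only if CERT chains to ROOT, is signed with SHA-256, has
# EXPECTED_CN as its Common Name and belongs to the private key KEY.
check_device_cert() {
  cert=$1; key=$2; root=$3; expected_cn=$4

  # 1. Chain: the device cert must be issued by the root uploaded to Azure.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $root"; return 1; }

  # 2. Signature algorithm: -sha256 in the signing command must have taken effect.
  openssl x509 -in "$cert" -noout -text \
    | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "FAIL: $cert is not signed with SHA-256"; return 1; }

  # 3. Common Name: Azure derives the Device ID from it (see the table above).
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ] \
    || { echo "FAIL: CN is '$cn', expected '$expected_cn'"; return 1; }

  # 4. Key pair: the public key in the cert must match the private key file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }

  echo "OK: $cert is ready for the device"
  return 0
}

# Usage: sh check-device-cert.sh device.crt device-private-key.pem root-cert.pem <Device ID>
if [ "$#" -eq 4 ]; then
  check_device_cert "$@"
fi
```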