
I have been using Device Provisioning Service to provision the device using a device/leaf certificate that is signed by a CA authority. The DPS (Device Provisioning Service) service registers the device in the assigned IoT Hub.

I noticed that the thumbprint in IoT Hub for this device is different from the thumbprint in the cert provided to the DPS (device cert). I wanted to check and see if anyone knows how DPS creates these thumbprints.

It also looks like if the device uses another/different certificate signed by the same CA to connect to IoT Hub, it can do that without any issue. Is there a setting that checks for the individual thumbprint, or is the authentication only based on possession of a cert that was signed by the same CA as in DPS?

Your help is much appreciated.

2 Answers


  1. A thumbprint, also known as a fingerprint or hash, is a unique value derived from a certificate’s contents. It is commonly used to identify certificates and verify their integrity. The thumbprint is typically generated using a cryptographic hash function.

    • DPS likely extracts and stores a different format of the thumbprint than what’s present in the device certificate. This could be due to variations in hashing algorithms or the specific fields used for calculating the thumbprint.
    • You can verify this by using the same hashing algorithm and fields on the device certificate to generate the thumbprint and compare it with the one displayed in IoT Hub.
    • Yes, a device can use a different certificate signed by the same CA to connect to IoT Hub/DPS, but the certificate is registered with the same IoT Hub/DPS and the device possesses the private key for the certificate.
    • Steps to Provision an X.509 certificate simulated device from DOC
    • Add the IoT hub to Linked IoT hubs.
    • Create a device enrollment.

    The code was taken from git.


  2. When you use a CA-signed certificate with DPS, the DPS will add your device to the IoT hub using self-signed authentication. However, it uses a SHA256 fingerprint rather than the SHA1 that you are likely used to.
    You can view the SHA256 fingerprint with OpenSSL using the command:

    openssl x509 -noout -text -in <yourcert.pem> -fingerprint -sha256

    The IoT hub will try both the SHA1 fingerprint and the SHA256 fingerprint thus it works.

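The check suggested in the first answer (hash the certificate yourself and compare) and the point made in the second (IoT Hub stores a SHA-256 fingerprint, OpenSSL prints it colon-separated) can be done offline in a few lines. The script below is an added example and is not code from either answer or from Azure; it assumes a PEM-encoded leaf certificate, computes the fingerprint the same way `openssl x509 -fingerprint` does (hash over the DER bytes), and normalizes both sides so an IoT Hub thumbprint shown as bare hex compares equal to OpenSSL's `AA:BB:...` form. The embedded `SAMPLE_DER` is a constructed byte string, not a real certificate, so the parsing and comparison path runs without any files.

```python
import base64
import hashlib
import re

# Constructed sample bytes standing in for a DER certificate. This is NOT a
# real X.509 structure; it only exercises the PEM -> DER -> hash path.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x20]) + bytes(range(32))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor and base64-decode the body.

    Fingerprints are defined over the DER encoding, which is exactly what
    OpenSSL hashes for -fingerprint.
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Return the fingerprint in OpenSSL's colon-separated uppercase form."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Drop separators and case so OpenSSL ('AB:CD') and IoT Hub ('ABCD')
    representations can be compared directly."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def matches_iothub(pem_text: str, iothub_thumbprint: str):
    """Return 'sha1' or 'sha256' if the stored thumbprint matches that hash
    of the certificate, or None if neither does (i.e. the registered
    identity is bound to some other certificate)."""
    der = pem_to_der(pem_text)
    want = normalize_thumbprint(iothub_thumbprint)
    for algo in ("sha1", "sha256"):
        if normalize_thumbprint(fingerprint(der, algo)) == want:
            return algo
    return None


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA1  :", fingerprint(der, "sha1"))
    print("SHA256:", fingerprint(der, "sha256"))
    # Placeholder for the thumbprint copied from the IoT Hub device identity.
    stored = "<THUMBPRINT_FROM_IOT_HUB>"
    print("matches:", matches_iothub(SAMPLE_PEM, stored))
```

Replace `SAMPLE_PEM` with the contents of your leaf certificate file and `stored` with the thumbprint shown on the device identity in IoT Hub; a result of `'sha256'` confirms the identity DPS created is bound to that specific certificate, while `None` means a different certificate is registered, which is the situation to investigate when a device is observed connecting with a certificate other than the one you enrolled.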