Matthijs Hoogwerf

Reputation: 11

Azure IOT SDK C# GroupCertificateVerification not working?

I'm in the process of trying to accomplish a proof of possession for an enrollment group.

I've created a test certificate with the code found here https://github.com/Azure/azure-iot-sdk-csharp/tree/master/provisioning/device/samples/ProvisioningDeviceClientX509

This created a certificate. Assuming this is the correct certificate, so far so good.

Now I need to verify this certificate in the "Certificates" section of the Device Provisioning Service in the portal. According to the documentation I should be able to create a verification certificate with this set of code https://github.com/Azure/azure-iot-sdk-csharp/tree/master/provisioning/service/samples/GroupCertificateVerificationSample

Unfortunately it doesn't work. After some debugging I found out that the code can't find the private key in the provided pfx file and therefore can't produce a verification certificate.

Is anyone familiar with this issue and knows how to fix it?

Upvotes: 0

Views: 226

Answers (1)

Cristian Pop

Reputation: 11

The tool you've pointed to is for self-signed certificate authentication only (Individual Enrollment). The certificate structure for an enrollment group is more complex and requires at least a certificate issuer (CA Root or Issuing Authority) that will sign leaf certificates that are used by the devices.

See https://github.com/Azure/azure-iot-sdk-csharp/tree/master/provisioning/device/samples/ProvisioningDeviceClientX509#using-your-certificates for creating an Enrollment Group certificate.

  1. Use this tool and guide to generate test certificates (we recommend a proper PKI and CSR for production environments): https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md

  2. You can then use either Step 3 in the link above or the tool/sample available here to create the verification certificate: https://github.com/Azure/azure-iot-sdk-csharp/tree/master/provisioning/service/samples/GroupCertificateVerificationSample. This step verifies you are the owner of the root certificate. (For security purposes, you should never upload the PFX or the private keys to Azure.)

  3. The tool in point 1 would have imported the certificate chain into the appropriate stores (use certmgr.msc and look under Trusted Root Certificate Authorities, Intermediate Certification Authorities and the Personal store). If that's not the case, you would need to export a p7b file containing the public portion of the entire chain and supply the public certificate collection (representing the trust chain) to the SecurityProviderX509Certificate second parameter. In production environments we recommend using certificate stores.

  4. Use a leaf PFX when authenticating with the Provisioning service.

Upvotes: 1
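The proof of possession described in step 2 boils down to one thing: a certificate whose Subject CN is the verification code shown by the portal, signed by the private key of the root you uploaded. As an added example (not the SDK sample or the answer's own code), this builds a throwaway test root CA with the .NET `CertificateRequest` API and issues that verification certificate from it; the file names `rootCA.cer` and `verification.cer`, the verification code placeholder and the test root subject are assumptions. Only the public `.cer` files are written out, never the root's private key.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: issue a DPS proof-of-possession certificate from a (test) root CA.
// The root's private key signs the verification cert; only public .cer files are uploaded.
static class ProofOfPossession
{
    static void Main(string[] args)
    {
        // Placeholder (assumption): paste the code from "Generate Verification Code" in the portal.
        string verificationCode = args.Length > 0 ? args[0] : "VERIFICATION-CODE-FROM-PORTAL";

        // Test-only root; in production load the real issuing CA (with private key) from a store.
        X509Certificate2 rootCa = CreateTestRootCa("CN=Test Root CA");
        File.WriteAllBytes("rootCA.cer", rootCa.Export(X509ContentType.Cert)); // public part only

        X509Certificate2 verification = IssueVerificationCertificate(rootCa, verificationCode);
        File.WriteAllBytes("verification.cer", verification.Export(X509ContentType.Cert));
        Console.WriteLine($"Issued '{verification.Subject}' signed by '{verification.Issuer}'");
    }

    static X509Certificate2 CreateTestRootCa(string subject)
    {
        RSA key = RSA.Create(4096); // kept alive for the process; not disposed on purpose
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true)); // CA=true
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(10));
    }

    // An ordinary end-entity cert whose Subject CN is the portal's verification code.
    static X509Certificate2 IssueVerificationCertificate(X509Certificate2 issuer, string verificationCode)
    {
        if (!issuer.HasPrivateKey)
            throw new InvalidOperationException("Issuer has no private key; cannot prove possession.");
        RSA leafKey = RSA.Create(2048); // throwaway: the verification cert is never used by a device
        var req = new CertificateRequest($"CN={verificationCode}", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true)); // CA=false
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));

        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial a positive integer
        // Validity must lie inside the issuer's validity window or Create() throws.
        return req.Create(issuer, DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(2), serial);
    }
}
```

Upload `rootCA.cer` under Certificates in the DPS portal, click Generate Verification Code, run the program with that code, then upload `verification.cer` to complete verification.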
