nrf9160 Azure IoT Hub with DPS (share certificates)

Hi everyone,

we are currently developing a customer product which connects to an Azure IoT Hub instance using DPS. We successfully tested this connection (over MQTT, TLS, X509) and it works so far. But during development an interesting question came up:

Is it possible to pre-program a set of certificates which is common for all devices (hard-coded in firmware)?

If yes, does the device get the individual certificates from the DPS service when it connects for the first time?

This procedure would reduce the complexity and overhead of device production at our partner facility, which assembles the PCBs and does the final tests.

We already did some research on this topic, but we didn't get a clear answer on whether (and how) this would work. Maybe it works by creating an enrollment group at the Azure IoT Hub, but then we still have to create individual certificates for each device (which we want to avoid). All guidelines and tutorials show how to create those certificates for an individual device, but not (if possible) how to pre-program a shared certificate.

Maybe someone has some knowledge or advice for us. Has anyone already done something as described above, or is it impossible and we have to create those individual certificates for each new device?

Thanks in advance!

Thomas

  • Hi,

    It is not possible to have a common device certificate. Certificates need to be per individual device. DPS does not send the certificate.

    Best regards,
    Dejan

  • Hi Dejan,

    thanks for your reply!

    Is there any other way to produce devices without adding individual certificates in production, but still have the ability to connect to the Azure IoT Hub (and download the certificates and hub information while the device is in the field / at the customer)?

    In general, Azure IoT Hub seems to support a mechanism to get the certificates from the cloud:

    It uses the "Symmetric Key Exchange", but the questions are:

    1. Does Nordic's implementation of "Azure IoT Hub for embedded C" in nRF Connect SDK support the symmetric key exchange?
      1. If not, is it limited to connecting to the Azure IoT Hub (DPS service) only over TLS / X509 certificates?
      2. If not, would it be possible to add this feature to the library, by Nordic / by us?
    2. Is there documentation for the Azure IoT Hub implementation?

    BR

    Thomas

  • Hi Thomas,

    Can you share the link to the Microsoft Azure IoT Hub Learn page where you took the screenshot from?

    Best regards,
    Dejan

  • Hi Dejan,

    I just talked again with my colleague and he said he created the diagram on his own, based on the knowledge he gained from the Microsoft Azure IoT Hub Learn page, and tested the setup with a Python script. So this is not an original Microsoft picture.

    Let's take one step back and let me summarize what we want to achieve:

    1. Produce the device in the production facility (PCB assembly, firmware download, end test)
    2. Send a bunch of devices to a customer
    3. When the device is turned on for the first time, the device connects 'somehow' to our prepared Azure cloud. If it is a known device (via the IMEI; the cloud knows which IMEI belongs to which customer), it gets everything it needs to connect to the right IoT Hub over a secure connection (TLS). This process must be done only once. If I understood it correctly, the "Device Provisioning Service (DPS)" does exactly this.

    Is there a way to provision the device as described above, or is the only possible way to download the certificates at production time?

    Best regards,

    Thomas

  • Hi Thomas,

    You could read through the IoT Hub DPS documentation to check if DPS can be used the way you want (and expect), and whether the usage of DPS actually aligns with your security requirements. In addition, you can read more about installing a derived device key in the Azure documentation. Using symmetric keys as attestation keys does not have support in NCS, but you could potentially consider doing this on your own.

    Best regards,
    Dejan
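
Added example (editor's note; this is not code from the thread, from Nordic, or from nRF Connect SDK): the "derived device key" scheme Dejan points at, i.e. a DPS symmetric-key enrollment group, is the closest thing to what the original question asks for. It still does not put a shared secret on every device. The group master key stays in the factory (ideally in an HSM) and each unit only receives HMAC-SHA256(master key, registration ID), which can be computed at programming time from the IMEI without generating or signing a per-device certificate. The caveat for the "hard-code it in firmware" idea is exactly this: if the master key itself were flashed, dumping one unit would let an attacker register as any device in the group. The block below models the three parties, factory, device and DPS, and shows that a dumped derived key does not let one device impersonate a sibling. The ID scope `0ne00000000`, the master key and the IMEIs are constructed placeholders; the SAS token format (`sr=.../registrations/...`, `skn=registration`) and the MQTT username `{idScope}/registrations/{registrationId}/api-version=2019-03-31` follow the public DPS MQTT documentation. On an nRF9160 the same HMAC would have to be done in C (for example with mbedTLS or PSA Crypto), which is the part Dejan says NCS does not provide out of the box.

```python
"""Added example (not from the thread, not NCS code): DPS symmetric-key
enrollment-group provisioning, modelled end to end.

  factory side : derived_key = HMAC-SHA256(group_master_key, registration_id)
                 only the derived key is flashed; the master key never leaves the factory/HSM
  device side  : SAS token over "{idScope}/registrations/{registrationId}",
                 signed with the derived key and presented as the MQTT password
  DPS side     : re-derive the key from the claimed registration ID, recompute
                 the signature, reject expired or mismatched tokens
"""
import base64
import hashlib
import hmac
from typing import Dict, List
from urllib.parse import parse_qsl, quote

# Constructed placeholders: a real ID scope comes from the DPS instance and the
# master key from the enrollment group's primary key.
ID_SCOPE = "0ne00000000"
GROUP_MASTER_KEY_B64 = "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE="  # 32 bytes of 0x01


def derive_device_key(group_master_key_b64: str, registration_id: str) -> str:
    """Per-device key for a symmetric-key enrollment group:
    base64(HMAC-SHA256(base64decode(master_key), registration_id))."""
    master = base64.b64decode(group_master_key_b64)
    mac = hmac.new(master, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def provision_batch(group_master_key_b64: str, imeis: List[str]) -> Dict[str, str]:
    """Factory step: one derived key per IMEI (the IMEI is used as the DPS
    registration ID). No per-device certificate is generated or signed, and
    the master key is never written to any device."""
    return {imei: derive_device_key(group_master_key_b64, imei) for imei in imeis}


def dps_sas_token(id_scope: str, registration_id: str, device_key_b64: str, expiry_epoch: int) -> str:
    """Device step: SAS token for DPS registration, signed with the derived key.
    Sent as the MQTT password; the MQTT username is
    "{idScope}/registrations/{registrationId}/api-version=2019-03-31"."""
    resource_uri = f"{id_scope}/registrations/{registration_id}"
    encoded_uri = quote(resource_uri, safe="")
    to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    key = base64.b64decode(device_key_b64)
    sig = base64.b64encode(hmac.new(key, to_sign, hashlib.sha256).digest()).decode("ascii")
    return (f"SharedAccessSignature sr={encoded_uri}&sig={quote(sig, safe='')}"
            f"&se={expiry_epoch}&skn=registration")


def verify_dps_sas_token(token: str, id_scope: str, registration_id: str,
                         group_master_key_b64: str, now_epoch: int) -> bool:
    """Service step: DPS holds only the group master key, derives the key for
    the claimed registration ID, recomputes the token and compares in constant
    time. Expired tokens and tokens for a different resource are rejected."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = dict(parse_qsl(token[len(prefix):], keep_blank_values=True))
    if fields.get("sr") != f"{id_scope}/registrations/{registration_id}":
        return False
    if fields.get("skn") != "registration":
        return False
    try:
        expiry = int(fields.get("se", ""))
    except ValueError:
        return False
    if expiry <= now_epoch:
        return False
    device_key = derive_device_key(group_master_key_b64, registration_id)
    expected = dps_sas_token(id_scope, registration_id, device_key, expiry)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # constructed IMEIs; a 1-hour token issued at epoch 1700000000
    keys = provision_batch(GROUP_MASTER_KEY_B64, ["351234567890123", "351234567890124"])
    imei = "351234567890123"
    token = dps_sas_token(ID_SCOPE, imei, keys[imei], 1_700_003_600)
    print(token)
    print("valid:", verify_dps_sas_token(token, ID_SCOPE, imei, GROUP_MASTER_KEY_B64, 1_700_000_000))
    # attacker dumped device ...123 and tries to register as ...124 with that key
    forged = dps_sas_token(ID_SCOPE, "351234567890124", keys[imei], 1_700_003_600)
    print("forged accepted:", verify_dps_sas_token(forged, ID_SCOPE, "351234567890124",
                                                   GROUP_MASTER_KEY_B64, 1_700_000_000))
```

Two things worth noting for the production flow Thomas describes: the factory only needs the list of IMEIs and access to the master key (or to a signing service that wraps it), so the per-unit step is "compute one HMAC and flash it", and DPS can still map the registration ID to the right IoT Hub for each customer via the enrollment group's allocation policy, so the device learns its hub assignment on first boot exactly as in the X509 case.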
