I am trying to understand the process of certificate generation for the onboarding process of my devices, especially with the future of "mass production" in mind. I understand that for such a scenario it is wise to make use of the Azure IoT Hub DPS.
I managed to complete all steps and have a success on that with the documentation on: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/networking/azure_iot_hub.html
Now, my two questions:
1. What is the DigiCertGlobalRootG2 certificate used for?
2. In "mass production", would each new device have to be hooked up to a computer and should that computer let the modem create a certificate, sign that certificate and store it using nrfcredstore? Or would it be sufficient to store a single credential file on the nrf?
I have tried to do a bit more manual certificate creation to understand the deeper layers here:

### Root
1. `openssl genrsa -out rootCA.key 2048`
2. `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem`

### Device
3. `openssl genrsa -out device.key 2048`
4. `openssl req -new -key device.key -out device.csr -subj "/CN=<device uuid>"`
5. `openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256`

### Azure
6. `az iot dps certificate create --dps-name <dps-name> --resource-group <rg> --certificate-name root-ca --path rootCA.pem`
   - etag: `<etag 1>`
7. `az iot dps certificate generate-verification-code --dps-name <dps-name> --resource-group <rg> --certificate-name root-ca --etag "<etag 1>"`
   - code: `<verification code>`
   - etag: `<etag 2>`
8. `openssl req -new -key rootCA.key -out verification.csr -subj "/CN=<verification code>"`
9. `openssl x509 -req -in verification.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 1 -sha256`
10. `az iot dps certificate verify --dps-name <dps name> --resource-group <rg> --certificate-name root-ca --path verificationCert.pem --etag "<etag 2>"`
11. `az iot dps enrollment-group create --dps-name <dps name> --resource-group <rg> --enrollment-id <enrollment-gr-id> --certificate-path rootCA.pem --provisioning-status enabled --iot-hubs <iot hub url> --allocation-policy static`
12. `cat device.crt rootCA.pem > device_fullchain.pem`
    - `nrfcredstore COM15 write 56 CLIENT_CERT device_fullchain.pem`
    - `nrfcredstore COM15 write 56 CLIENT_KEY device.key`
    - `nrfcredstore COM15 write 56 ROOT_CA_CERT DigiCertGlobalRootG2.crt.pem`
Unfortunately, I get error messages when doing this:

```
[00:00:04.557,495] <err> azure_iot_hub_dps: Connection was rejected with return code 5
[00:00:04.557,495] <wrn> azure_iot_hub_dps: Is the device certificate valid?
[00:00:04.557,556] <err> mqtt_helper: Library is in the wrong state (MQTT_STATE_DISCONNECTED), MQTT_STATE_CONNECTED required
[00:00:04.557,586] <err> azure_iot_hub_dps: Failed to disconnect gracefully, error: -95
[00:00:04.557,617] <err> azure_iot_hub_dps: There was a failure during DPS registration, process is stopped
[00:00:04.557,617] <inf> azure_iot_hub_sample: DPS registration status: AZURE_IOT_HUB_DPS_REG_STATUS_FAILED
[00:00:04.557,647] <err> azure_iot_hub_sample: Failed to run DPS, error: -14, terminating connection attempt
[00:00:04.558,441] <err> mqtt_helper: Cloud MQTT input error: -111
```
Any feedback on the certificate creation steps that I performed? What am I missing, and what do the parts that I am missing actually do?
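A pre-flight check worth running on the files before they are written with nrfcredstore, as an added example that is not from the original post or the Nordic sample: it verifies that device.crt chains to rootCA.pem, that device.key is the matching private key, and that the leaf CN equals the registration ID the enrollment group will look up. It assumes openssl is in PATH; the file names mirror the post, and the certificates it checks are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the device
# credential set before it is written with nrfcredstore. Assumes openssl is in PATH;
# file names mirror the post (rootCA.pem, device.crt, device.key) but are constructed here.

# Return 0 only if DEVICE_CRT chains to ROOT_PEM, DEVICE_KEY is its private key,
# and the subject CN equals EXPECTED_CN (the registration ID DPS will look up).
check_device_cert() {
    root_pem=$1; device_crt=$2; device_key=$3; expected_cn=$4
    # 1. Chain: the device cert must validate against the root uploaded to DPS.
    openssl verify -CAfile "$root_pem" "$device_crt" >/dev/null 2>&1 ||
        { echo "chain check failed: $device_crt does not chain to $root_pem"; return 1; }
    # 2. Key match: the public key inside the cert must equal the stored private key's.
    cert_pub=$(openssl x509 -in "$device_crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$device_key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key check failed: key does not match cert"; return 1; }
    # 3. CN: DPS matches the leaf CN against the registration ID, so it must be exact.
    cn=$(openssl x509 -in "$device_crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected_cn" ] || { echo "CN check failed: got '$cn', want '$expected_cn'"; return 1; }
    echo "ok: chain valid, key matches, CN=$cn"
}

# Constructed root + device pair (same openssl steps as the post, shorter validity),
# plus an unrelated root for the negative case. Returns 0 when both behave as expected.
demo_chain_checks() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rootCA.key" \
        -subj "/CN=Example Root" -days 30 -out "$d/rootCA.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -subj "/CN=Other Root" -days 30 -out "$d/other.pem" 2>/dev/null
    openssl genrsa -out "$d/device.key" 2048 2>/dev/null
    openssl req -new -key "$d/device.key" -subj "/CN=dev-001" -out "$d/device.csr" 2>/dev/null
    openssl x509 -req -in "$d/device.csr" -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/device.crt" 2>/dev/null
    check_device_cert "$d/rootCA.pem" "$d/device.crt" "$d/device.key" dev-001 || return 1
    # A leaf signed by a different root must be rejected (the "is the certificate valid?" case).
    if check_device_cert "$d/other.pem" "$d/device.crt" "$d/device.key" dev-001; then
        return 1
    fi
    rm -rf "$d"
}

demo_chain_checks
```

Running `check_device_cert rootCA.pem device.crt device.key "<device uuid>"` against the real files tells you which of the three properties the modem-side error is hiding.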