
Create Azure IoT Hub certificates

Hi,

I have been struggling with this for 2 days now, and I cannot get my head around the problem.

I want to send data from my nrf9160-dk to Azure IoT Hub via the sample application: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/azure_iot_hub/README.html 

From this guide it is explained how to provision the nrf9160-dk to Azure IoT Hub: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/include/net/azure_iot_hub.html 

First I tried to create my own self-signed certificates with this tool: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md

I can upload the certificates to Azure and I can get them verified 

I have then created a new device called nrf9160 

As part of the certificate creator tool (https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md) I also make a "leaf" device where I type in the device name (nrf9160). This creates a private key and device certificate. This is uploaded to the nrf9160-dk

The security tag is set to 10.

I then configure my prj.conf file 

CONFIG_AZURE_IOT_HUB_DEVICE_ID="nrf9160"
CONFIG_AZURE_IOT_HUB_HOSTNAME="azure hostname"
CONFIG_AZURE_IOT_HUB_SEC_TAG=10
I compile and upload... and when the application runs I get:
I can see from the provisioning page (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/include/net/azure_iot_hub.html) that you say the root CA must be "Baltimore CyberTrust Root certificate" and that I then have to create my own private key and device certificate... but how is this done?
I have tried to hack the "certGen.sh" script but I also have to provide a key for the root CA.
I'm by no means a security expert, and I'm lost in how to create the correct certificates and private keys.
I would appreciate if you could tell me how to use the root certificate to create the private keys and device certificates.
Please advise with the openssl commands. Remember that Azure requires "CN=" subjects!
I don't want to point any fingers but your "provisioning-of-the-certificates" (for a novice like me) is missing those basic steps to create the proper certificates.
  • Hi Carsten, 

    I see what you mean. This does not look like a straightforward process, and note that this sample is on our master branch, which can be somewhat unstable/not fully tested. I have not tested this sample before, let me test it here and see if I can get through it. If I'm not able to get it working I will discuss with the developer.

    Kind regards,
    Øyvind

  • Hi Øyvind,

    Any news on the topic?

    BR,

    Carsten

  • Hi Carsten, 

    Yes, I have gotten some feedback, that I hope will help. First of all our developers see that the documentation needs to be rewritten.

    Furthermore, I got this:

    • From the screenshot it looks like the CA cert is wrong, it should be Baltimore CyberTrust Root CA
    • Baltimore shall not be uploaded to Azure IoT Hub
    • After running the scripts in the guide the customer mentions, only the generated root certificate (for testing and dev only) must be uploaded and verified. It looks like the customer has succeeded in doing that.
    • If the customer has gone through all the steps in the guide, these certificates and keys should be provisioned:
      • CA certificate: Baltimore CyberTrust Root CA
      • Client certificate: certs/new-device.cert.pem
      • Private key: private/new-device.key.pem
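The openssl steps behind the list above, as an added example that is neither Nordic's sample code nor Azure's certGen.sh: a dev/test root CA, a device key and a leaf certificate whose CN is the IoT Hub device ID, plus a check that the leaf chains to the root. It assumes openssl is on PATH; the file names follow the ones listed above, and the output directory and the CA's own name are this example's choice.

```sh
#!/bin/sh
# Added example (not from the Nordic sample or Azure's certGen.sh): the minimal
# openssl flow for a DEV/TEST root CA and one device leaf certificate. Azure
# matches the leaf's CN against the IoT Hub device ID, so CN must equal it.
# Assumes openssl on PATH; file names follow the guide's new-device.*.pem names.
set -eu

# Create a self-signed dev root CA and a device leaf cert for DEVICE_ID in OUTDIR.
# Returns non-zero if any openssl step fails.
make_device_certs() {
    outdir="$1"; device_id="$2"
    mkdir -p "$outdir"
    # 1. Dev root CA: this cert (and only this one) is uploaded to IoT Hub and verified.
    openssl ecparam -name prime256v1 -genkey -noout -out "$outdir/root-ca.key.pem"
    openssl req -x509 -new -sha256 -days 365 -key "$outdir/root-ca.key.pem" \
        -subj "/CN=Dev Root CA (test only)" -out "$outdir/root-ca.cert.pem"
    # 2. Device private key and CSR; the subject CN must equal the device ID.
    openssl ecparam -name prime256v1 -genkey -noout -out "$outdir/new-device.key.pem"
    openssl req -new -sha256 -key "$outdir/new-device.key.pem" \
        -subj "/CN=$device_id" -out "$outdir/new-device.csr.pem"
    # 3. Leaf cert signed by the dev root CA, marked as a non-CA client certificate.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$outdir/leaf.ext"
    openssl x509 -req -sha256 -days 365 -in "$outdir/new-device.csr.pem" \
        -CA "$outdir/root-ca.cert.pem" -CAkey "$outdir/root-ca.key.pem" -CAcreateserial \
        -extfile "$outdir/leaf.ext" -out "$outdir/new-device.cert.pem"
    # 4. Sanity check: the leaf must chain to the root that IoT Hub has verified.
    openssl verify -CAfile "$outdir/root-ca.cert.pem" "$outdir/new-device.cert.pem" >/dev/null
}

# Print the CN of a certificate (handles both "CN = x" and "/CN=x" output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# What goes into each slot of the security tag. The Baltimore CyberTrust Root is
# obtained separately: the device uses it to verify the IoT Hub server, and it is
# NOT uploaded to IoT Hub.
print_provisioning_map() {
    printf 'sec_tag %s\n' "$1"
    printf '  CA certificate    : Baltimore CyberTrust Root (obtained separately)\n'
    printf '  Client certificate: %s/new-device.cert.pem\n' "$2"
    printf '  Private key       : %s/new-device.key.pem\n' "$2"
}

# Usage: sh <this file> <outdir> <device_id>, e.g. ./certs nrf9160
if [ $# -eq 2 ]; then
    make_device_certs "$1" "$2"
    print_provisioning_map 10 "$1"
fi
```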
  • Hi Øyvind

    I still don't get the overall picture of the Baltimore CyberTrust Root CA, and that we then have a self-signed certificate that is verified through Azure - and which is then used to create a client certificate and private key.

    For instance you and Azure again and again say that the certGen.sh tool is not for production but only testing, but nowhere do I see a step-by-step guide to doing the certGen.sh steps for production. This would be nice to add to your description to help developers and companies to make secure products.

    All that said the inputs from your developer gave some clear sight. So I was finally able to successfully connect to Azure.

    As you can see below I get telemetry telegrams sent to Azure:

    The telemetry can be seen in the Azure IoT Explorer

    And in the same way I'm able to send direct messages to light the LED on the board

    I might add some extra inputs for the incident over the coming days to give others the step-by-step guide to do what I just did... maybe something you can add to the general description (up to you).
