Certificate creation for TLS server

I am trying to test TLS communication between a TCP server and client, so how should I generate the certificates and how do I provision them in the TCP server?

Can I use OpenSSL for creating self-signed certificates?

Or can I use the embedTLS library to create self-signed certificates?

Best Regards

Anitha S

  • Hi Anitha,

    The certificate creation for the TLS server is managed on the cloud server side (e.g. Azure, AWS). They have toolkits and documents about how to manage a CA, including self-signed certificates. Below is a summary I made before to give an overview of TLS certificate requirements:

    Let me explain the whole picture. In order to make a secure TLS connection between an IoT device client (C) and the Azure IoT Hub server (S), they need to verify that each other can be trusted, so third-party certification companies provide certification services; your C/S has to install their root CA to get this service.

    On the C side, you need:

    1. Baltimore CyberTrust Root CA. This root CA is from DigiCert; they provide this certification service for S, so C can use it to confirm that S can be trusted.

    2. Client Public Certificate, signed by the Test Root CA. It will be sent to S for trust verification.

    3. Client Private Key, which should not be shared with other people.

    On the S side, it has:

    1. Test Root CA. For test purposes this can be generated by yourself; then you upload it to the Azure IoT Hub server and it will consider it trusted.

    2. Azure IoT Hub server Public Certificate. It is signed by the Baltimore CyberTrust Root CA from DigiCert and is managed by Azure; you do not need to care about it. It will be sent to C for trust verification.

    3. Azure IoT Hub server Private Key, which you do not have access to.

    For real production, the orange part is what you need to be concerned about. You need to create the client key pair (private and public keys) with the OpenSSL tool, then you need to get a public certificate from a CA like DigiCert instead of a Test Root CA set up by yourself; they have detailed explanations of how to conduct this process. The article WHAT IS A CA? CERTIFICATE AUTHORITIES EXPLAINED from DigiCert is a good starting point. For development purposes, you can use self-signed certificates created with the OpenSSL tool; see Tutorial: Using OpenSSL to create self-signed certificates.

    Best regards,

    Charlie
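The test setup the answer above describes (a self-generated Test Root CA, a client key pair, and a client public certificate signed by that root), as an added example that is not part of the original post. It uses only the openssl command-line tool with its own minimal config; all names, file paths and validity periods are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the test PKI from the answer with the
# openssl CLI, then check that the client certificate chains to the Test Root CA.
set -eu

# Minimal OpenSSL config so the result does not depend on the system's openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_test_pki DIR: writes test-root-ca.{key,pem} and client.{key,csr,pem} into DIR
make_test_pki() {
    dir="$1"; mkdir -p "$dir"; write_openssl_cnf "$dir/openssl.cnf"
    # 1. Test Root CA: private key plus self-signed CA certificate (S-side item 1)
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Root CA" -extensions ca_ext \
        -keyout "$dir/test-root-ca.key" -out "$dir/test-root-ca.pem" 2>/dev/null
    # 2. Client private key (C-side item 3) and a CSR for the client certificate
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=example-device-001" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # 3. Client public certificate signed by the Test Root CA, marked as a leaf (C-side item 2)
    openssl x509 -req -sha256 -days 90 -in "$dir/client.csr" \
        -CA "$dir/test-root-ca.pem" -CAkey "$dir/test-root-ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions client_ext -out "$dir/client.pem" 2>/dev/null
    chmod 600 "$dir/test-root-ca.key" "$dir/client.key"   # private keys stay private
}

# verify_client_cert DIR: succeeds only if DIR/client.pem chains to DIR/test-root-ca.pem
verify_client_cert() {
    openssl verify -CAfile "$1/test-root-ca.pem" "$1/client.pem" >/dev/null 2>&1
}
```

The server side gets test-root-ca.pem as its trusted CA (the upload step in the answer); the client is provisioned with client.pem and client.key, and the root CA private key never leaves the machine that signs.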

