How to connect downstream IoT device to IoT Hub using X.509 CA with C SDK - azure-iot-hub

I can't find any instructions on how to connect an IoT device to IoT Hub using an X.509 CA cert with the C SDK. There is a sample for the C# SDK at https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started#register-x509-ca-certificates-to-your-iot-hub. The closest I can get for the C SDK is this API https://learn.microsoft.com/en-us/azure/iot-hub/iot-c-sdk-ref/iothub-device-client-h/iothubdeviceclient-createfromdeviceauth, but it doesn't provide any documentation on how to use it.
There is sample code at https://github.com/Azure/azure-iot-sdk-c/tree/a698fa3fe9379b7a51a466e0a6b1fe5042db29c5/provisioning_client/samples/iothub_client_sample_hsm which seems to imply how to use this, but the function call to IoTHubDeviceClient_CreateFromDeviceAuth() has been commented out.
My goal is to be able to connect a downstream device to IoT Hub using X.509, with IoT Edge configured as a transparent gateway. Since DPS provisioning of downstream devices is not currently supported, a downstream device can only connect to IoT Hub using either a symmetric key, an X.509 self-signed cert or an X.509 CA-signed cert. Symmetric key or X.509 self-signed is not an option, as it requires a per-device connection string which we are not able to provide in our IoT device binary. The X.509 CA-signed cert approach seems to work, as all our devices can be preloaded with the cert, but I can't find any document on how to achieve this.

From the IoT hub side the language your device is using is irrelevant. Set it up as it suggests and then refer to this sample: https://github.com/Azure/azure-iot-sdk-c/blob/master/iothub_client/samples/iothub_ll_client_x509_sample/iothub_ll_client_x509_sample.c for an X.509 C client.
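To make the answer concrete, here is the hub-side logic a CA-signed device certificate has to satisfy, written as an added Go example (standard library only; it is not from the question, the answer or the Azure SDK). It constructs a made-up root CA, an intermediate and a device leaf whose CN is the device ID, then verifies the leaf the way IoT Hub does for a device registered against a CA: chain to the registered root through the intermediates the device presents, and match CN to device ID. The CA and device names are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue creates a P-256 key pair and a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // leaf: TLS client auth only
	if isCA { // a CA signs certificates and carries no client-auth EKU
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // no issuer given: self-sign (root CA)
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// VerifyDevice mirrors the hub-side check: path from the presented leaf via its intermediates to the registered root, then CN == device ID.
func VerifyDevice(leaf, root *x509.Certificate, deviceID string, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // untrusted issuer, expired, missing intermediate, wrong EKU, ...
	}
	if cn := leaf.Subject.CommonName; cn != deviceID {
		return fmt.Errorf("leaf CN %q does not match device ID %q", cn, deviceID)
	}
	return nil
}
```

On the device side, the linked C sample passes the leaf (with its intermediates appended) through OPTION_X509_CERT and the private key through OPTION_X509_PRIVATE_KEY; behind a transparent gateway the device additionally needs the gateway's root CA as its trusted server certificate.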

Related

Azure IoT Hub TLS certificate revocation

The IEC 62443-4-2 component requirement CR 1.9 "Strength of public key-based authentication" states:
For components that utilize public-key-based authentication, those
components shall provide directly or integrate into a system that
provides the capability within the same IACS environment to:
…
c) validate certificates by checking a given certificate’s revocation
status;
Which approach is used for certificate revocation for the TLS-encrypted communication with Azure IoT Hub: Online Certificate Status Protocol (OCSP) and/or Certificate Revocation Lists (CRLs)?
Is certificate revocation validation supported in the Azure IoT SDKs?
IoT Hub does not perform certificate revocation checks as of now. You need to explicitly disable devices to prevent them from connecting.

How do we use letsencrypt SSL certificates in an IoT architecture

We are building an IoT architecture consisting of an API gateway and other services deployed on the cloud. The server uses a letsencrypt SSL certificate, so it is possible to communicate over SSL with the server. There are a number of hardware devices which send data to the server. We want to use x.509 certificate based communication and authentication from the devices to the server. I have two questions in this regard:
Is it possible to use a letsencrypt certificate to generate the x.509 based certificate which can be configured on the device? If yes, what are the steps to do so?
Since a letsencrypt certificate expires after 90 days, does it mean that after every 90 days we will have to renew the certificates on all the devices? If yes, is there any best practice to handle such situations?
Unfortunately, Let's Encrypt does not support intermediate certificates, so you wouldn't be able to generate your "own" certificates for your devices.

SSL certificate for esp32 https server

I have a problem with insecure SSL certificates. My project consists of two parts:
ESP32 IoT device with an HTTPS server
VUE2 + Vuetify PWA web app deployed to Firebase hosting.
Imagine that a client buys my IoT device and connects it to power. The device will boot in AP mode, creating a WiFi AP network.
The client logs in to the web app and wants to add his new device. For that, the IoT device needs the client's WiFi credentials.
The web app asks the client for his SSID and password, and when the client clicks on 'Configure device', the web app sends an HTTPS POST request to the ESP32 server, and here is the problem...
Because the SSL certificate used in the ESP32 server is not validated by an authority, the web app can't make the POST request...
How can I get a valid server SSL certificate for a lot of IoT devices? I don't know how to manage this situation...
Thanks everyone!!
It is possible to get a valid SSL certificate for the device, but I wouldn't recommend it. Here is how you could do it if you wanted to:
Ensure that when your device is in AP mode, it's always available at the exact same IP address. For example, ensure that the ESP32 is listening at 192.168.1.1.
Register a domain like example.com. Add an A record to your DNS server for iot.example.com, with the value 192.168.1.1.
Obtain a valid SSL certificate for iot.example.com from any trusted authority. Put that certificate and associated key on your device.
Now, when your user connects to your soft AP, they can browse to https://iot.example.com and actually see a valid certificate.
However, I would really recommend not doing this. You'll have three major issues to contend with:
The key for your SSL certificate will be on your device's flash. If anyone extracts it, they can masquerade as iot.example.com. You can mitigate this by using flash encryption, but it's still not great.
The maximum validity period for an SSL certificate is around two years. So your provisioning flow will break after a couple years.
If the CA that issued your certificate hears that the private key is floating around and could potentially be compromised, they will probably revoke your certificate.
Instead, what you should do is secure your soft AP with WPA2, and a password that you can give to users. This will ensure that the connection is encrypted, and you can serve your provisioning form over HTTP instead of HTTPS.
An even better approach rather than trying to implement this yourself, is to use the ESP-IDF unified provisioning API. It takes care of the implementation details, and supports both Wi-Fi and Bluetooth as transports.
Regardless of what you decide to do, I'd highly recommend reading the ESP-IDF documentation on unified provisioning and the documentation on Wi-Fi provisioning, since they'll give you an idea of what's going on under the hood and what all is required for a secure implementation. In particular, you'll see that the Wi-Fi provisioning library does actually use a static WPA2 password like I suggested above.

Device authentication using self signed certificate

I am looking for device authentication where
I want to make sure that all calls to my web service\Website (hosted on Google App Engine) are coming from an authorized device only, using a device certificate.
Each device will have a unique certificate that cannot be transferred to other devices.
A device certificate can be revoked anytime.
To achieve the above, I am planning to have another service which would issue certificates to devices which are approved to use my service. I will issue the certificate via email to the user, who will install it manually. My users will use a browser to access my service.
But I am not sure how would I achieve points 2 and 3.
Can you please guide as to how to achieve this using a self signed certificate?
I want to make sure that all calls to my web service\Website (hosted on Google App Engine) are coming from an authorized device only, using a device certificate.
You can use an SSL channel with client authentication, or add a digital signature to your messages.
Each device will have a unique certificate that cannot be transferred to other devices.
It is not possible to ensure this using software certificates. If you distribute them by email, the user could install them on several devices.
You could use a hardware token (NFC/Bluetooth) or preinstall the certificate in the Android/iOS KeyChain so it would not be extractable, but this complicates the distribution very much.
A device certificate can be revoked anytime.
Check revocation at server side before accepting a request from a client. There are standard protocols to do this (OCSP, CRL), or use a custom mechanism, since you issue them yourself.

IBM Bluemix Watson IoT - TLS via token?

I'm pretty confused concerning the terminology used by IBM. I'm currently working with Watson IoT and embedded devices using MQTT. As you know, embedded devices sometimes do not have the capability to secure a connection via certificates (formerly SSL). Watson IoT therefore offers a secure connection (?) called "TLS with authentication token". That's what's confusing me. I learned that for an SSL (now TLS) connection you need to pass certificates to the server. How can you establish a TLS connection just by using/sending an auth token? Or do they just mean the authentication process instead of a secured and encrypted connection?
Thanks in advance and have a nice weekend!
If you're using MQTT, the simplest way to connect your device to the Watson IoT Platform is as follows:
When you register your device, you define (or get given) an authentication token - in effect, a password for that device. You have two main options on how you use this token to connect the device to Watson IoT Platform at orgId.messaging.internetofthings.ibmcloud.com:
Port 1883 (this is non-TLS)
Port 8883/443 (this is TLS)
In both cases the password is used to authenticate your device - but only in the second is the on-the-wire traffic encrypted (which is why we strongly recommend using TLS/port 8883/443 where possible). The encrypted connection is over TLS: Watson IoT Platform presents a certificate to allow your TLS-enabled device to validate the certificate and hence trust it's talking to Watson IoT Platform.
There are further options to build on this. You can configure device certificates (e.g., see here) - but I haven't discussed these as - hopefully! - I'll have answered your question using the simple patterns above. Further details on connecting to the platform are available here.
Links correct at the time of writing