
azureiotdpscertificates's Introduction

Azure IoT Hub DPS Certificates

Sample app to create X.509 certificates for Azure IoT Hub Device Provisioning Service.

This repository contains a .NET Core 2.0 command line app, which can be used to create an X.509 certificate chain and device certificates for use with the Azure IoT Hub Device Provisioning Service.

The code in this repository was developed in my spare time. If you have problems or questions, feel free to add them under Issues, but be prepared to wait for answers. As mentioned, this is a hobby project that I work on in my spare time.

Further reading

To read more about the details and the reason the app does what it does, please see the accompanying blog posts:

Important notice

If you don't have experience with X.509 certificates, Certificate Authorities, etc., then you should not build your own CA infrastructure.

The code in this repository is a sample app that fulfills my needs for testing the Azure IoT Hub Device Provisioning Service. It is by no means a replacement for a real X.509 certificate infrastructure.

How to use the sample app

The app is a .NET Core 2.0 Console application. The easiest way to run it is to clone the repository, and open a command prompt in that directory.

There are a number of command line switches. See the usage by running

dotnet run -- --help

Usage: RW.DPSCertificateTool [command]

Commands:
  createcertchain
  createdevicecert
  createverificationcert

Run 'RW.DPSCertificateTool [command] --help' for more information about a command.

If you want to create a new certificate authority chain with a number of intermediates, run

dotnet run -- createcertchain --help

This will output the options that are available for that operation:

Usage: RW.DPSCertificateTool createcertchain [options]

Options:
  -?|-h|--help  Show help information
  -s            The generated root CA's certificate subject name. This will also be the base of the generated filenames.
  -p            The password of the PFX file(s) that are output.
  -i            The number of intermediate CAs to create in a chain.

In general, you can add --help to all the operations to see their options.

To create a new Root CA and an intermediate chain run

dotnet run -- createcertchain -s "My cool CA" -p securepassword -i 5

This will create a root CA with the subject "My cool CA", where the private key is protected with the password "securepassword", and there will be 5 intermediate CAs. The intermediate CAs' passwords are also "securepassword".

The command has generated these files in the current directory:

10-04-2018  22:15             1.563 Intermediate 1.pfx
10-04-2018  22:15             2.107 Intermediate 2.pfx
10-04-2018  22:15             2.659 Intermediate 3.pfx
10-04-2018  22:15             3.203 Intermediate 4.pfx
10-04-2018  22:15             3.755 Intermediate 5.pfx
10-04-2018  22:15               414 My cool CA.cer
10-04-2018  22:15             1.027 My cool CA.pfx

IoT Hub DPS Verification certificate

You can use the generated "My cool CA.cer" file for the IoT Hub DPS. After uploading it, you must verify that you can actually create certificates signed by that root CA.

The Azure portal will present a verification code. That must be the subject of a new leaf/device certificate that has been signed by the root CA.

This tool will let you create a verification certificate with the command line

dotnet run -- createverificationcert -s "<long verification ID>" -c "My cool CA.pfx" -p "securepassword"

Don't just copy/paste the above. The certificate subject must also be a valid DNS name. Use the verification ID that the portal shows for your DPS instance.

After loading the Root CA PFX file, the tool will output a new .cer file named after the verification ID.

That .cer file must be uploaded to the Azure Portal to verify your ownership of the root CA certificate.

IoT Hub DPS device certificate

It's also possible to create device certificates.

Since one of the purposes of my testing was to use an intermediate CA to issue device certificates, you can pass any PFX file containing a CA certificate on the command line when creating a device certificate:

dotnet run -- createdevicecert -s "mydevicecert" -p "mysecuredevicepassword" -c "Intermediate 5.pfx" -q "securepassword"

Note that you need to pass both a password for the newly created "mydevicecert" certificate as well as the password to open the PFX file.

This command creates a file called mydevicecert.pfx, which can be used when connecting to IoT Hub DPS. The PFX file will contain a private and public key for the device, as well as the public parts of the intermediates and root in the entire chain of trust.
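The layering the three commands above produce, written out as C# added here (it is not the tool's own code): a self-signed root, intermediates each signed by the previous one, a verification leaf signed by the root whose CN stands in for the portal's code, and a device leaf signed by the deepest intermediate, bundled into a PFX together with the public chain; it also pins the chain to the expected root instead of trusting the machine store. The class and method names (DpsChainDemo, Issue, ChainsToRoot), the placeholder CN and the output file names are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class DpsChainDemo // hypothetical illustration, not the tool's own code
{
    // Issues a CA (isCa) or leaf certificate; a null issuer yields the self-signed root.
    static X509Certificate2 Issue(string cn, bool isCa, X509Certificate2 issuer, int years)
    {
        var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            isCa ? X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign : X509KeyUsageFlags.DigitalSignature, true));
        if (!isCa) // device and verification certs only authenticate as a TLS client (id-kp-clientAuth)
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false));
        var notBefore = DateTimeOffset.UtcNow.AddMinutes(-5);
        if (issuer == null) return req.CreateSelfSigned(notBefore, notBefore.AddYears(years));
        var serial = new byte[16]; // random serial; the API normalises it to a positive INTEGER
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(serial);
        return req.Create(issuer, notBefore, notBefore.AddYears(years), serial).CopyWithPrivateKey(key);
    }
    // Check that a leaf chains to the expected root without relying on the machine's trust store.
    static bool ChainsToRoot(X509Certificate2 leaf, X509Certificate2Collection extra, X509Certificate2 root)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.ExtraStore.AddRange(extra);
        if (!chain.Build(leaf)) return false;
        // The flag tolerates an unknown root, so pin the anchor to our own root explicitly.
        return chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint == root.Thumbprint;
    }
    static void Main()
    {
        X509Certificate2 root = Issue("My cool CA", true, null, 10), issuer = root;
        var publicChain = new X509Certificate2Collection { new X509Certificate2(root.RawData) };
        for (int i = 1; i <= 3; i++) // the tool's -i 3: each intermediate signs the next
        {
            issuer = Issue($"Intermediate {i}", true, issuer, 5);
            publicChain.Add(new X509Certificate2(issuer.RawData)); // public part only
        }
        // Proof of possession: CN is the code the portal shows (placeholder here), signed by the root itself.
        var verification = Issue("VERIFICATION-CODE-PLACEHOLDER", false, root, 1);
        File.WriteAllBytes("verification.cer", verification.Export(X509ContentType.Cert));
        var device = Issue("mydevicecert", false, issuer, 1); // issued by the deepest intermediate
        var bundle = new X509Certificate2Collection(publicChain) { device }; // device key + public chain
        File.WriteAllBytes("mydevicecert.pfx", bundle.Export(X509ContentType.Pfx, "mysecuredevicepassword"));
        Console.WriteLine(ChainsToRoot(device, bundle, root) ? "device cert chains to My cool CA" : "chain broken");
    }
}
```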


azureiotdpscertificates's Issues

Way to export public and private PEM files?

Sorry for raising this as an issue.
With this code I get a pfx file and I am trying to export public and private PEM files from it.
For the public PEM:
X509Certificate2.Export(X509ContentType.Cert) => get public pem in bytes

For the private PEM:
var ecdsa = ECDsa.Create("ECDsa");
ecdsa.ExportECPrivateKey(); // to get the private key in bytes
But this method is in .NET Core 3.0 preview.

Could you please let me know if you know a way to get this with .NET Core 2.2?

Issue with iothub_ll_client_x509_sample on Ubuntu 18.04 64-bit machine IoT SDKs

I could build the azure-iot-'C'-sdk along with the samples bundled with the SDK, but ran into an issue while attempting to execute iothub_ll_client_x509_sample under the iothub_client samples.

The connection string has been set to our x509 IoT Hub connection string, and the x509 certificate and private key have been set using the device_ll_handle returned by IoTHubDeviceClient_LL_CreateFromConnectionString() as follows:

IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_X509_CERT, x509certificate);
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_X509_PRIVATE_KEY, x509privatekey);

Upon executing iothub_ll_client_x509_sample, I get the following errors:

Creating IoTHub handle
Sending message 1 to IoTHub
Error: Time:Mon Sep 9 12:00:24 2019 File:/home/administrator/Documents/docker/iot-agent/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:29 Failure creating private key evp_key
Error: Time:Mon Sep 9 12:00:24 2019 File:/home/administrator/Documents/docker/iot-agent/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:36 [0] error:0908F070:PEM routines:get_header_and_data:short header
Error: Time:Mon Sep 9 12:00:24 2019 File:/home/administrator/Documents/docker/iot-agent/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:log_ERR_get_error Line:428 unable to use x509 authentication
Error: Time:Mon Sep 9 12:00:24 2019 File:/home/administrator/Documents/docker/iot-agent/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:tlsio_openssl_open Line:1253 Failed creating the OpenSSL instance.
Error: Time:Mon Sep 9 12:00:24 2019 File:/home/administrator/Documents/docker/iot-agent/azure-iot-sdk-c/umqtt/src/mqtt_client.c Func:mqtt_client_connect Line:1005 Error: io_open failed
Error: Time:Mon Sep 9 12:00:24 2019 File:/home/administrator/Documents/docker/iot-agent/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:SendMqttConnectMsg Line:2262 failure connecting to address iot-hub-dev-north-europe-1.azure-devices.net.

Would anyone please suggest what might possibly be causing these errors and how to resolve them?
For what it's worth, this issue is not observed on a Windows 10 machine.

NullReferenceException in CertificateUtil

The call
dotnet run -- createcertchain -s "My CA" -p mypassword -i 3
results in the following runtime error:

Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at RW.DPSCertificateTool.CertificateUtil.CreateCaCertificate(String subjectName, String certificatePassword, X509Certificate2 issuingCa) in C:\source\local\AzureIoTDPSCertificates-master\AzureIoTDPSCertificates-master\src\DPSCertificateTool\CertificateUtil.cs:line 73
at RW.DPSCertificateTool.CreateCertChain.OnExecute() in C:\source\local\AzureIoTDPSCertificates-master\AzureIoTDPSCertificates-master\src\DPSCertificateTool\CreateCertChain.cs:

Service Error 401002 CA certificate not found error

Hello,

I executed the following steps:

  1. Create CA certificate using create cert chain.
  2. Uploaded CA certificate to certificates section under DPS.
  3. Generated verification code.
  4. Generated verification certificate using verification code as common name using createverificationcert.
  5. Uploaded verification certificate and verified successfully.
  6. Created group enrollment with Root certificate.
  7. Generated device specific pfx using createdevicecert.
  8. Tried to provision device using device specific certificate; it throws Service Error 401002 Certificate not found (.Net Simulated device).
