Hi I've been trying to follow instructions and examples from the DPS documentation 1 to implement provisioning using x.509 certificates. Both on the documentation here, and in ESP's instructions 2 , the instructions are good and concise regarding individual enrollment. Group enrollment however isn't particularly well described on the device side. For the individual enrollment, creating root- and leaf-certificates using ESP's instructions work well for both simulated and physical devices. Which certificates to use for group enrollment, how to generate sample certificates and where to implement them I cannot find any clear answers to. As far as I've managed to understand, group enrollment is based on a root- or intermediate certificate to create a device certificate, but how does one achieve this? And must this be done for each device? Is there any way to build a single firmware with a single certificate included and simply provision with a device name generated upon first boot? As an absolute beginner in the world of provisioning and certificates, I hope someone will be able to provide a set of concise explanations and instructions which may ease my confusion.

Which certificates to use for group enrollment, how to generate sample certificates and where to implement them I cannot find any clear answers to. Use the following Certificate Overview to create your test certificates. As far as I've managed to understand, group enrollment is based on a root- or intermediate certificate to create a device certificate, but how does one achieve this? And must this be done for each device? Is there any way to build a single firmware with a single certificate included and simply provision with a device name generated upon first boot? See IoT Hub Device Provisioning Service concepts#enrollment At device side you shouldn't need to change your code to be able to provision using group enrollment. You may need to have the entire certificate chain on your device to successfully provision: Sign Devices into a Certificate Chain of Trust See also: Controlling device access to the provisioning service with X.509 certificates I hope this can help you get started. Let me know if you have more questions? Otherwise please mark it as answer :). Thanks!

How to implement IoT DPS x509 on device

Accepted answer

António Sérgio Azevedo 7,661 Reputation points Microsoft Employee

2020-06-15T11:50:37.11+00:00

Which certificates to use for group enrollment, how to generate sample certificates and where to implement them I cannot find any clear answers to.

Use the following Certificate Overview to create your test certificates.

As far as I've managed to understand, group enrollment is based on a root- or intermediate certificate to create a device certificate, but how does one achieve this? And must this be done for each device? Is there any way to build a single firmware with a single certificate included and simply provision with a device name generated upon first boot?

See IoT Hub Device Provisioning Service concepts#enrollment

At device side you shouldn't need to change your code to be able to provision using group enrollment. You may need to have the entire certificate chain on your device to successfully provision: Sign Devices into a Certificate Chain of Trust

See also: Controlling device access to the provisioning service with X.509 certificates

I hope this can help you get started. Let me know if you have more questions? Otherwise please mark it as answer :).

Thanks!
Please sign in to rate this answer.
Robin Gjølstad 31 Reputation points

2020-06-15T13:52:48.33+00:00

I've read all the documentation you've linked, yes, but thanks for providing it in case I'd missed anything.

You may need to have the entire certificate chain on your device

I suspected that I may need to do something like that. Let me summarize my understanding to see if I've misunderstood or not.

A root certificate-key pair is generated or issued from someone.

A intermediate private key is generated by someone else in the supply chain. They issue a CSR, and receive a certificate back.

Several intermediate key-certificates may be generated though the chain.

A the end, each device will receive a final set of a private key and a signed certificate. This set is used by all devices from that batch/factory/supply chain.

Each device uses that same key-certificate pair to generate its own individual certificate which is used to enroll to the DPS/IoT Hub.

Does that sound roughly correct? Or have I misunderstood something?

António Sérgio Azevedo 7,661 Reputation points Microsoft Employee

2020-06-16T08:49:10.157+00:00

@Robin Gjølstad yes you are capturing the steps needed very well :).

Let me add other terms:

on the device you will have what we call as the "leaf" certificate (aka device certificate). What I meant by "you may need to have the entire certificate chain on your device" is that, in order to successfully authenticate, the leaf certificate needs to include all the certificates belonging to the chain, up to the one that is deployed on your DPS Group Enrollment. The leaf certificate is not used to sign any other certificates.

From here: When an X.509 CA signed device connects, it uploads its certificate chain for validation. The chain includes all intermediate CA and device certificates.

Robin Gjølstad 31 Reputation points

2020-06-16T13:41:07.703+00:00

Ah, so that was what you meant.

In general, how are those leaf certificates generated?
Are they pre-generated and then uploaded to the device in parallel with the firmware? Or are they generated on-device with a common certificate-key pair?

Implementing firmware for something one hasn't encountered before turns out to be quite challenging when most guides seem to assume that these things are well known

António Sérgio Azevedo 7,661 Reputation points Microsoft Employee

2020-06-18T07:18:04.997+00:00

@Robin Gjølstad I hear you. The journey of setting up a device and ensuring a secure connection all up to the cloud is huge. In the Device Cycle you have different personas and the ones responsible to add a certificate on the firmware of your device are OEMs (usually very familiar with the X509 process).

Are they pre-generated and then uploaded to the device in parallel with the firmware?

Yes. See the example of Set up an Azure IoT Hub for Azure Sphere. You will notice that the device is connected via USB to your laptop so that you can register it to a tenant that in turns creates your device's certificate and stores it on the chip (helped by Azure Sphere Security Service). See also the seven properties of highly secured devices.

António Sérgio Azevedo 7,661 Reputation points Microsoft Employee

2020-06-23T00:51:14.087+00:00

@Robin Gjølstad do you have further questions? If I was able to help you please mark it as answer so others can learn as well. Thanks!

António Sérgio Azevedo 7,661 Reputation points Microsoft Employee

2020-06-26T11:59:40.33+00:00

@Robin Gjølstad kind reminder if you have further questions let us know. otherwise please mark as answer. Thank you!

Robin Gjølstad 31 Reputation points

2020-06-26T12:28:49.423+00:00

Thank you for the reminder. Been somewhat preoccupied with another project.

Thanks for explaining these things for me.
Unfortunately this means that there is no simple way to "manually" do group enrollments on a handful devices without manually generating a separate certificate for each device. Perhaps writing a script to take care of it all is a possibility.
Sign in to comment

How to implement IoT DPS x509 on device

0 additional answers