How do I check Quickstart CA development certificate expiration on IoT Edge 1.4?

Sai Allu 20 Reputation points Microsoft Employee
2023-10-10T17:26:02.4733333+00:00

Good morning,

I had a couple of small questions about IoT Edge. Could you please help me?

  • For an Azure VM running Edge 1.4 using Quickstart CA Development certificates, how can I check when the TLS cert (development cert) will expire? In Edge 1.1, "iotedge check" would display the expiration date, but I don't see that in Edge 1.4.
  • In Edge 1.1, when "iotedge check" said that a development cert would expire on June 4th, we actually wouldn't notice any problem until June 18th (roughly 14 days or 2 weeks later). Why is that? Did the cert really expire on June 4th, or was it still valid until June 18th?
Azure IoT Edge

Accepted answer
  1. Sander van de Velde 29,931 Reputation points MVP
    2023-10-10T18:40:27.5833333+00:00

    Hello @Sai Allu,

    Welcome to this moderated Azure forum.

    The Azure IoT Edge runtime uses a TLS certificate for securing internal communication.

    If you restart the Azure IoT Edge edgeAgent module, and check the logging:

    sudo iotedge logs -f edgeAgent
    

    At the start of the new logging session, you will see a line containing the expiration time of the current certificate.

    Once the certificate expires, the communication stops.

    Luckily, if you still use that development certificate, a new certificate will be created (for another 90 days), and communication will resume again. Until it expires again.

    It's recommended to replace the dev certificate with a custom certificate for improved security and 24/7 operation. There is an alternative solution by just editing the config.toml file. Check the side note on this blog post for details.

    The case you experienced with 1.1 is not a common behavior.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

    1 person found this answer helpful.
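
An alternative to reading the edgeAgent log, added here as an example that is not part of the original answer or of the IoT Edge tooling: reading the expiry date straight from a certificate file with openssl and classifying it against a warning window. The certificate path is passed in by the caller (this page does not state where IoT Edge 1.4 stores it), the function names are hypothetical, and GNU date is assumed.

```shell
#!/bin/sh
# Added example: report how long a PEM certificate remains valid.
# The caller supplies the certificate path; no IoT Edge path is assumed.
# Usage (placeholder path): cert_status /path/to/cert.pem 14

# Print whole days until the certificate's notAfter (truncated toward zero).
# Returns 2 if the file cannot be parsed as a certificate.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
    end=${end#notAfter=}                          # strip the "notAfter=" label
    end_s=$(date -u -d "$end" +%s) || return 2    # GNU date parses openssl's format
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Print "ok", "expiring" (inside the warning window), "expired" or "unreadable".
# $2 is the warning window in days (default 14). Non-zero exit unless "ok".
cert_status() {
    warn_days=${2:-14}
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 2
    fi
    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"; return 1
    fi
    if ! openssl x509 -in "$1" -noout \
            -checkend $(( warn_days * 86400 )) >/dev/null 2>&1; then
        echo "expiring"; return 1
    fi
    echo "ok"
}
```

Running `cert_status` from a scheduled job gives advance notice of expiry, so the certificate can be replaced before communication stops.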
