BrianWilless-4902 asked ImranBhadelia-6395 commented

Azure Sphere Authentication Certificate CN == Device ID?

@ImranBhadelia-6395 and I have a question about the Azure Sphere Authentication Certificate. This would be the short-lived (client certificate that can be presented to any online service) X.509 certificate pushed to the device once it passes the DAA step. The documentation here specifies that the certificate CN is set to the device's device ID. However, CN is limited to 64 characters and the Azure Sphere device ID is >128 characters long.

What is CN set to for the Azure Sphere Authentication X.509 Certificate?

Thanks!


azure-sphere

Hello @BrianWilless-4902, Community SMEs on this topic or our team will review your scenario and circle back at the earliest possible time.
Cc: @ChandraNekanti-3683

MichalZurek answered

You do not need to generate the certificate yourself. An already generated and signed certificate is stored in your device. The certificate is signed by the Azure Sphere Tenant CA. To use this certificate as the authentication method for IoT Hub, call iothub_security_init from azure_prov_client/iothub_security_factory.h and then IoTHubDeviceClient_LL_CreateWithAzureSphereFromDeviceAuth to create the IoT Hub client. In IoT Hub you must register your device with the device name set to the DeviceId. You must also add the certificate of your Azure Sphere tenant to IoT Hub to allow IoT Hub to trust your devices. How to do that is described in https://docs.microsoft.com/en-us/azure-sphere/app-development/setup-iot-hub . The DeviceId, the device name in IoT Hub and the CN of the authentication certificate must match.

ImranBhadelia-6395 answered

Hello @MichalZurek

The CN of the authentication certificate has a limitation of 64 characters, and the Sphere device ID is 128 characters long. That means the device ID and the CN are going to differ, so how will authentication work?

Imran

matsujirushi answered

You can look at the client certificate using Wireshark.

100764-image.png
100773-image.png

Which field did you want to look at?



ImranBhadelia-6395 answered matsujirushi edited

Subject field. This has the CN.
101238-certificate.png




Hi @ImranBhadelia-6395 ,

101818-image.png



CN = 961b0f3af5c4ea9581512975f8e21a81dfed93bef7a73854d802c8bdeff7f5a8516639b653e6f082009f5c660c9b96bb1b16f49a56d7de51a089ac01ae3376ec

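An added example, not part of any post in this thread and not Microsoft's code: the 64-character figure is the ub-common-name upper bound in the RFC 5280 ASN.1 module, which CA tooling may enforce, while DER encoding itself can carry a longer CN. The sketch wraps the CN value quoted above in a constructed Subject (the single-RDN layout and UTF8String type are assumptions) and checks it against that bound and an expected device ID.

```python
UB_COMMON_NAME = 64                 # ub-common-name, RFC 5280 Appendix A
OID_CN = bytes([0x55, 0x04, 0x03])  # 2.5.4.3, id-at-commonName

def tlv(tag, body):
    """DER-encode one element; bodies of 128+ bytes need long-form length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:               # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def subject_cn(name_der):
    """Return the commonName from a DER Name, or None if it has no CN."""
    _, rdns, _ = read_tlv(name_der, 0)        # RDNSequence
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)     # SET (one RDN)
        _, atv, _ = read_tlv(rdn, 0)          # first AttributeTypeAndValue only
        _, oid, nxt = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, nxt)
        if oid == OID_CN:
            return val.decode("utf-8")
    return None

def check_cn(name_der, device_id):
    """Compare the subject CN with the expected device ID and the 64 bound."""
    cn = subject_cn(name_der)
    if cn is None:
        raise ValueError("subject has no commonName")
    return {"length": len(cn),
            "within_ub_common_name": len(cn) <= UB_COMMON_NAME,
            "matches_device_id": cn.lower() == device_id.lower()}

# CN value quoted in the thread; the Subject wrapped around it is constructed.
DEVICE_ID = ("961b0f3af5c4ea9581512975f8e21a81dfed93bef7a73854d802c8bdeff7f5a8"
             "516639b653e6f082009f5c660c9b96bb1b16f49a56d7de51a089ac01ae3376ec")
SUBJECT = tlv(0x30, tlv(0x31, tlv(0x30,
              tlv(0x06, OID_CN) + tlv(0x0C, DEVICE_ID.encode()))))
```
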
ImranBhadelia-6395 answered ImranBhadelia-6395 commented

Hi @matsujirushi


As per this link, the CN only allows 64 characters, and in the case of Sphere it's 128. Wondering, as we asked the CA authority to generate a device leaf certificate having a device ID of 100 characters, but due to CN validation it failed during leaf certificate generation.



Hi @ImranBhadelia-6395 ,
Why not use a Certificate issued by the DAA?


Did not get you DAA?

Basically, I need to understand why Sphere allows a 128-character-long CN.

Imran
