0 Votes
AzureEktos-2638 asked azure-cxp-api edited

Maximum ROOT_CA Expiration

Hello
Could you help me with some questions?

What maximum expiration can we set for Root CA cert for IoT Hub?
Does Azure IoT Hub have any limits in this case?

azure-iot-hub azure-iot-edge

Hello @AzureEktos-2638 ,
Please share with us if you have any other questions related to your original post. Otherwise, could you go ahead and mark the below as the answer?

Thank you so much.

0 Votes
asergaz answered

Hello @AzureEktos-2638 ,

There is no hard rule for the maximum expiration of your self-signed X509 certificate deployed to Azure IoT Hub. Nevertheless, even if the certificate is long-lived, you need to account for the fact that it can expire, and there needs to be a way to update the certificate on the device.

Sharing some good reading about X509 on Azure IoT Hub:


1 Vote
SatishBoddu-MSFT answered

Hello @AzureEktos-2638 ,

This is a great question.

Does Azure IoT Hub have any limits in this case?

Azure IoT Hub accepts the certificate with the set validity.

As Asergaz already said in the initial response, there is no hard rule for the maximum set expiration of the certificate.

What maximum expiration can we set for Root CA cert for IoT Hub?

In the below example\test, I have created a test root CA cert with a validity of 100 years and uploaded it to IoTHub.

108937-image.png

108981-image.png

May we know how many years of validity you are looking for in your scenario?
Root certificates also typically have long periods of validity, compared to intermediate certificates. They will often last for 10 or 20 years, which gives enough time to prepare for when they expire. However, there still can be hiccups in the process of switching to the new root certificate. (Ref)

Reference: OpenSSL
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 36500 -out rootCACert.pem

Please do comment in the below section for further help in this matter.
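Both answers note that a long-lived root CA certificate still expires and needs a rotation plan. The script below is an added example, not part of either answer: it creates a throwaway root CA with the openssl command quoted above and then checks how close the certificate is to expiry. The subject name, temporary directory, function names and warning thresholds are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example. File names follow the openssl command quoted in the answer;
# the subject, function names and thresholds are assumptions.
set -eu

# make_root_ca DIR DAYS: create a throwaway key and a self-signed root CA
# certificate valid for DAYS days (test material only, key is unencrypted).
make_root_ca() {
    openssl genrsa -out "$1/rootCAKey.pem" 2048 2>/dev/null
    openssl req -x509 -sha256 -new -nodes -key "$1/rootCAKey.pem" \
        -days "$2" -subj "/CN=Example Test Root CA" \
        -out "$1/rootCACert.pem"
}

# not_after CERT: print the certificate's expiry date as openssl reports it.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# expires_within CERT DAYS: exit 0 if CERT expires within DAYS days.
# "openssl x509 -checkend N" exits 0 when the cert is still valid N seconds
# from now, so the result is inverted here.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# rotation_status CERT WARN_DAYS: print ROTATE when the certificate is inside
# the warning window, otherwise OK. Suitable for a scheduled monitoring job.
rotation_status() {
    if expires_within "$1" "$2"; then echo "ROTATE"; else echo "OK"; fi
}

# Demo: a 100-year root CA checked against a 10-year warning window.
demo_dir=$(mktemp -d)
make_root_ca "$demo_dir" 36500
echo "notAfter: $(not_after "$demo_dir/rootCACert.pem")"
echo "status:   $(rotation_status "$demo_dir/rootCACert.pem" 3650)"
rm -rf "$demo_dir"
```

Running the same check against the certificate actually uploaded to the hub, with a warning window long enough to re-provision devices, turns the expiry date into an alert rather than an outage.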




