How to get devices ready for production?

Question

We are launching our solution to production and following this tutorial Prepare to deploy your IoT Edge solution in production

Setting up the production certificates, we have some questions:

1. Are the certificates (as explained here) really necessary if we don't have downstream devices?
2. How is the overhead of setting up X.509 Self-signed authentication worth it? (compared to using Symmetric keys)

Regarding log files, is cleaning docker log files using logrotate relevant? As mentioned here

Answer 1

Hello @Ana Carraca ,

the certificates you reference are used for securing module-to-module communication. This is handled by the EdgeHub module.

Using the same mechanism for downstream devices is optionally but still it's still one of the production preparation steps.

Microsoft provides a 'development and test' certificate which is valid for 90 days.

If you do not replace that temporary certificate, the communication between modules will halt after these 90 days. Notice that a reboot of the device (I'm not sure if a restart of the service/daemon is also ok) will force the creation of a new 90 days certificate...

Conclusion: Are you fine with this 90 days limitation and a warning in 'sudo iotedge check' ?

Regarding Symmetric keys, the certificate mentioned above has nothing to do with device-to-cloud communication.

Though, symmetric keys are theoretically less secure than the used of certficates or TPM for D2C communication.

Finally, log files eat up harddisk space. You Edge device 'crashes' when disk space runs out. So yes, cleaning/reducing logfile size will help you in the end.