Tags: azure, ssl, x509, azure-iot-hub, makecert

Invalid CN error when trying to enroll device using IoT Hub Device Provisioning Service


I am trying to register a fake device with Azure IoT DPS. This is my first attempt at using the DPS. I have added X.509 self-signed certificates for the following and got them verified by Azure using the 'proof of possession' technique.

  1. The IoT Hub
  2. The DPS itself

I am trying to add a leaf certificate for the device. The leaf cert uses the DPS cert as its CA (commands used are below). I get an error:

The CN (common name) in the primary certificate is invalid.

I read that the device registration ID has to be the same as the CN. So either the CN used needs modification, or there needs to be a way for me to specify the same registration ID as my CN.

Can someone help with these questions?

  1. Where can the device registration ID be specified on DPS? The Add enrollment page does not have this field. Device ID is there, but it is an optional field. If not entered, the device ID will be set to the registration ID itself, as per the documentation.
  2. For a leaf certificate, can the CN be any valid common name identifier, or should it contain more details like the root CA name etc.? (The device registration ID needs to be alphanumeric, lowercase, and may contain hyphens.)

Commands used to generate certificates:

makecert -r -pe -n "CN=Sam-DPS.azure-devices-provisioning.net" -cy authority -sky signature -sv Sam-DPS.pvk Sam-DPS.cer

makecert -pe -n "CN=hl1234" -cy end -sky signature -ic Sam-DPS.cer -iv Sam-DPS.pvk -sv hl1234.pvk hl1234.cer

Solution

    1. Where can the device registration ID be specified on DPS? The Add enrollment page does not have this field. Device ID is there, but it is an optional field. If not entered, the device ID will be set to the registration ID itself, as per the documentation.

    You can't specify the registration ID in the Azure portal. For X.509, the registration ID comes automatically from the subject name (CN) of the certificate when you upload a leaf certificate and add an individual enrollment successfully. The device ID is the ID as it appears in IoT Hub. You can use a device ID created from IoT Hub, or leave it empty and it will be set to the registration ID when you register this device. You will see it in IoT Hub after registering successfully.

    2. For a leaf certificate, can the CN be any valid common name identifier, or should it contain more details like the root CA name etc.? (The device registration ID needs to be alphanumeric, lowercase, and may contain hyphens.)

    The leaf certificate's CN does not need to relate to the root CA. But because the registration ID is provided as the subject name of the certificate, the CN needs to follow the rules of the registration ID:

    The registration ID is alphanumeric, lowercase, and may contain hyphens.

    I tested "hl1234" as the device leaf certificate CN; it is valid.


    You can check this for creating a leaf certificate.
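As an added example (not part of the answer, and not Azure's tooling), a Python pre-check that pulls the CN out of a DER-encoded certificate Subject and tests it against the registration ID rule quoted above, so an invalid CN is caught before the leaf certificate is uploaded to DPS. The Subject is constructed inside the script in place of a real leaf certificate's Subject field.

```python
import re

# Registration ID rule as quoted in the answer above: alphanumeric, lowercase, may contain hyphens.
REGISTRATION_ID_RE = re.compile(r"[a-z0-9-]+")
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3), DER-encoded

def der_tlv(tag: int, body: bytes) -> bytes:
    """DER TLV; the constructed sample stays below 128 bytes, so the short length form suffices."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_subject(value: str, oid: bytes = OID_COMMON_NAME) -> bytes:
    """Constructed sample: a DER Name with one attribute (CN by default), like a leaf certificate's Subject."""
    atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode()))  # AttributeTypeAndValue, UTF8String
    return der_tlv(0x30, der_tlv(0x31, atv))  # Name = SEQUENCE OF RelativeDistinguishedName (SET)

def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos (short or long length form); return (tag, contents, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def common_name_from_subject(subject_der: bytes):
    """Walk Name -> RDN SET -> AttributeTypeAndValue and return the CN string, or None if there is none."""
    _, rdns, _ = read_tlv(subject_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)
            _, oid, after_oid = read_tlv(atv, 0)
            if oid == OID_COMMON_NAME:
                tag, value, _ = read_tlv(atv, after_oid)
                return value.decode("utf-8" if tag == 0x0C else "ascii")  # UTF8String or PrintableString
    return None

def check_leaf_cn(subject_der: bytes):
    """(True, cn) when the CN can serve as a DPS registration ID; otherwise (False, reason)."""
    cn = common_name_from_subject(subject_der)
    if cn is None:
        return False, "subject has no CN"
    if not REGISTRATION_ID_RE.fullmatch(cn):
        return False, f"CN {cn!r} is not lowercase alphanumeric with hyphens"
    return True, cn
```

Run against the two CNs from the question: "hl1234" passes, while the CA-style name "Sam-DPS.azure-devices-provisioning.net" is rejected for its uppercase letters and dots.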