Tags: azure, x509certificate, x509, azure-iot-hub, azure-iot-sdk

Question Regarding X.509 Certificates and MXChip IoT DevKit


I am following the Device Provisioning Example for the MXChip IoT DevKit at Azure MXChip IoT DevKit DPS and have a question regarding X.509 certificates.

When I follow the sample everything works correctly. However, when I change the code on the device and upload the modified code, I get the following error:

{"errorCode":401002,"trackingId":"3f308efd-9274-4a7a-8994-56781ce87942","message":"Invalid certificate.","timestampUtc":"2020-06-18T00:29:58.411225Z"}

Upon further investigation, it looks like I have to create a new X.509 certificate each time I change the code. Is this proper behavior? I cannot seem to find any explanation for this and was hoping someone could give me info on the reason for the error. I'm guessing it does CRC checks (or similar) between the code and the certificate to validate that the code hasn't been tampered with.

Can someone please verify this? Thanks.


Solution

  • This is the response from the Microsoft/azure-iot-developer-kit Gitter forum.

    Yes, the certificate that the MXChip presents to DPS/IoT Hub is effectively the signature of the actual binary, using the unique device secret as the key for signing. Therefore, every time the binary code changes you will want to re-run the command-line tool that can simulate the certificate that MXChip will automatically generate on the fly, and configure this cert in your DPS enrollment.
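To make the behaviour described in the answer concrete, here is an added example that is not code from the MXChip SDK, the DPS sample, or the Gitter reply. It models a device whose identity is derived from its Unique Device Secret together with a measurement of the firmware image: any change to the binary yields a different certificate, and a DPS enrollment that still holds the old thumbprint rejects the device with the same 401002 "Invalid certificate" error the question quotes, until the thumbprint is regenerated from the new build and the enrollment is updated. The HMAC-SHA256 derivation, the SHA-256 "thumbprint" standing in for a real X.509 certificate, the sample UDS and the two firmware byte strings are all constructed assumptions for illustration, not the real DevKit scheme.

```python
"""Toy model of why a firmware-bound device certificate changes whenever the
binary changes. Added example, not MXChip SDK or Azure DPS code: the real device
derives its identity from the Unique Device Secret (UDS) and a measurement of the
binary; here that is modelled with HMAC-SHA256, and a SHA-256 hex digest stands
in for the thumbprint of the X.509 certificate the device would generate."""
import hashlib
import hmac

# Constructed sample inputs (assumptions): a fake UDS and two firmware images
# that differ by one edited constant, as when the sketch is modified and re-flashed.
UDS = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
FIRMWARE_V1 = b"\x7fELF...devkit-dps-sample...telemetry_interval=10"
FIRMWARE_V2 = b"\x7fELF...devkit-dps-sample...telemetry_interval=30"


def measure_firmware(firmware: bytes) -> bytes:
    """Measurement of the binary: SHA-256 over the whole image."""
    return hashlib.sha256(firmware).digest()


def derive_device_key(uds: bytes, firmware: bytes) -> bytes:
    """Firmware-bound device key: HMAC(UDS, measurement). Any byte change in the
    image produces an unrelated key, so the identity is tied to this exact build."""
    return hmac.new(uds, measure_firmware(firmware), hashlib.sha256).digest()


def cert_thumbprint(uds: bytes, firmware: bytes) -> str:
    """Stand-in for the SHA-256 thumbprint of the certificate the device would
    generate on the fly from its firmware-bound key (uppercase hex, as DPS shows it)."""
    return hashlib.sha256(derive_device_key(uds, firmware)).hexdigest().upper()


def dps_authenticate(enrolled_thumbprint: str, presented_thumbprint: str) -> dict:
    """Toy DPS enrollment check. Thumbprints are compared in constant time; the
    failure mirrors the 401002 response quoted in the question (trackingId and
    timestamp omitted). This is a model, not the DPS service logic."""
    if hmac.compare_digest(enrolled_thumbprint, presented_thumbprint):
        return {"status": "assigned"}
    return {"errorCode": 401002, "message": "Invalid certificate."}


def provision_after_rebuild(uds: bytes, old_fw: bytes, new_fw: bytes) -> tuple:
    """Walk through the scenario from the question: enroll the thumbprint of the
    original build, flash a modified build, observe 401002, re-run the thumbprint
    derivation (the 'command-line tool' step) against the new build, update the
    enrollment, and provision successfully. Returns (stale_result, fixed_result)."""
    enrolled = cert_thumbprint(uds, old_fw)          # enrollment made for build v1
    stale = dps_authenticate(enrolled, cert_thumbprint(uds, new_fw))  # device now runs v2
    enrolled = cert_thumbprint(uds, new_fw)          # regenerate cert for v2, update enrollment
    fixed = dps_authenticate(enrolled, cert_thumbprint(uds, new_fw))
    return stale, fixed


if __name__ == "__main__":
    print("v1 thumbprint:", cert_thumbprint(UDS, FIRMWARE_V1))
    print("v2 thumbprint:", cert_thumbprint(UDS, FIRMWARE_V2))
    stale, fixed = provision_after_rebuild(UDS, FIRMWARE_V1, FIRMWARE_V2)
    print("after re-flash, old enrollment:", stale)
    print("after re-enrolling new thumbprint:", fixed)
```

The practical check this illustrates: when a re-flashed DevKit starts failing with 401002, compute the thumbprint for the binary that is actually on the device and compare it with the one stored in the DPS enrollment before suspecting anything else; a mismatch there is expected, not a tampering alarm.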