Tags: node.js, azure-iot-hub, azure-iot-edge, azure-iot-sdk, azure-iot-hub-device-management

Generate production x509 certificate


Trying to implement TPM provisioning for edge devices through Node.js: https://learn.microsoft.com/en-us/azure/iot-dps/quick-create-simulated-device-x509-node. As mentioned there, I am able to generate a self-signed certificate for testing purposes. Please help me with how to generate and validate for the production environment. I am not very clear terminology-wise and am looking for a starting point to do R&D.

Here is sample code for self-signed certificate validation, derived from the Azure IoT SDK for Node.js.

var fs = require('fs');
var Transport = require('azure-iot-provisioning-device-mqtt').Mqtt;
var X509Security = require('azure-iot-security-x509').X509Security;
var ProvisioningDeviceClient = require('azure-iot-provisioning-device').ProvisioningDeviceClient;
var provisioningHost = 'global.azure-devices-provisioning.net'; // DPS global endpoint
var idScope = process.env.ID_SCOPE;               // ID scope of the DPS instance
var registrationId = process.env.REGISTRATION_ID; // must equal the device cert's CN

var deviceCert = {  // PEM-encoded device certificate and private key
  cert: fs.readFileSync(process.env.CERTIFICATE_FILE).toString(),
  key: fs.readFileSync(process.env.KEY_FILE).toString()
};

var transport = new Transport();
var securityClient = new X509Security(registrationId, deviceCert);
var deviceClient = ProvisioningDeviceClient.create(provisioningHost, idScope, transport, securityClient);

Solution

If you look at the source of create_test_cert.js, you'll see that the parameters from the tutorial you are using create a self-signed cert. Additionally, the code uses Math.random instead of crypto.randomXXX. This is a red flag for me, but it could be nothing. The article says, "Self-signed certificates are for testing only, and should not be used in production."

The topic of secure key management is too big to be covered in a Stack Overflow answer, but from a 50,000-foot view: you want to create a root CA. Most large companies keep these very secure on machines that are not connected to the network or in special hardware fobs. From there you create one or more intermediate certs. A common pattern is an intermediate cert off the root CA for each product, then an intermediate cert off the product cert for each factory that builds the devices. From there, device certs are created from the intermediate factory certs. This way, if a third-party factory is compromised, you can revoke its cert and reissue without taking down the whole product or company.

The code for creating the root and intermediate certs is in the script. The only other thing you will want to do is use group enrollment to register the root CA or an intermediate CA with Device Provisioning Service. This way all device keys signed by a key that is registered, or that has a parent key that is registered with DPS, can be provisioned. The code for proof of possession needed for group enrollment is also in the script. I wrote a similar bash script a while back for the C version of the SDK that can be found here, in case that helps at all.
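The hierarchy the answer describes (root CA, one intermediate per product, one per factory, device certs under the factory CA) plus the proof-of-possession certificate that group enrollment asks for, worked through with openssl as an added example. This is not the answer's script and not Azure SDK code; the CA names, lifetimes, the registration ID `device-0001` and the verification code are all constructed for the demo, and everything is written into one temp directory, whereas in production the root and product keys stay offline or in an HSM. The last section also checks that a device certificate issued by a CA outside the registered chain is rejected.

```shell
#!/bin/sh
# Added example: three-tier device PKI with openssl (root -> product -> factory -> device).
set -eu

WORK="${WORK:-$(mktemp -d)}"   # demo only: production keeps the root key offline / in an HSM
cd "$WORK"

# Extension profiles. CAs get CA:TRUE with a path-length limit; leaves get CA:FALSE + clientAuth.
ca_ext() {   # $1 = pathlen limit, or "" for no limit (root)
  printf 'basicConstraints=critical,CA:TRUE%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "${1:+,pathlen:$1}"
}
leaf_ext() {
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n'
}

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }

# self_sign NAME CN EXTFILE: a self-signed CA (root of a trust chain)
self_sign() {
  new_key "$1"
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -sha256 -days 3650 -extfile "$3" -out "$1.crt" 2>/dev/null
}

# sign NAME CN PARENT EXTFILE DAYS: issue NAME.crt for a fresh key, signed by PARENT's key, random serial
sign() {
  new_key "$1"
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -set_serial "0x$(openssl rand -hex 16)" \
    -sha256 -days "$5" -extfile "$4" -out "$1.crt" 2>/dev/null
}

build_chain() {
  ca_ext ""  > root.ext; ca_ext 1 > ca1.ext; ca_ext 0 > ca0.ext; leaf_ext > leaf.ext
  self_sign root "Example Root CA" root.ext                 # constructed name; signs only intermediates
  sign product "Example Product CA" root    ca1.ext 1825    # one intermediate per product
  sign factory "Example Factory CA" product ca0.ext 730     # one per factory; revocable on its own
  sign device  "device-0001"        factory leaf.ext 365    # CN must equal the DPS registration ID
  cat product.crt factory.crt > intermediates.pem           # the device presents these with its leaf
}

# DPS proof of possession: after uploading a CA cert, DPS shows a verification code; you sign a
# throwaway cert whose CN is that code with the CA's key and upload it. Code below is constructed.
pop_cert() {   # $1 = CA name, $2 = verification code
  leaf_ext > pop.ext
  sign "pop-$1" "$2" "$1" pop.ext 1
}

# Chain check the way the service does it: trust only the root, treat intermediates as untrusted input.
verify_device() {   # prints "ok" or "fail"
  if openssl verify -CAfile root.crt -untrusted intermediates.pem "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'; }

build_chain
pop_cert factory "0123456789ABCDEF"   # constructed verification code

# Negative case: same registration ID, but issued under a CA that is not in the registered chain.
self_sign rogue "Rogue CA" root.ext
sign rogue-device "device-0001" rogue leaf.ext 365

echo "device-0001 via factory CA: $(verify_device device.crt)"        # ok
echo "device-0001 via rogue CA:   $(verify_device rogue-device.crt)"  # fail
echo "proof-of-possession CN:     $(cert_cn pop-factory.crt)"
```

Run it with `sh`, optionally with `WORK=/some/dir` to keep the output. The factory intermediate carries `pathlen:0`, so a compromised factory cannot mint further CAs, and revoking or replacing `factory.crt` in DPS leaves the product CA and every other factory untouched, which is the isolation the answer is after.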