Tags: azure, x509certificate, azure-iot-hub

Questions regarding X509 certificate authentication in Azure IotHub


I have been using the Device Provisioning Service to provision the device using a device/leaf certificate that is signed by a CA authority. The DPS (Device Provisioning Service) registers the device in the assigned IoT Hub.

I noticed that the thumbprint in IoT Hub for this device is different from the thumbprint of the cert provided to the DPS (the device cert). I wanted to check and see if anyone knows how DPS creates these thumbprints.

It also looks like if the device uses another/different certificate signed by the same CA to connect to IoT Hub, it can do that without any issue. Is there a setting that checks for the individual thumbprint, or is the authentication based only on possession of a cert that was signed by the same CA as in DPS?

Your help is much appreciated.


Solution

  • When you use a CA-signed certificate with DPS, the DPS will add your device to the IoT hub using self-signed authentication. However, it uses an SHA256 fingerprint rather than the SHA1 that you are likely used to. You can view the SHA256 fingerprint with OpenSSL using the command:

    openssl x509 -noout -text -in <yourcert.pem> -fingerprint -sha256

    The IoT hub will try both the SHA1 fingerprint and the SHA256 fingerprint, so it works.
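To see the two thumbprints side by side and check a certificate against what was enrolled, here is an added example (not code from the question, the answer, or Azure) that computes the SHA1 and SHA256 thumbprints of a PEM certificate in the hex form IoT Hub displays, normalizes OpenSSL's colon-separated `Fingerprint=` output to that form, and reports which algorithm matched, mirroring the answer's point that the hub tries both. The `DEVICE_CERT_PEM` body is constructed placeholder bytes (base64 of `abc`), not a real X.509 certificate, so the script runs offline; in practice read the real leaf certificate file that was used for the DPS enrollment.

```python
import hashlib
import ssl
from typing import Dict, List, Optional

# Constructed stand-in for the device certificate file: the body is base64("abc"),
# not a real certificate. Replace with the contents of the real leaf cert PEM.
DEVICE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def thumbprint(der: bytes, algorithm: str = "sha256") -> str:
    """Thumbprint as IoT Hub shows it: hex digest of the DER bytes, upper-case, no colons."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept OpenSSL's 'SHA256 Fingerprint=AB:CD:...' form or the bare hub form."""
    _, _, value = text.rpartition("=")  # keeps the whole string when there is no '='
    return value.replace(":", "").strip().upper()


def pem_thumbprints(pem: str) -> Dict[str, str]:
    """Both thumbprints the hub may compare: SHA1 (legacy) and SHA256 (what DPS stores)."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # base64-decodes the PEM body to DER
    return {"sha1": thumbprint(der, "sha1"), "sha256": thumbprint(der, "sha256")}


def matches_enrollment(pem: str, enrolled: List[str]) -> Optional[str]:
    """Return the algorithm whose thumbprint matches an enrolled value, or None.

    This mirrors the hub checking both SHA1 and SHA256: a device operator can use it
    to confirm the certificate on the device is the one the hub identity was created from.
    """
    mine = pem_thumbprints(pem)
    wanted = {normalize_fingerprint(t) for t in enrolled}
    for algorithm, value in mine.items():
        if value in wanted:
            return algorithm
    return None


if __name__ == "__main__":
    for algorithm, value in pem_thumbprints(DEVICE_CERT_PEM).items():
        print(f"{algorithm}: {value}")
```

Run it against the real certificate and compare the SHA256 line with the thumbprint shown on the device identity in the IoT Hub portal; the hub value is the same hex string OpenSSL prints, only without the colons.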