As mentioned on this page, IoT Edge devices should have their own certificates installed.
Those certificates will of course expire some day. Is there any documentation on how to 'roll' the certificates that are used by the IoT Edge device?
I'm using IoT Edge with DPS and TPM enrollment in one case.
In another case, I'm looking at using DPS with X509 certificate enrollment. Are the certificates that are used by DPS enrollment in this case the same as the IoT Edge certificates?
@fgheysels Thank you for bringing this scenario to our attention. Have you seen the following document: How to roll X.509 device certificates which discusses certificate management.
There is also X.509 device management for DPS: Quickstart: Enroll X.509 devices to the Device Provisioning Service using Java. Please be aware that there is a specific runtime depending on your specific requirements (Java, C#, Node.js, or Python). I provided the Java link.
Please let me know if you have additional questions regarding this topic.
Hi @Mike-Ubezzi-MSFT, thanks for the response.
I've read the 'how to roll device certificates', but in that article certificates are rolled via DPS with x509 attestation. I'm also using DPS but I'm using TPM attestation instead, so I do not know if we can roll certificates with DPS in that scenario as well.
(I'm using C# btw).
@fgheysels They are two separate things - edge device identity (in this case using TPM) and the edgeHub server cert so that modules and downstream devices can connect locally. Rolling DPS certs is currently separate from edgeHub certificate management, so it won't help.
Ok, good to confirm that those are separate things. However, there's no real guidance on how to roll edgeHub certificates on the devices, is there?
@fgheysels For production certificates, you bring/manage your own. So the mechanism to roll them is specific to your process and there is no generic guidance.
Just to understand, is the motivation to improve security or to prevent certs expiring in production?
@AshokPeddakotla-MSFT
We're currently in a test phase where we have edge gateways that still use the 'built-in' certificates that are installed when installing iotedge. For some of those gateways, the certificate has expired and the gateway is no longer connecting to IoT Hub.
The idea would be that we, when going to production, use custom certificates. However, when using our own certificates, the problem that we're facing now remains. Sooner or later, the certificate expires and we'll need to update them.
Unfortunately, you have to manage/update the production certificates.
I've gone through this document, where it is described that you need to install production certificates on the device.
However, what must be done on the IoT Hub side? I can imagine that the root certificate of the certs that are installed on the device must be known by IoT Hub?
@fgheysels The certs referenced in the linked doc are for establishing trust between IoT Edge Hub and modules/downstream devices. They have nothing to do with device identity, so IoT Hub doesn't know or care about them.
We hope that addresses your queries. Do let us know if you have further questions.
> @fgheysels The certs referenced in the linked doc are for establishing trust between IoT Edge Hub and modules/downstream devices. They have nothing to do with device identity, so IoT Hub doesn't know or care about them.
Ok clear.
However, since communication from IoT Edge to IoT Hub is done over TLS/SSL, there must be something that establishes this secure transport layer? Is this done via certificates as well?
Hello @fgheysels ,
Please allow me to point you to another article that I would strongly recommend you read (as well as the other docs it points to):
You can also refer to the TLS specification for details, for example: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2.
> However, since communication from IoT Edge to IoT Hub is done over TLS/SSL, there must be something that establishes this secure transport layer? Is this done via certificates as well?

You are absolutely right, you cannot connect to IoT Hub without using a TLS-based handshake and encryption. [From above doc]: "While establishing a secure TLS connection with IoT Hub, the IoT device authenticates IoT Hub using a root certificate that is part of the device SDK." IoT Edge uses the C# device SDK to connect to IoT Hub. The _root certificate that is part of the device SDK_ (A) is, for example, _DigiCert Baltimore Root_ (see it here) and has nothing to do with what is mentioned in the Prepare to deploy your IoT Edge solution in production doc: "Every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it." (B)
(A) is used to validate that you are "really" talking to IoT Hub, and (B) is used to authenticate your modules/downstream devices. There is a third certificate (C), which relates to the provisioning of your IoT Edge device when using an X509 cert (this is when you select X509 on your DPS enrollment, as described here). Even if you selected Symmetric Key as the mechanism on your DPS enrollment, you would still need cert (A) to establish the TLS connection to IoT Hub.
Nevertheless, all three will expire or may need to be revoked (due to a security breach, for example)! As already mentioned, this article describes How to roll X.509 device certificates, and according to what you are trying to achieve:
Hope I could clarify some points. Let us know if we answered all your questions. Thank you so much for your feedback once again!
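An added check (not from this thread or the IoT Edge project) for the expiry problem described above: dependency-free Python that walks the DER structure of a PEM certificate to read its notAfter field and reports the days remaining, so expiring edgeHub or device CA certificates can be caught before a gateway stops connecting. `constructed_sample_cert` builds an unsigned stand-in certificate so the script runs offline; in practice, point `cert_not_after` at the real PEM files configured on the device.

```python
import base64
from datetime import datetime, timezone
def _der(tag, payload):
    """Encode one DER TLV; short-form length only (enough for the stand-in cert)."""
    return bytes([tag, len(payload)]) + payload

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_not_after(pem):
    """Return the notAfter time of a PEM X.509 certificate as a UTC datetime."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(body), 0)       # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                          # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                         # [0] EXPLICIT version, or serialNumber (v1)
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                     # serialNumber follows the version
    _, _, pos = _tlv(tbs, pos)                         # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                         # issuer Name
    _, validity, _ = _tlv(tbs, pos)                    # validity SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)                      # notBefore
    tag, stamp, _ = _tlv(validity, pos)                # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp.decode(), fmt).replace(tzinfo=timezone.utc)

def days_until_expiry(pem, now_iso=None):
    """Days left before notAfter (negative once expired); now_iso fixes the clock for tests."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (cert_not_after(pem) - now).days

def constructed_sample_cert(not_after_utctime="210630120000Z"):
    """Constructed, unsigned stand-in certificate: only the validity field is meaningful."""
    utc = lambda s: _der(0x17, s.encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),               # version v3
        _der(0x02, b"\x01"),                            # serialNumber
        _der(0x30, b""),                                # signature algorithm (empty placeholder)
        _der(0x30, b""),                                # issuer Name (empty placeholder)
        _der(0x30, utc("200101000000Z") + utc(not_after_utctime)),  # validity
        _der(0x30, b""),                                # subject Name (empty placeholder)
    ]))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # + empty sig alg, empty BIT STRING
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

A negative result from `days_until_expiry` is exactly the state of the expired test gateways above; scheduling this check well ahead of zero is what turns certificate rolling from an outage into a planned task.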
@fgheysels since we have not heard back from you we will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
@asergaz Thanks for the clear explanation of how everything is used.
Just one additional question: in the documents you provided, it stated that you need to "Reprovision the device", where the first method indicates handling an "unauthorized" error. I can see how you can do this when building a device, but how do you perform this if you are using the IoT Edge Runtime? Do you need to develop a new module, or is this automatically done by the IoT Edge security daemon?