- Follow the steps in Building the services to build the services.
- (Optional) If you want to test `aziot-keyd` with PKCS#11, see Setting up your PKCS#11 library.
- Create an Azure IoT Hub and an Azure IoT Device identity in that IoT Hub. Depending on the auth method you choose for the device identity, the services will be configured accordingly later.
  - If the device identity is set to use the `shared_private_key` auth method, retain one of the SAS keys generated by IoT Hub.
  - If the device identity is set to use the `x509_thumbprint` auth method, create a device ID cert and retain its private key and public X.509 PEM.
  - If the device identity is set to use the `x509_ca` auth method, create a device ID CA cert and retain its private key and public X.509 PEM.

  For `x509_thumbprint` and `x509_ca`, you can use hardware-backed private keys for the certs if you're using PKCS#11.
- Start `aziot-keyd` in one shell. See Configuring and running `aziot-keyd`.
- Start `aziot-certd` in another shell. See Configuring and running `aziot-certd`.
- Start `aziot-identityd` in another shell. See Configuring and running `aziot-identityd`.
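#!/usr/bin/env bash
# Create a self-signed device-ID root CA, register it with an Azure IoT Hub,
# prove possession of its key via the verification-code flow, then issue one
# device-ID certificate signed by that CA for a device using x509_ca auth.
#
# Requires: az (with the IoT extension), openssl, jq.
# Inputs:   IOT_HUB_NAME, IOT_DEVICE_ID (defaults below; override via env).
# Outputs:  ./scratch/device-id-root.{key.pem,pem}  - the root CA
#           ./scratch/device-id.{key.pem,pem}       - the device-ID cert
set -euo pipefail

IOT_HUB_NAME="${IOT_HUB_NAME:-example}"
IOT_DEVICE_ID="${IOT_DEVICE_ID:-example-1}"

# Certs and keys will be stored here.
# The private keys are written unencrypted (-nodes), so make everything
# this script creates readable by the owner only.
umask 077
mkdir -p scratch
cd scratch

# Create self-signed root CA
rm -f \
  device-id-root.key.pem \
  device-id-root.pem
openssl req \
  -x509 \
  -newkey rsa:4096 -keyout device-id-root.key.pem -nodes \
  -out device-id-root.pem \
  -subj '/CN=device-id-root' \
  -days 365

# Upload root CA to IoT Hub
az iot hub certificate create \
  --hub-name "$IOT_HUB_NAME" --name device-id-root \
  --path "$PWD/device-id-root.pem"

# Fetch the current etag; the verification-code request must present it.
etag="$(
  az iot hub certificate show \
    --hub-name "$IOT_HUB_NAME" --name device-id-root \
    --query etag --output tsv
)"

# Generate verification code and also save the new etag
cloud_certificate="$(
  az iot hub certificate generate-verification-code \
    --hub-name "$IOT_HUB_NAME" --name device-id-root \
    --etag "$etag"
)"
etag="$(jq -r '.etag' <<< "$cloud_certificate")"
verification_code="$(jq -r '.properties.verificationCode' <<< "$cloud_certificate")"
# jq -r prints "null" for a missing field; do not mint a cert with that CN.
if [[ -z "$verification_code" || "$verification_code" == "null" ]]; then
  printf 'failed to obtain a verification code from IoT Hub\n' >&2
  exit 1
fi

# Print the verification code.
# This becomes the CN of the verification cert, which proves to IoT Hub
# that we hold the CA's private key.
printf '%s\n' "$verification_code"

# Generate CSR for verification cert and sign it
# with the root CA to get the verification cert.
# (-days is only meaningful when signing; the CSR itself has no validity.)
rm -f \
  device-id-root-verify.key.pem \
  device-id-root-verify.csr \
  device-id-root-verify.pem
openssl req \
  -newkey rsa:2048 -keyout device-id-root-verify.key.pem -nodes \
  -out device-id-root-verify.csr \
  -subj "/CN=$verification_code"
openssl x509 -req \
  -in device-id-root-verify.csr \
  -CA device-id-root.pem -CAkey device-id-root.key.pem \
  -out device-id-root-verify.pem \
  -days 365 -CAcreateserial

# Upload verification cert to IoT Hub
az iot hub certificate verify \
  --hub-name "$IOT_HUB_NAME" --name device-id-root \
  --path "$PWD/device-id-root-verify.pem" \
  --etag "$etag"

# Clean up verification cert
rm -f \
  device-id-root-verify.key.pem \
  device-id-root-verify.csr \
  device-id-root-verify.pem

# device-id-root.pem and device-id-root.key.pem are now ready
# to be used to issue device ID certs.
# ---
# To manually issue a device ID cert signed by this CA cert:

# Create device identity with X.509-CA auth mode
az iot hub device-identity create \
  --hub-name "$IOT_HUB_NAME" --device-id "$IOT_DEVICE_ID" \
  --auth-method x509_ca

# Generate CSR for device ID cert and sign it
# with the root CA to get the device ID cert.
# The CN must equal the device ID for x509_ca auth to succeed.
rm -f \
  device-id.key.pem \
  device-id.csr \
  device-id.pem
openssl req \
  -newkey rsa:2048 -keyout device-id.key.pem -nodes \
  -out device-id.csr \
  -subj "/CN=$IOT_DEVICE_ID"
openssl x509 -req \
  -in device-id.csr \
  -CA device-id-root.pem -CAkey device-id-root.key.pem \
  -out device-id.pem \
  -days 365 -CAcreateserial

# Clean up device ID CSR
rm -f device-id.csr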