---
title: Tutorial - Prove Ownership of CA certificates in Azure IoT Hub | Microsoft Docs
description: Tutorial - Prove that you own a CA certificate for Azure IoT Hub
author: kgremban
ms.service: iot-hub
services: iot-hub
ms.topic: tutorial
ms.date: 06/25/2021
ms.author: kgremban
---
When you upload your root certification authority (CA) certificate or subordinate CA certificate to your IoT hub, you can set it to verified automatically, or manually prove that you own the certificate.
1. In the Azure portal, navigate to your IoT hub and select Settings > Certificates.

2. Select Add to add a new CA certificate.

3. Enter a display name in the Certificate name field, and select the PEM certificate to add.

4. To automatically verify the certificate, check the box next to Set certificate status to verified on upload.

    :::image type="content" source="media/tutorial-x509-prove-possession/skip-pop.png" alt-text="Screenshot showing where the checkbox to skip proof of possession is":::

5. Select Save. Your certificate is shown in the certificate list with a status of Verified.

6. If you didn't choose to automatically verify the certificate during upload, your certificate is shown in the certificate list with a status of Unverified.

7. Select the certificate to view the Certificate Details dialog.

8. Select Generate Verification Code in the dialog.

    :::image type="content" source="media/tutorial-x509-prove-possession/certificate-details.png" alt-text="Certificate details dialog":::

9. Copy the verification code to the clipboard. You must set the verification code as the certificate subject. For example, if the verification code is 75B86466DA34D2B04C0C4C9557A119687ADAE7D4732BDDB3, add that as the subject of your certificate as shown in the next step.

10. There are three ways to generate a verification certificate:

    - If you are using the PowerShell script supplied by Microsoft, run

      ```powershell
      New-CACertsVerificationCert "75B86466DA34D2B04C0C4C9557A119687ADAE7D4732BDDB3"
      ```

      to create a certificate named VerifyCert4.cer. For more information, see Using Microsoft-supplied Scripts.

    - If you are using the Bash script supplied by Microsoft, run

      ```bash
      ./certGen.sh create_verification_certificate "75B86466DA34D2B04C0C4C9557A119687ADAE7D4732BDDB3"
      ```

      to create a certificate named verification-code.cert.pem. For more information, see Using Microsoft-supplied Scripts.

    - If you are using OpenSSL to generate your certificates, you must first generate a private key and then a certificate signing request (CSR). Enter `.` at a prompt to leave that field blank; only the Common Name needs a value, and it must be exactly the verification code:

      ```bash
      $ openssl genpkey -out pop.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048

      $ openssl req -new -key pop.key -out pop.csr
      -----
      Country Name (2 letter code) [XX]:.
      State or Province Name (full name) []:.
      Locality Name (eg, city) [Default City]:.
      Organization Name (eg, company) [Default Company Ltd]:.
      Organizational Unit Name (eg, section) []:.
      Common Name (eg, your name or your server hostname) []:75B86466DA34D2B04C0C4C9557A119687ADAE7D4732BDDB3
      Email Address []:

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:
      ```

      Then, create a certificate using the root CA configuration file (shown below) or the subordinate CA configuration file and the CSR. The certificate must be signed by the same CA whose certificate you uploaded, so that IoT Hub can chain it back to that CA:

      ```bash
      openssl ca -config rootca.conf -in pop.csr -out pop.crt -extensions client_ext
      ```

      For more information, see Using OpenSSL to Create Test Certificates.

11. Select the new certificate in the Certificate Details view.

12. After the certificate uploads, select Verify. The CA certificate status should change to Verified.
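The OpenSSL path above, carried through end to end as an added example (this is not Microsoft's certGen.sh and not the page's own commands): it builds a throwaway root CA to stand in for your real one, issues the proof-of-possession certificate with the verification code as its Common Name, and checks both the CN and the chain before you upload anything. It signs with `openssl x509 -req` instead of `openssl ca`, so no rootca.conf or CA database is needed; the verification code is the sample value used throughout this page, and the `Test Root CA` subject is made up.

```bash
#!/usr/bin/env bash
# Added example (not Microsoft's certGen.sh): build a throwaway root CA,
# issue a proof-of-possession certificate whose subject CN is the IoT Hub
# verification code, and check the CN and chain before uploading it.
set -euo pipefail

# Constructed sample; paste the code the portal generated for your CA.
VERIFICATION_CODE="75B86466DA34D2B04C0C4C9557A119687ADAE7D4732BDDB3"

# Creates rootca.key / rootca.pem in $1 (stand-in for your real root CA).
make_test_root_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/rootca.key" 2>/dev/null
  openssl req -x509 -new -key "$1/rootca.key" -days 30 \
    -subj "/CN=Test Root CA" -out "$1/rootca.pem" 2>/dev/null
}

# Issues pop.crt in $1 with CN = $2, signed by the root CA in $1.
# Uses "openssl x509 -req" instead of "openssl ca" so no CA database is needed.
make_pop_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/pop.key" 2>/dev/null
  # Only the Common Name matters: it must be exactly the verification code.
  openssl req -new -key "$1/pop.key" -subj "/CN=$2" -out "$1/pop.csr" 2>/dev/null
  openssl x509 -req -in "$1/pop.csr" -CA "$1/rootca.pem" -CAkey "$1/rootca.key" \
    -CAcreateserial -days 1 -out "$1/pop.crt" 2>/dev/null
}

# Prints the subject CN of the certificate file $1.
pop_cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Returns 0 only if pop.crt in $1 carries CN = $2 and chains to rootca.pem.
check_pop_cert() {
  [ "$(pop_cert_cn "$1/pop.crt")" = "$2" ] || return 1
  openssl verify -CAfile "$1/rootca.pem" "$1/pop.crt" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_test_root_ca "$workdir"
make_pop_cert "$workdir" "$VERIFICATION_CODE"
if check_pop_cert "$workdir" "$VERIFICATION_CODE"; then
  echo "Ready to upload: $workdir/pop.crt"
else
  echo "CN or chain check failed; do not upload" >&2
  exit 1
fi
```

A short-lived certificate (one day here) is enough, because IoT Hub only needs to see a valid signature from your CA over the verification code at the moment you select Verify.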