Jared Rhodes  

Azure IoT Hub – OpenSSL – Generate proof of possession

The Azure IoT documentation has guides on setting up certificates for production use. That documentation shows how to properly set up proof of possession using certificate authorities. For development purposes, you may want to use self-signed certificates.

  1. Assume the original key and cert were created with the following commands (Azure IoT reports the cert as unverified when you upload it):
# Create root key
openssl genrsa -out iotHubRoot.key 2048

# Create root cert
openssl req -new -x509 -key iotHubRoot.key -out iotHubRoot.cer -days 500
  2. Then generate the verification cert (be sure to fill in the Common Name with the verification code):
# Create verification key and csr
openssl genrsa -out verification.key 2048
openssl req -new -key verification.key -out verification.csr

# It will prompt for cert fields.
# IMPORTANT: The Common Name needs to be your Verification Code (generate and copy that from portal)

# Create verification pem
openssl x509 -req -in verification.csr -CA iotHubRoot.cer -CAkey iotHubRoot.key -CAcreateserial -out verification.pem -days 500 -sha256
  3. Upload the pem file to the portal to verify the certificate
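
A non-interactive run of the steps above with a local check before upload, as an added example that is not part of the original post: `-subj` replaces the prompts. The function names, the root subject `Example Dev Root` and the sample verification code are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: steps 1-2 without prompts, plus a pre-upload sanity check.
set -e

# Create the self-signed root, then a verification cert whose Common Name
# is the verification code copied from the portal.
make_pop_cert() {
  local dir="$1" code="$2"
  openssl genrsa -out "$dir/iotHubRoot.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/iotHubRoot.key" -out "$dir/iotHubRoot.cer" \
    -days 500 -subj "/CN=Example Dev Root"   # root subject is an assumption
  openssl genrsa -out "$dir/verification.key" 2048 2>/dev/null
  openssl req -new -key "$dir/verification.key" -out "$dir/verification.csr" \
    -subj "/CN=$code"                        # replaces the interactive prompt
  openssl x509 -req -in "$dir/verification.csr" -CA "$dir/iotHubRoot.cer" \
    -CAkey "$dir/iotHubRoot.key" -CAcreateserial \
    -out "$dir/verification.pem" -days 500 -sha256 2>/dev/null
}

# Print the Common Name of a certificate whose subject contains only a CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=//p'
}

# Succeed only if verification.pem chains to the root AND its CN equals the code.
check_pop_cert() {
  local dir="$1" code="$2"
  openssl verify -CAfile "$dir/iotHubRoot.cer" "$dir/verification.pem" \
    >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$dir/verification.pem")" = "$code" ]
}

CODE="0123456789ABCDEF0123456789ABCDEF"   # constructed sample, not a real portal code
WORK="$(mktemp -d)"
make_pop_cert "$WORK" "$CODE"
if check_pop_cert "$WORK" "$CODE"; then
  echo "ready to upload: $WORK/verification.pem"
fi
```

The private keys are written unencrypted into the working directory, which suits the development use the post describes; delete the directory when the certificate has been verified.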

5 thoughts on “Azure IoT Hub – OpenSSL – Generate proof of possession”

  1. […] Azure IoT Hub – OpenSSL – Generate proof of possession (Jared Rhodes) […]

  2. Thomas Gaustad

    Jared, I owe you a beer if you are ever in Copenhagen.
    You have one small typo: “openssl x509 -req -in -verification.csr ….” should be “openssl x509 -req -in verification.csr ..”. There is a – in front of verification.csr.
    This has helped me quite a lot, paired with this guide https://docs.microsoft.com/bs-latn-ba/azure/iot-hub/iot-hub-security-x509-get-started. The MS guide slips by how to do the process exactly, and you may want to emphasise that the verification code comes from the initial csr file (step 1) that can be uploaded to the IoT Hub, and then the verification code can be generated and the remaining steps can be done as you describe.

  3. Shawn Deggans

    Thanks for this! This is much faster than my older method of creating self-signed certificates.

  4. Abdelhadi Lammini

    Thanks a lot mate, this helps a lot.
    PS: for the last line command there is a dash next to verification that should be deleted.

  5. Reinaldo Abreu

    Thanks Jared, helps a lot.
