Azure IoT Hub – OpenSSL – Generate proof of possession

The Azure IoT documentation has guides on setting up certificates for production use. That documentation shows how to set up proof of possession properly using certificate authorities. For development purposes, you may want to use self-signed certificates.

  1. Assume the original key and cert were created with the following commands (Azure IoT reports the cert as unverified if you upload it):

     ```
     # Create root key
     openssl genrsa -out iotHubRoot.key 2048

     # Create root cert
     openssl req -new -x509 -key iotHubRoot.key -out iotHubRoot.cer -days 500
     ```
  2. Then generate the verification cert (be sure to fill in the Common Name with the verification code):

     ```
     # Create verification key and csr
     openssl genrsa -out verification.key 2048
     openssl req -new -key verification.key -out verification.csr

     # It will prompt for cert fields.
     # IMPORTANT: The Common Name needs to be your Verification Code (generate and copy that from portal)

     # Create verification pem (signed by the root key and cert from step 1)
     openssl x509 -req -in verification.csr -CA iotHubRoot.cer -CAkey iotHubRoot.key -CAcreateserial -out verification.pem -days 500 -sha256
     ```
  3. Upload the pem file to the portal to verify the certificate
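
The steps above as a non-interactive script with a local pre-upload check, added here as an example (not the author's or Microsoft's code): it sets the Common Name with `-subj` instead of the prompt, then confirms that the verification cert chains to the root and carries the expected code. The function names, the root subject and the directory layout are assumptions; the verification code itself comes from the portal.

```shell
#!/bin/sh
# Added example. Development use only: the root key is written unencrypted.

# make_pop_cert DIR CODE
# Create the root key/cert and a verification cert whose CN is CODE, in DIR.
make_pop_cert() {
    dir=$1 code=$2
    (
        cd "$dir" || exit 1
        openssl genrsa -out iotHubRoot.key 2048 2>/dev/null &&
        openssl req -new -x509 -key iotHubRoot.key -out iotHubRoot.cer \
            -days 500 -subj "/CN=Dev IoT Hub Root (example)" &&
        openssl genrsa -out verification.key 2048 2>/dev/null &&
        openssl req -new -key verification.key -out verification.csr \
            -subj "/CN=$code" &&
        openssl x509 -req -in verification.csr -CA iotHubRoot.cer \
            -CAkey iotHubRoot.key -CAcreateserial -out verification.pem \
            -days 500 -sha256 2>/dev/null
    )
}

# check_pop_cert DIR CODE
# Succeed only if verification.pem is signed by the root in DIR and its
# Common Name is exactly CODE.
check_pop_cert() {
    dir=$1 code=$2
    openssl verify -CAfile "$dir/iotHubRoot.cer" "$dir/verification.pem" \
        >/dev/null 2>&1 || { echo "chain check failed" >&2; return 1; }
    cn=$(openssl x509 -in "$dir/verification.pem" -noout -subject \
        -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$code" ] || { echo "CN '$cn' does not match code" >&2; return 1; }
}

# Usage: sh pop.sh <output-dir> <verification-code-from-portal>
if [ "$#" -eq 2 ]; then
    make_pop_cert "$1" "$2" && check_pop_cert "$1" "$2" &&
        echo "verification.pem is ready to upload"
fi
```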

3 thoughts on “Azure IoT Hub – OpenSSL – Generate proof of possession”

  1. Jared, I owe you a beer if you are ever in Copenhagen.
    You have one small typo: “openssl x509 -req -in -verification.csr ….” should be “openssl x509 -req -in verification.csr ..”. There is a - in front of verification.csr.
    This has helped me quite a lot, paired with this guide https://docs.microsoft.com/bs-latn-ba/azure/iot-hub/iot-hub-security-x509-get-started. The MS guide slips by how to do the process exactly, and you may want to emphasise that the verification code comes from the initial csr file (step 1) that can be uploaded to the IoT Hub, and then the verification code can be generated and the remaining steps can be done as you describe.
