Tutorial: Using OpenSSL to create self signed certificates - JohnHau/mis GitHub Wiki

You can authenticate a device to your IoT Hub using two self-signed device certificates. This is sometimes called thumbprint authentication because the certificates contain thumbprints (hash values) that you submit to the IoT hub. The following steps tell you how to create two self-signed certificates. This type of certificate is mainly used for testing.

## Step 1 - Create a key for the first certificate

```bash
openssl genpkey -out device1.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
```

## Step 2 - Create a CSR for the first certificate

Make sure that you specify the device ID when prompted for the Common Name.

```bash
openssl req -new -key device1.key -out device1.csr
```

```
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server hostname) []:{your-device-id}
Email Address []:
```

## Step 3 - Check the CSR

```bash
openssl req -text -in device1.csr -noout
```

## Step 4 - Self-sign certificate 1

```bash
openssl x509 -req -days 365 -in device1.csr -signkey device1.key -out device1.crt
```

## Step 5 - Create a key for the second certificate

```bash
openssl genpkey -out device2.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
```

## Step 6 - Create a CSR for the second certificate

When prompted, specify the same device ID that you used for certificate 1.

```bash
openssl req -new -key device2.key -out device2.csr
```

```
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:.
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server hostname) []:{your-device-id}
Email Address []:
```

## Step 7 - Self-sign certificate 2

```bash
openssl x509 -req -days 365 -in device2.csr -signkey device2.key -out device2.crt
```

## Step 8 - Retrieve the thumbprint for certificate 1

```bash
openssl x509 -in device1.crt -noout -fingerprint
```

## Step 9 - Retrieve the thumbprint for certificate 2

```bash
openssl x509 -in device2.crt -noout -fingerprint
```

## Step 10 - Create a new IoT device

Navigate to your IoT Hub in the Azure portal and create a new IoT device identity with the following characteristics:

- Provide the Device ID that matches the subject name (Common Name) of your two certificates.
- Select the X.509 Self-Signed authentication type.
- Paste the hex string thumbprints that you copied from your device primary and secondary certificates. Make sure that the hex strings have no colon delimiters.

## Next Steps

Go to Testing Certificate Authentication to determine if your certificate can authenticate your device to your IoT Hub. The code on that page requires that you use a PFX certificate. Use the following OpenSSL command to convert your device .crt certificate to .pfx format (substitute the device1 or device2 file names you created above):

```bash
openssl pkcs12 -export -in device.crt -inkey device.key -out device.pfx
```
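The same procedure as a script, added here as an example and not part of the original wiki page: it runs steps 1 to 9 and the PFX conversion non-interactively (`-subj` replaces the CSR prompts) and checks the two things the Step 10 form depends on, that both certificates carry the same CN and that the thumbprints have no colons. The device ID `my-device-01`, the temporary working directory and the PFX password `changeit` are assumptions.

```bash
#!/usr/bin/env bash
# Added example: scripts the wiki's steps 1-9 (plus the PFX conversion) for one
# device ID and checks the inputs the Step 10 portal form depends on.
set -euo pipefail

# Steps 1-4 (and 5-7 for the second cert): key, CSR with the device ID as CN, self-signed cert.
# -subj replaces the interactive prompts; only CN is set, matching the "." answers above.
make_self_signed() {
  local name="$1" device_id="$2" dir="${3:-.}"
  openssl genpkey -out "$dir/$name.key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$device_id" -out "$dir/$name.csr"
  openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
    -out "$dir/$name.crt" 2>/dev/null
}

# Steps 8-9: SHA-1 fingerprint as the portal expects it, hex with the colons stripped.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g'
}

# Subject CN, to compare against the Device ID before creating the device identity.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -e 's/.*CN *= *//'
}

# Self-signed check: the certificate must verify with itself as the only trust anchor.
is_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Next steps: PFX for the testing code. The password is an assumed placeholder.
to_pfx() {
  local name="$1" password="$2" dir="${3:-.}"
  openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
    -out "$dir/$name.pfx" -passout "pass:$password"
}

demo() {
  local device_id="my-device-01" dir   # assumed device ID
  dir="$(mktemp -d)"
  make_self_signed device1 "$device_id" "$dir"
  make_self_signed device2 "$device_id" "$dir"
  for n in device1 device2; do
    [ "$(cert_cn "$dir/$n.crt")" = "$device_id" ] || { echo "$n: CN mismatch" >&2; exit 1; }
    is_self_signed "$dir/$n.crt" || { echo "$n: not self-signed" >&2; exit 1; }
    echo "$n thumbprint (paste into the portal): $(thumbprint "$dir/$n.crt")"
  done
  to_pfx device1 "changeit" "$dir"
  echo "key, csr, crt and pfx files are in $dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `bash script.sh --demo`; the two thumbprints differ because each certificate has its own key, which is why the portal takes a primary and a secondary value.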