Commit 33b4da8

Merge pull request #232271 from PatAltimore/patricka-thumbprint-note
Clarify thumbprint match
2 parents e829379 + f4a5b34 commit 33b4da8

1 file changed

+4
-2
lines changed

articles/iot-edge/iot-edge-certs.md

Lines changed: 4 additions & 2 deletions
@@ -138,13 +138,13 @@ For example, we can use the following command to get the identity certificate's
138138
sudo openssl x509 -in /var/lib/aziot/certd/certs/deviceid-random.cer -noout -nocert -fingerprint -sha256
139139
```
140140

141-
The command outputs the certificate thumbprint:
141+
The command outputs the certificate SHA256 thumbprint:
142142

143143
```output
144144
SHA256 Fingerprint=1E:F3:1F:88:24:74:2C:4A:C1:A7:FA:EC:5D:16:C4:11:CD:85:52:D0:88:3E:39:CB:7F:17:53:40:9C:02:95:C3
145145
```
146146

147-
If we view the thumbprint value for the *EdgeGateway* device in the Azure portal, we can see it matches the thumbprint on *EdgeGateway*:
147+
If we view the SHA256 thumbprint value for the *EdgeGateway* device registered in IoT Hub, we can see it matches the thumbprint on *EdgeGateway*:
148148

149149
:::image type="content" source="./media/iot-edge-certs/edge-id-thumbprint.png" alt-text="Screenshot from Azure portal of EdgeGateway device's thumbprint in ContosoIotHub.":::
150150

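Review bot: new line 147 drops "in the Azure portal", but the screenshot on line 149 still carries the alt text "Screenshot from Azure portal of EdgeGateway device's thumbprint in ContosoIotHub", so the reader is no longer told where to look up the registered value. Consider keeping the location, for example "for the *EdgeGateway* device registered in IoT Hub, as shown in the Azure portal". The closing "matches the thumbprint on *EdgeGateway*" could also say "SHA256 thumbprint" so that both sides of the comparison name the same digest.
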
@@ -155,6 +155,8 @@ For more information about the certificate building process, see [Create and pro
155155
> [!NOTE]
156156
> This example doesn't address Azure IoT Hub Device Provisioning Service (DPS), which has support for X.509 CA authentication with IoT Edge when provisioned with an enrollment group. Using DPS, you upload the CA certificate or an intermediate certificate, the certificate chain is verified, then the device is provisioned. To learn more, see [DPS X.509 certificate attestation](../iot-dps/concepts-x509-attestation.md).
157157
>
158+
> In the Azure Portal, DPS displays the SHA1 thumbprint for the certificate rather than the SHA256 thumbprint.
159+
>
158160
> DPS registers or updates the SHA256 thumbprint to IoT Hub. You can verify the thumbprint using the command `openssl x509 -in /var/lib/aziot/certd/certs/deviceid-long-random-string.cer -noout -fingerprint -sha256`. Once registered, Iot Edge uses thumbprint authentication with IoT Hub. If the device is reprovisioned and a new certificate is issued, DPS updates IoT Hub with the new thumbprint.
159161
>
160162
> IoT Hub currently doesn't support X.509 CA authentication directly with IoT Edge.
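
Review bot: added line 158 says DPS displays the SHA1 thumbprint, but the verification command in the following paragraph (line 160) only computes `-sha256`, so the reader has nothing to compare the DPS portal value against. Either add the `-sha1` form of the same `openssl x509 ... -noout -fingerprint` command, or state explicitly that the value shown in DPS is not expected to match the SHA256 output. Style points: "Azure Portal" should be "Azure portal" to match line 149, and "Iot Edge" on line 160 could be corrected to "IoT Edge" while this note is being edited.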
