articles/iot-dps/concepts-device-oem-security-practices.md (1 addition & 4 deletions)
@@ -93,7 +93,6 @@ Consider the following variables, and how each one impacts the overall manufactu
93
93
It can be costly and complex to manage a public key infrastructure (PKI). Especially if your company doesn't have any experience managing a PKI. Your options are:
94
94
- Use a third-party PKI. You can buy intermediate signing certificates from a third-party certificate vendor. Or you can use a private Certificate Authority (CA).
95
95
- Use a self-managed PKI. You can maintain your own PKI system and generate your own certificates.
96
-
- Use the [Azure Sphere](https://azure.microsoft.com/services/azure-sphere/) security service. This option applies only to Azure Sphere devices.
97
96
98
97
#### Where certificates are stored
99
98
There are a few factors that affect the decision on where certificates are stored. These factors include the type of device, expected profit margins (whether you can afford secure storage), device capabilities, and existing security technology on the device that you might be able to use. Consider the following options:
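Review bot: The removed bullet at old line 96 was the only item in this list that pointed readers to the Azure Sphere security service as a PKI option, and the hunk gives no reason for dropping it. If the option is being retired, the commit message should say so, and the rest of the article (for example the "Where certificates are stored" options that follow) should be checked for remaining Azure Sphere references so the guidance stays consistent after this change. Minor style point on the unchanged context line 93: "Especially if your company doesn't have any experience managing a PKI." is a sentence fragment; joining it to the preceding sentence with a comma would read more cleanly.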
@@ -113,9 +112,7 @@ Depending on the type of devices you produce, you might have a regulatory requir
113
112
- Sensitive industry. Certificates should be installed in a secure room according to compliance certification requirements. If you need a secure room to install certificates, you're likely already aware of how certificates get installed in your devices. And you probably already have an audit system in place.
114
113
115
114
#### Length of certificate validity
116
-
Like a driver's license, certificates have an expiration date that is set when they're created. Here are the options for length of certificate validity:
117
-
- Renewal not required. This approach uses a long renewal period, so you'll never need to renew the certificate during the device's lifetime. While such an approach is convenient, it's also risky. You can reduce the risk by using secure storage like an HSM on your devices. However, the recommended practice is to avoid using long-lived certificates.
118
-
- Renewal required. You need to renew the certificate during the lifetime of the device. The length of the certificate validity depends on context, and you need a strategy for renewal. The strategy should include where you're getting certificates, and what type of over-the-air functionality your devices have to use in the renewal process.
115
+
Like a driver's license, certificates have an expiration date that is set when they're created. You need to renew the certificate during the lifetime of the device. The length of the certificate validity depends on context, and you need a strategy for renewal. The strategy should include where you're getting certificates, and what type of over-the-air functionality your devices have to use in the renewal process.
119
116
120
117
### When to generate certificates
121
118
The internet connectivity capabilities at your factory impact your process for generating certificates. You have several options for when to generate certificates:
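Review bot: Collapsing the two "Renewal not required" / "Renewal required" bullets (old lines 117-118) into the single paragraph at new line 115 silently drops the explicit recommendation against long-lived certificates and the caveat that secure storage such as an HSM only reduces, not removes, that risk. Readers who currently ship devices with certificates that are never renewed lose the sentence that tells them this practice is not recommended; consider keeping a short sentence such as "The recommended practice is to avoid long-lived certificates that are never renewed during the device's lifetime." in the new paragraph so the guidance stays explicit rather than implied. The commit message should also note why the option list was replaced, since the section heading "Length of certificate validity" still suggests a choice between validity lengths.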