You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/iot-hub/tutorial-x509-openssl.md
+5-14Lines changed: 5 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ author: kgremban
6
6
ms.service: iot-hub
7
7
services: iot-hub
8
8
ms.topic: tutorial
9
-
ms.date: 02/26/2021
9
+
ms.date: 02/24/2022
10
10
ms.author: kgremban
11
11
ms.custom: [mvc, 'Role: Cloud Development', 'Role: Data Analytics']
12
12
#Customer intent: As a developer, I want to be able to use X.509 certificates to authenticate devices to an IoT hub. This step of the tutorial needs to introduce me to OpenSSL that I can use to generate test certificates.
@@ -203,18 +203,9 @@ subjectKeyIdentifier = hash
203
203
204
204
## Step 6 - Create a subordinate CA
205
205
206
-
From the *subca* directory, create a new serial number in the *rootca/db/serial* file for the subordinate CA certificate.
207
-
208
-
```bash
209
-
openssl rand -hex 16 > ../rootca/db/serial
210
-
```
211
-
212
-
>[!IMPORTANT]
213
-
>You must create a new serial number for every subordinate CA certificate and every device certificate that you create. Different certificates cannot have the same serial number.
214
-
215
206
This example shows you how to create a subordinate or registration CA. Because you can use the root CA to sign certificates, creating a subordinate CA isn’t strictly necessary. Having a subordinate CA does, however, mimic real world certificate hierarchies in which the root CA is kept offline and subordinate CAs issue client certificates.
216
207
217
-
Use the configuration file to generate a private key and a certificate signing request (CSR).
208
+
From the *subca* directory, use the configuration file to generate a private key and a certificate signing request (CSR).
@@ -228,7 +219,7 @@ Submit the CSR to the root CA and use the root CA to issue and sign the subordin
228
219
229
220
## Step 7 - Demonstrate proof of possession
230
221
231
-
You now have both a root CA certificate and a subordinate CA certificate. You can use either one to sign device certificates. The one you choose must be uploaded to your IoT Hub. The following steps assume that you are using the subordinate CA certificate. To upload and register your subordinate CA certificate to your IoT Hub:
222
+
You now have both a root CA certificate and a subordinate CA certificate. You can use either one to sign device certificates. The one you choose must be uploaded to your IoT Hub. The following steps assume that you're using the subordinate CA certificate. To upload and register your subordinate CA certificate to your IoT Hub:
232
223
233
224
1. In the Azure portal, navigate to your IoTHub and select **Settings > Certificates**.
234
225
@@ -306,7 +297,7 @@ To generate a client certificate, you must first generate a private key. The fol
Create a certificate signing request (CSR) forthe key. You do not need to enter a challenge password or an optional company name. You must, however, enter the device IDin the common name field. You can also enter your own values for the other parameters such as **Country Name**, **Organization Name**, and so on.
300
+
Create a certificate signing request (CSR) forthe key. You don't need to enter a challenge password or an optional company name. You must, however, enter the device IDin the common name field. You can also enter your own values for the other parameters such as **Country Name**, **Organization Name**, and so on.
310
301
311
302
```bash
312
303
openssl req -new -key device.key -out device.csr
@@ -333,7 +324,7 @@ Check that the CSR is what you expect.
333
324
openssl req -text -in device.csr -noout
334
325
```
335
326
336
-
Send the CSR to the subordinate CA forsigning into the certificate hierarchy. Specify `client_ext`in the `-extensions` switch. Notice that the `Basic Constraints`in the issued certificate indicate that this certificate is not for a CA. If you are signing multiple certificates, be sure to update the serial number before generating each certificate by using the openssl `rand -hex 16 > db/serial` command.
327
+
Send the CSR to the subordinate CA forsigning into the certificate hierarchy. Specify `client_ext`in the `-extensions` switch. Notice that the `Basic Constraints`in the issued certificate indicate that this certificate isn't for a CA. If you're signing multiple certificates, be sure to update the serial number before generating each certificate by using the openssl `rand -hex 16 > db/serial` command.
337
328
338
329
```bash
339
330
openssl ca -config subca.conf -in device.csr -out device.crt -extensions client_ext
0 commit comments