Merge pull request #223367 from PatAltimore/patricka-cert-perms

Add certificate owner and permission requirements

Author: prmerger-automator[bot]

articles/iot-edge/how-to-connect-downstream-device.md

@@ -1,10 +1,10 @@
 ---
-title: Connect downstream devices - Azure IoT Edge | Microsoft Docs
+title: Connect a downstream device to an Azure IoT Edge gateway
 description: How to configure downstream devices to connect to Azure IoT Edge gateway devices. 
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 06/02/2022
+ms.date: 01/09/2023
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge

articles/iot-edge/how-to-connect-downstream-iot-edge-device.md

@@ -4,7 +4,7 @@ description: Step by step adaptable manual instructions on how to create a hiera
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 10/5/2022
+ms.date: 01/17/2023
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -140,26 +140,99 @@ To configure your parent device, open a local or remote command shell.
 
 To enable secure connections, every IoT Edge parent device in a gateway scenario needs to be configured with a unique device CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
 
-01. Transfer the **root CA certificate**, **parent device CA certificate**, and **parent private key** to the parent device. The examples in this article use the preferred directory `/var/aziot` for the certificates and keys.
+01. Check your certificates meet the [format requirements](how-to-manage-device-certificates.md#format-requirements).
 
-01. Install the **root CA certificate** on the parent IoT Edge device. First, copy the root certificate into the certificate directory and add `.crt` to the end of the file name. Next, update the certificate store on the device using the platform-specific command.
+01. Transfer the **root CA certificate**, **parent device CA certificate**, and **parent private key** to the parent device. 
 
-    **Debian or Ubuntu:**
+01. Copy the certificates and keys to the correct directories. The preferred directories for device certificates are `/var/aziot/certs` for the certificates and `/var/aziot/secrets` for keys.
 
     ```bash
-    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
+    ### Copy device certificate ###
 
-    sudo update-ca-certificates
+    # If the device certificate and keys directories don't exist, create, set ownership, and set permissions
+    sudo mkdir -p /var/aziot/certs
+    sudo chown aziotcs:aziotcs /var/aziot/certs
+    sudo chmod 755 /var/aziot/certs
+
+    sudo mkdir -p /var/aziot/secrets
+    sudo chown aziotks:aziotks /var/aziot/secrets
+    sudo chmod 700 /var/aziot/secrets
+
+    # Copy full-chain device certificate and private key into the correct directory
+    sudo cp iot-edge-device-ca-gateway-full-chain.cert.pem /var/aziot/certs
+    sudo cp iot-edge-device-ca-gateway.key.pem /var/aziot/secrets
+
+    ### Root certificate ###
+
+    # Copy root certificate into the /certs directory
+    sudo cp azure-iot-test-only.root.ca.cert.pem /var/aziot/certs
+
+    # Copy root certificate into the CA certificate directory and add .crt extension.
+    # The root certificate must be in the CA certificate directory to install it in the certificate store.
+    # Use the appropriate copy command for your device OS or if using EFLOW.
+
+    # For Ubuntu and Debian, use /usr/local/share/ca-certificates/
+    sudo cp azure-iot-test-only.root.ca.cert.pem /usr/local/share/azure-iot-test-only.root.ca.cert.pem.crt
+    # For EFLOW, use /etc/pki/ca-trust/source/anchors/
+    sudo cp azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.pem.crt
     ```
 
-    **IoT Edge for Linux on Windows (EFLOW):**
+01. Change the ownership and permissions of the certificates and keys.
 
     ```bash
-    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt
+    # Give aziotcs ownership to certificates
+    # Read and write for aziotcs, read-only for others
+    sudo chown -R aziotcs:aziotcs /var/aziot/certs
+    sudo find /var/aziot/certs -type f -name "*.*" -exec chmod 644 {} \;
+
+    # Give aziotks ownership to private keys
+    # Read and write for aziotks, no permission for others
+    sudo chown -R aziotks:aziotks /var/aziot/secrets
+    sudo find /var/aziot/secrets -type f -name "*.*" -exec chmod 600 {} \;
+
+    # Verify permissions of directories and files
+    sudo ls -Rla /var/aziot
+    ```
 
+    The output of list with correct ownership and permission is similar to the following:
+
+    ```Output
+    azureUser@vm-h2hnm5j5uxk2a:/var/aziot$ sudo ls -Rla /var/aziot
+    /var/aziot:
+    total 16
+    drwxr-xr-x  4 root    root    4096 Dec 14 00:16 .
+    drwxr-xr-x 15 root    root    4096 Dec 14 00:15 ..
+    drw-r--r--  2 aziotcs aziotcs 4096 Jan 14 00:31 certs
+    drwx------  2 aziotks aziotks 4096 Jan 14 00:35 secrets
+    
+    /var/aziot/certs:
+    total 20
+    drw-r--r-- 2 aziotcs aziotcs 4096 Jan 14 00:31 .
+    drwxr-xr-x 4 root    root    4096 Dec 14 00:16 ..
+    -rw-r--r-- 1 aziotcs aziotcs 1984 Jan 14 00:24 azure-iot-test-only.root.ca.cert.pem
+    -rw-r--r-- 1 aziotcs aziotcs 5887 Jan 14 00:27 iot-edge-device-ca-gateway-full-chain.cert.pem
+    
+    /var/aziot/secrets:
+    total 20
+    drwx------ 2 aziotks aziotks 4096 Jan 14 00:35 .
+    drwxr-xr-x 4 root    root    4096 Dec 14 00:16 ..
+    -rw------- 1 aziotks aziotks 3326 Jan 14 00:29 azure-iot-test-only.root.ca.key.pem
+    -rw------- 1 aziotks aziotks 3243 Jan 14 00:28 iot-edge-device-ca-gateway.key.pem
+    ```
+    
+
+01. Install the **root CA certificate** on the parent IoT Edge device by updating the certificate store on the device using the platform-specific command.
+
+    ```bash
+    # Update the certificate store
+
+    # For Ubuntu and Debian, use update-ca-certificates command
+    sudo update-ca-certificates
+    # For EFLOW, use update-ca-trust
     sudo update-ca-trust
     ```
-    For more information about using `update-ca-trust`, see [CBL-Mariner SSL CA certificates management](https://github.com/microsoft/CBL-Mariner/blob/1.0/toolkit/docs/security/ca-certificates.md).
+
+    For more information about using `update-ca-trust` in EFLOW, see [CBL-Mariner SSL CA certificates management](https://github.com/microsoft/CBL-Mariner/blob/1.0/toolkit/docs/security/ca-certificates.md).
 
 The command reports one certificate was added to `/etc/ssl/certs`.
 
@@ -319,26 +392,69 @@ To configure your downstream device, open a local or remote command shell.
 
 To enable secure connections, every IoT Edge downstream device in a gateway scenario needs to be configured with a unique device CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
 
-01. Transfer the **root CA certificate**, **child device CA certificate**, and **child private key** to the downstream device. The examples in this article use the directory `/var/aziot` for the certificates and keys directory.
+01. Check your certificates meet the [format requirements](how-to-manage-device-certificates.md#format-requirements).
 
-01. Install the **root CA certificate** on the downstream IoT Edge device. First, copy the root certificate into the certificate directory and add `.crt` to the end of the file name. Next, update the certificate store on the device using the platform-specific command.
+01. Transfer the **root CA certificate**, **child device CA certificate**, and **child private key** to the downstream device. 
 
-    **Debian or Ubuntu:**
+01. Copy the certificates and keys to the correct directories. The preferred directories for device certificates are `/var/aziot/certs` for the certificates and `/var/aziot/secrets` for keys.
 
     ```bash
-    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
+    ### Copy device certificate ###
 
-    sudo update-ca-certificates
+    # If the device certificate and keys directories don't exist, create, set ownership, and set permissions
+    sudo mkdir -p /var/aziot/certs
+    sudo chown aziotcs:aziotcs /var/aziot/certs
+    sudo chmod 755 /var/aziot/certs
+
+    sudo mkdir -p /var/aziot/secrets
+    sudo chown aziotks:aziotks /var/aziot/secrets
+    sudo chmod 700 /var/aziot/secrets
+
+    # Copy device full-chain certificate and private key into the correct directory
+    sudo cp iot-device-downstream-full-chain.cert.pem /var/aziot/certs
+    sudo cp iot-device-downstream.key.pem /var/aziot/secrets
+
+    ### Root certificate ###
+
+    # Copy root certificate into the /certs directory
+    sudo cp azure-iot-test-only.root.ca.cert.pem /var/aziot/certs
+
+    # Copy root certificate into the CA certificate directory and add .crt extension.
+    # The root certificate must be in the CA certificate directory to install it in the certificate store.
+    # Use the appropriate copy command for your device OS or if using EFLOW.
+
+    # For Ubuntu and Debian, use /usr/local/share/ca-certificates/
+    sudo cp azure-iot-test-only.root.ca.cert.pem /usr/local/share/azure-iot-test-only.root.ca.cert.pem.crt
+    # For EFLOW, use /etc/pki/ca-trust/source/anchors/
+    sudo cp azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.pem.crt
     ```
 
-    **IoT Edge for Linux on Windows (EFLOW):**
+01. Change the ownership and permissions of the certificates and keys.
 
     ```bash
-    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt
+    # Give aziotcs ownership to certificates
+    # Read and write for aziotcs, read-only for others
+    sudo chown -R aziotcs:aziotcs /var/aziot/certs
+    sudo find /var/aziot/certs -type f -name "*.*" -exec chmod 644 {} \;
+
+    # Give aziotks ownership to private keys
+    # Read and write for aziotks, no permission for others
+    sudo chown -R aziotks:aziotks /var/aziot/secrets
+    sudo find /var/aziot/secrets -type f -name "*.*" -exec chmod 600 {} \;
+    ```
 
+01. Install the **root CA certificate** on the downstream IoT Edge device by updating the certificate store on the device using the platform-specific command.
+
+    ```bash
+    # Update the certificate store
+
+    # For Ubuntu and Debian, use update-ca-certificates command
+    sudo update-ca-certificates
+    # For EFLOW, use update-ca-trust
     sudo update-ca-trust
     ```
-    For more information about using `update-ca-trust`, see [CBL-Mariner SSL CA certificates management](https://github.com/microsoft/CBL-Mariner/blob/1.0/toolkit/docs/security/ca-certificates.md).
+
+    For more information about using `update-ca-trust` in EFLOW, see [CBL-Mariner SSL CA certificates management](https://github.com/microsoft/CBL-Mariner/blob/1.0/toolkit/docs/security/ca-certificates.md).
 
 The command reports one certificate was added to `/etc/ssl/certs`.
 
@@ -390,8 +506,8 @@ You should already have IoT Edge installed on your device. If not, follow the st
 
     ```toml
     [edge_ca]
-    cert = "file:///var/aziot/certs/iot-edge-device-ca-downstream-full-chain.cert.pem"
-    pk = "file:///var/aziot/secrets/iot-edge-device-ca-downstream.key.pem"
+    cert = "file:///var/aziot/certs/iot-device-downstream-full-chain.cert.pem"
+    pk = "file:///var/aziot/secrets/iot-device-downstream.key.pem"
     ```
 
 01. Verify your IoT Edge device uses the correct version of the IoT Edge agent when it starts. Find the **Default Edge Agent** section and set the image value for IoT Edge to version 1.4. For example:
@@ -408,8 +524,8 @@ You should already have IoT Edge installed on your device. If not, follow the st
     trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"
     
     [edge_ca]
-    cert = "file:///var/aziot/certs/iot-edge-device-ca-downstream-full-chain.cert.pem"
-    pk = "file:///var/aziot/secrets/iot-edge-device-ca-downstream.key.pem"
+    cert = "file:///var/aziot/certs/iot-device-downstream-full-chain.cert.pem"
+    pk = "file:///var/aziot/secrets/iot-device-downstream.key.pem"
     ```
 
 01. Save and close the `config.toml` configuration file. For example if you're using the **nano** editor, select **Ctrl+O** - *Write Out*, **Enter**, and **Ctrl+X** - *Exit*.
@@ -455,7 +571,6 @@ You should already have IoT Edge installed on your device. If not, follow the st
 
     ```Output
     azureUser@child-vm:~$ openssl s_client -connect <parent hostname>:8883 </dev/null 2>&1 >/dev/null
-
     Can't use SSL_get_servername
     depth=3 CN = Azure_IoT_Hub_CA_Cert_Test_Only
     verify return:1
@@ -475,7 +590,7 @@ You should already have IoT Edge installed on your device. If not, follow the st
     If the command times out, there may be blocked ports between the child and parent devices. Review the network configuration and settings for the devices.
 
     > [!WARNING]
-    > A previous version of this document directed users to copy the `iot-edge-device-ca-gateway.cert.pem` certificate for use in the gateway `[edge_ca]` section. This was incorrect, and results in certificate validation errors from the downstream device. For example, the `openssl s_client ...` command above will produce:
+    > Not using a full-chain certificate in the gateway's `[edge_ca]` section results in certificate validation errors from the downstream device. For example, the `openssl s_client ...` command above will produce:
     >
     > ```
     > Can't use SSL_get_servername
@@ -487,7 +602,7 @@ You should already have IoT Edge installed on your device. If not, follow the st
     > DONE
     > ```
     >
-    > The same issue will appear for TLS-enabled devices connecting to the downstream Edge device if `iot-edge-device-ca-downstream.cert.pem` is copied to the device instead of `iot-edge-device-ca-downstream-full-chain.cert.pem`.
+    > The same issue occurs for TLS-enabled devices that connect to the downstream IoT Edge device if the full-chain device certificate isn't used and configured on the downstream device.
 
 ## Network isolate downstream devices
 

articles/iot-edge/how-to-create-transparent-gateway.md

@@ -1,10 +1,10 @@
 ---
-title: Create transparent gateway device - Azure IoT Edge | Microsoft Docs
+title: Create transparent gateway device using Azure IoT Edge
 description: Use an Azure IoT Edge device as a transparent gateway that can process information from downstream devices
 author: PatAltimore
 
 ms.author: patricka
-ms.date: 11/1/2022
+ms.date: 01/17/2022
 ms.topic: conceptual
 ms.service: iot-edge
 services: iot-edge
@@ -114,20 +114,41 @@ If you don't have your own certificate authority and want to use demo certificat
 
 # [IoT Edge](#tab/iotedge)
 
+1. Check the certificate meets [format requirements](how-to-manage-device-certificates.md#format-requirements).
 1. If you created the certificates on a different machine, copy them over to your IoT Edge device. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/).
 1. Move the files to the preferred directory for certificates and keys. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
-1. Change the ownership and permissions of the certificates and keys.
+1. Create the certificates and keys directories and set permissions. You should store your certificates and keys to the preferred `/var/aziot` directory. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
 
    ```bash
+   # If the certificate and keys directories don't exist, create, set ownership, and set permissions
+   sudo mkdir -p /var/aziot/certs
    sudo chown aziotcs:aziotcs /var/aziot/certs
-   sudo chown -R iotedge /var/aziot/certs
-   sudo chmod 644 /var/aziot/secrets/
+   sudo chmod 755 /var/aziot/certs
+
+   sudo mkdir -p /var/aziot/secrets
+   sudo chown aziotks:aziotks /var/aziot/secrets
+   sudo chmod 700 /var/aziot/secrets
+   ```
+1. Change the ownership and permissions of the certificates and keys.
+
+   ```bash
+   # Give aziotcs ownership to certificates
+   # Read and write for aziotcs, read-only for others
+   sudo chown -R aziotcs:aziotcs /var/aziot/certs
+   sudo find /var/aziot/certs -type f -name "*.*" -exec chmod 644 {} \;
+
+   # Give aziotks ownership to private keys
+   # Read and write for aziotks, no permission for others
+   sudo chown -R aziotks:aziotks /var/aziot/secrets
+    sudo find /var/aziot/secrets -type f -name "*.*" -exec chmod 600 {} \;
    ```
 
 # [IoT Edge for Linux on Windows](#tab/eflow)
 
 Now, you need to copy the certificates to the Azure IoT Edge for Linux on Windows virtual machine.
 
+1. Check the certificate meets [format requirements](how-to-manage-device-certificates.md#format-requirements).
+
 1. Copy the certificates to the EFLOW virtual machine to a directory where you have write access. For example, the `/home/iotedge-user` home directory.
 
    ```powershell
@@ -146,27 +167,42 @@ Now, you need to copy the certificates to the Azure IoT Edge for Linux on Window
    Connect-EflowVm
    ```
 
-1. Create the certificates directory. You should store your certificates and keys to the preferred `/var/aziot` directory. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
+1. Create the certificates and keys directories and set permissions. You should store your certificates and keys to the preferred `/var/aziot` directory. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
 
    ```bash
+   # If the certificate and keys directories don't exist, create, set ownership, and set permissions
    sudo mkdir -p /var/aziot/certs
+   sudo chown aziotcs:aziotcs /var/aziot/certs
+   sudo chmod 755 /var/aziot/certs
+
    sudo mkdir -p /var/aziot/secrets
+   sudo chown aziotks:aziotks /var/aziot/secrets
+   sudo chmod 700 /var/aziot/secrets
    ```
 
 1. Move the certificates and keys to the preferred `/var/aziot` directory.
 
    ```bash
    # Move the IoT Edge device CA certificate and key to preferred location
+   sudo mv ~/azure-iot-test-only.root.ca.cert.pem /var/aziot/certs
    sudo mv ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem /var/aziot/certs
    sudo mv ~/iot-edge-device-ca-<cert name>.key.pem /var/aziot/secrets
-   sudo mv ~/azure-iot-test-only.root.ca.cert.pem /var/aziot/certs
    ```
 
 1. Change the ownership and permissions of the certificates and keys.
 
    ```bash
-   sudo chown -R iotedge /var/aziot/certs
-   sudo chmod 644 /var/aziot/secrets/iot-edge-device-ca-<cert name>.key.pem
+   # Give aziotcs ownership to certificate
+   # Read and write for aziotcs, read-only for others
+   sudo chown aziotcs:aziotcs /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem
+   sudo chown aziotcs:aziotcs /var/aziot/certs/iot-edge-device-ca-<cert name>-full-chain.cert.pem
+   sudo chmod 644 /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem
+   sudo chmod 644 /var/aziot/certs/iot-edge-device-ca-<cert name>-full-chain.cert.pem
+
+   # Give aziotks ownership to private key
+   # Read and write for aziotks, no permission for others
+   sudo chown aziotks:aziotks /var/aziot/secrets/iot-edge-device-ca-<cert name>.key.pem
+   sudo chmod 600 /var/aziot/secrets/iot-edge-device-ca-<cert name>.key.pem
    ```
 
 1. Exit the EFLOW VM connection.
@@ -239,7 +275,7 @@ Downstream devices send telemetry and messages to the gateway device, where the
 
 * The IoT Edge hub module is deployed to the device.
 
-  When you first install IoT Edge on a device, only one system module starts automatically: the IoT Edge agent. Once you create the first deployment for a device, the second system module, the IoT Edge hub, starts as well. If the **edgeHub** module isn't running on your device, create a deployment for your device.
+  When you first install IoT Edge on a device, only one system module starts automatically: the IoT Edge agent. Once you create the first deployment for a device, the second system module and the IoT Edge hub start as well. If the **edgeHub** module isn't running on your device, create a deployment for your device.
 
 * The IoT Edge hub module has routes set up to handle incoming messages from downstream devices.