You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/iot-dps/concepts-x509-attestation.md
+10-9Lines changed: 10 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,16 +18,16 @@ X.509 certificates can be stored in a hardware security module HSM.
18
18
> [!TIP]
19
19
> We strongly recommend using an HSM with devices to securely store secrets, like the X.509 certificate, on your devices in production.
20
20
21
-
22
21
## X.509 certificates
23
22
24
23
Using X.509 certificates as an attestation mechanism is an excellent way to scale production and simplify device provisioning. X.509 certificates are typically arranged in a certificate chain of trust in which each certificate in the chain is signed by the private key of the next higher certificate, and so on, terminating in a self-signed root certificate. This arrangement establishes a delegated chain of trust from the root certificate generated by a trusted root certificate authority (CA) down through each intermediate CA to the end-entity "leaf" certificate installed on a device. To learn more, see [Device Authentication using X.509 CA Certificates](../iot-hub/iot-hub-x509ca-overview.md).
25
24
26
25
Often the certificate chain represents some logical or physical hierarchy associated with devices. For example, a manufacturer may:
26
+
27
27
- issue a self-signed root CA certificate
28
28
- use the root certificate to generate a unique intermediate CA certificate for each factory
29
29
- use each factory's certificate to generate a unique intermediate CA certificate for each production line in the plant
30
-
- and finally use the production line certificate, to generate a unique device (end-entity) certificate for each device manufactured on the line.
30
+
- and finally use the production line certificate, to generate a unique device (end-entity) certificate for each device manufactured on the line.
31
31
32
32
To learn more, see [Conceptual understanding of X.509 CA certificates in the IoT industry](../iot-hub/iot-hub-x509ca-concept.md).
33
33
@@ -39,12 +39,12 @@ A root certificate is a self-signed X.509 certificate representing a certificate
39
39
40
40
An intermediate certificate is an X.509 certificate, which has been signed by the root certificate (or by another intermediate certificate with the root certificate in its chain). The last intermediate certificate in a chain is used to sign the leaf certificate. An intermediate certificate can also be referred to as an intermediate CA certificate.
41
41
42
-
##### Why are intermediate certs useful?
42
+
#### Why are intermediate certs useful?
43
+
43
44
Intermediate certificates are used in a variety of ways. For example, intermediate certificates can be used to group devices by product lines, customers purchasing devices, company divisions, or factories.
44
45
45
46
Imagine that Contoso is a large corporation with its own Public Key Infrastructure (PKI) using the root certificate named *ContosoRootCert*. Each subsidiary of Contoso has their own intermediate certificate that is signed by *ContosoRootCert*. Each subsidiary will then use their intermediate certificate to sign their leaf certificates for each device. In this scenario, Contoso can use a single DPS instance where *ContosoRootCert* has been verified with [proof-of-possession](./how-to-verify-certificates.md). They can have an enrollment group for each subsidiary. This way each individual subsidiary will not have to worry about verifying certificates.
46
47
47
-
48
48
### End-entity "leaf" certificate
49
49
50
50
The leaf certificate, or end-entity certificate, identifies the certificate holder. It has the root certificate in its certificate chain as well as zero or more intermediate certificates. The leaf certificate is not used to sign any other certificates. It uniquely identifies the device to the provisioning service and is sometimes referred to as the device certificate. During authentication, the device uses the private key associated with this certificate to respond to a proof of possession challenge from the service.
@@ -62,7 +62,11 @@ The provisioning service exposes two enrollment types that you can use to contro
62
62
-[Individual enrollment](./concepts-service.md#individual-enrollment) entries are configured with the device certificate associated with a specific device. These entries control enrollments for specific devices.
63
63
-[Enrollment group](./concepts-service.md#enrollment-group) entries are associated with a specific intermediate or root CA certificate. These entries control enrollments for all devices that have that intermediate or root certificate in their certificate chain.
64
64
65
-
#### DPS device chain requirements
65
+
### Mutual TLS support
66
+
67
+
When DPS enrollments are configured for X.509 attestation, mutual TLS (mTLS) is supported by DPS.
68
+
69
+
### DPS device chain requirements
66
70
67
71
When a device is attempting registration through DPS using an enrollment group, the device must send the certificate chain from the leaf certificate to a certificate verified with [proof-of-possession](how-to-verify-certificates.md). Otherwise, authentication will fail.
68
72
@@ -84,14 +88,11 @@ If the device sends the full device chain as follows during provisioning, then D
> Intermediate certificates can also be verified with [proof-of-possession](how-to-verify-certificates.md)..
92
93
94
+
### DPS order of operations with certificates
93
95
94
-
#### DPS order of operations with certificates
95
96
When a device connects to the provisioning service, the service prioritizes more specific enrollment entries over less specific enrollment entries. That is, if an individual enrollment for the device exists, the provisioning service applies that entry. If there is no individual enrollment for the device and an enrollment group for the first intermediate certificate in the device's certificate chain exists, the service applies that entry, and so on, down the chain to the root. The service applies the first applicable entry that it finds, such that:
96
97
97
98
- If the first enrollment entry found is enabled, the service provisions the device.
Copy file name to clipboardExpand all lines: articles/iot-dps/tls-support.md
+6-4Lines changed: 6 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,8 @@
13
13
14
14
DPS uses [Transport Layer Security (TLS)](http://wikipedia.org/wiki/Transport_Layer_Security) to secure connections from IoT devices.
15
15
16
-
Current TLS protocol versions supported by DPS are:
16
+
Current TLS protocol versions supported by DPS are:
17
+
17
18
* TLS 1.2
18
19
19
20
## Restrict connections to TLS 1.2
@@ -57,7 +58,6 @@ The DPS resource created using this configuration will refuse devices that attem
57
58
> [!NOTE]
58
59
> The `minTlsVersion` property is read-only and cannot be changed once your DPS resource is created. It is therefore essential that you properly test and validate that *all* your IoT devices are compatible with TLS 1.2 and the [recommended ciphers](#recommended-ciphers) in advance.
59
60
60
-
61
61
> [!NOTE]
62
62
> Upon failovers, the `minTlsVersion` property of your DPS will remain effective in the geo-paired region post-failover.
63
63
@@ -70,8 +70,7 @@ DPS instances that are configured to accept only TLS 1.2 will also enforce the u
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments