You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/iot-hub/iot-hub-tls-support.md
+22-7Lines changed: 22 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@
5
5
author: kgremban
6
6
ms.service: iot-hub
7
7
ms.topic: conceptual
8
-
ms.date: 06/29/2021
8
+
ms.date: 01/05/2024
9
9
ms.author: kgremban
10
10
---
11
11
@@ -17,20 +17,35 @@ TLS 1.0 and 1.1 are considered legacy and are planned for deprecation. For more
17
17
18
18
## IoT Hub's server TLS certificate
19
19
20
-
During a TLS handshake, IoT Hub presents RSA-keyed server certificates to connecting clients. Its' root is the Baltimore Cybertrust Root CA. Because the Baltimore root is at end-of-life, we'll be migrating to a new root called DigiCert Global G2. This change will impact all devices currently connecting to IoT Hub. To prepare for this migration and for all other details, see [IoT TLS certificate update](https://aka.ms/iot-ca-updates).
20
+
During a TLS handshake, IoT Hub presents RSA-keyed server certificates to connecting clients.In the past, the certificates were all rooted from the Baltimore Cybertrust Root CA. Because the Baltimore root is at end-of-life, we are in the process of migrating to a new root called DigiCert Global G2. This migration impacts all devices currently connecting to IoT Hub. For more information, see [IoT TLS certificate update](https://aka.ms/iot-ca-updates).
21
+
22
+
Although root CA migrations are rare, for resilience in the modern security landscape you should prepare your IoT scenario for the unlikely event that a root CA is compromised or an emergency root CA migration is necessary. We strongly recommend that all devices trust the following three root CAs:
23
+
24
+
* Baltimore CyberTrust root CA
25
+
* DigiCert Global G2 root CA
26
+
* Microsoft RSA root CA 2017
27
+
28
+
For links to download these certificates, see [Azure Certificate Authority details](../security/fundamentals/azure-CA-details.md).
21
29
22
30
### Elliptic Curve Cryptography (ECC) server TLS certificate (preview)
23
31
24
-
IoT Hub ECC server TLS certificate is available for public preview. While offering similar security to RSA certificates, ECC certificate validation (with ECC-only cipher suites) uses up to 40% less compute, memory, and bandwidth. These savings are important for IoT devices because of their smaller profiles and memory, and to support use cases in network bandwidth limited environments. The ECC server certificate's root is DigiCert Global Root G3.
32
+
IoT Hub ECC server TLS certificate is available for public preview. While offering similar security to RSA certificates, ECC certificate validation (with ECC-only cipher suites) uses up to 40% less compute, memory, and bandwidth. These savings are important for IoT devices because of their smaller profiles and memory, and to support use cases in network bandwidth limited environments.
33
+
34
+
We strongly recommend that all devices using ECC trust the following two root CAs:
35
+
36
+
* DigiCert Global G3 root CA
37
+
* Microsoft RSA root CA 2017
38
+
39
+
For links to download these certificates, see [Azure Certificate Authority details](../security/fundamentals/azure-CA-details.md).
25
40
26
41
To preview IoT Hub's ECC server certificate:
27
42
28
43
1.[Create a new IoT hub with preview mode on](iot-hub-preview-mode.md).
29
44
1.[Configure your client](#tls-configuration-for-sdk-and-iot-edge) to include *only* ECDSA cipher suites and *exclude* any RSA ones. These are the supported cipher suites for the ECC certificate public preview:
30
-
-`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
31
-
-`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
32
-
-`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
33
-
-`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
45
+
*`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
46
+
*`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
47
+
*`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
48
+
*`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`
34
49
1. Connect your client to the preview IoT hub.
35
50
36
51
## TLS 1.2 enforcement available in select regions
Copy file name to clipboardExpand all lines: articles/iot-hub/migrate-tls-certificate.md
+6-4Lines changed: 6 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ author: kgremban
7
7
ms.author: kgremban
8
8
ms.service: iot-hub
9
9
ms.topic: how-to
10
-
ms.date: 11/03/2023
10
+
ms.date: 01/05/2024
11
11
---
12
12
13
13
# Migrate IoT Hub resources to a new TLS certificate root
@@ -25,7 +25,7 @@ You should start planning now for the effects of migrating your IoT hubs to the
25
25
26
26
The IoT Hub team began migrating IoT hubs in February, 2023 and the migration is complete except for hubs that have already been approved for a later migration. If your IoT hub is found to be using the Baltimore certificate without an agreement in place with the product team, your hub will be migrated without any further notice.
27
27
28
-
After all IoT hubs have migrated, DPS will perform its migration between January 15 and February 15, 2024.
28
+
After all IoT hubs have migrated, DPS will perform its migration between January 15 and September 30, 2024.
29
29
30
30
For each IoT hub with an extension agreement in place, you can expect the following:
31
31
@@ -45,6 +45,8 @@ To prepare for the migration, take the following steps:
45
45
46
46
It's important to have all three certificates on your devices until the IoT Hub and DPS migrations are complete. Keeping the Baltimore CyberTrust Root ensures that your devices will stay connected until the migration, and adding the DigiCert Global Root G2 ensures that your devices will seamlessly switch over and reconnect after the migration. The Microsoft RSA Root Certificate Authority 2017 helps prevent future disruptions in case the DigiCert Global Root G2 is retired unexpectedly.
47
47
48
+
For more information about IoT Hub's recommended certificate practices, see [TLS support](./iot-hub-tls-support.md).
49
+
48
50
2. Make sure that you aren't pinning any intermediate or leaf certificates, and are using the public roots to perform TLS server validation.
49
51
50
52
IoT Hub and DPS occasionally roll over their intermediate certificate authority (CA). In these instances, your devices will lose connectivity if they explicitly look for an intermediate CA or leaf certificate. However, devices that perform validation using the public roots will continue to connect regardless of any changes to the intermediate CA.
@@ -59,9 +61,9 @@ To know whether an IoT hub has been migrated or not, check the active certificat
59
61
60
62
1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.
61
63
62
-
1. Select **Certificates** in the **Security settings** section of the navigation menu.
64
+
1. Select **Export template** in the **Automation** section of the navigation menu.
63
65
64
-
1.If the **Certificate root** is listed as Baltimore CyberTrust, then the hub has not been migrated yet. If it is listed as DigiCert Global G2, then the migration is complete.
66
+
1.Wait for the template to generate, then navigate to the **resources.properties.features** property in the JSON template. If **RootCertificateV2** is listed as a feature, then your hub has been migrated to DigiCert Global G2.
0 commit comments