You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/iot-dps/concepts-x509-attestation.md
+20-8Lines changed: 20 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -19,7 +19,7 @@ X.509 certificates can be stored in a hardware security module HSM.
19
19
> [!TIP]
20
20
> We strongly recommend using an HSM with devices to securely store secrets, like the X.509 certificate, on your devices in production.
21
21
22
-
## Provision devices with X.509 certificates
22
+
## Understand the X.509 certificate chain
23
23
24
24
Using X.509 certificates as an attestation mechanism is an excellent way to scale production and simplify device provisioning. X.509 certificates are typically arranged in a certificate chain of trust in which each certificate in the chain is signed by the private key of the next higher certificate, and so on, terminating in a self-signed root certificate. This arrangement establishes a delegated chain of trust from the root certificate generated by a trusted certificate authority (CA) down through each intermediate certificate to the final certificate installed on a device. To learn more, see [Device Authentication using X.509 CA Certificates](../iot-hub/iot-hub-x509ca-overview.md).
25
25
@@ -48,13 +48,7 @@ Imagine that Contoso is a large corporation with its own Public Key Infrastructu
48
48
49
49
A *leaf certificate*, or *end-entity certificate*, identifies a certificate holder. It has the root certificate in its certificate chain and zero or more intermediate certificates. A leaf certificate is not used to sign any other certificates. It uniquely identifies a device to the provisioning service and is sometimes referred to as a *device certificate*. During authentication, a device uses the private key associated with its certificate to respond to a proof of possession challenge from the service.
50
50
51
-
Leaf certificates used with [individual enrollment](./concepts-service.md#individual-enrollment) entries must have the subject common name (CN) set to the registration ID. The registration ID identifies the device registration with DPS and must be unique to the DPS instance (ID scope) where the device registers.
52
-
53
-
For [enrollment groups](./concepts-service.md#enrollment-group), the subject common name (CN) sets the device ID that is registered with IoT Hub. The device ID will be shown in the **Registration Records** for the authenticated device in the enrollment group. For individual enrollments, the device ID can be set in the enrollment entry. If it's not set in the enrollment entry, then the subject common name (CN) is used.
54
-
55
-
To learn more, see [Authenticate devices signed with X.509 CA certificates](../iot-hub/iot-hub-x509ca-overview.md#authenticate-devices-signed-with-x509-ca-certificates).
56
-
57
-
## Control device access with X.509 certificates
51
+
## Use X.509 certificates with DPS
58
52
59
53
The provisioning service exposes two enrollment types that you can use to control device access with the X.509 attestation mechanism:
60
54
@@ -67,6 +61,24 @@ A certificate can be specified in only one enrollment entry in your DPS instance
67
61
68
62
When DPS enrollments are configured for X.509 attestation, mutual TLS (mTLS) is supported by DPS.
69
63
64
+
### DPS encryption algorithm requirements
65
+
66
+
The Device Provisioning Service only accepts X.509 certificates that use either the Rivest-Shamir-Adleman (RSA) algorithm or the Elliptic Curve Cryptography (ECC) algorithm for encryption. ECC and RSA provide equivalent levels of encryption strength, but ECC uses a shorter key length.
67
+
68
+
If you use ECC methods to generate X.509 certificates for device attestation, we recommend the following elliptic curves:
69
+
70
+
* nistP256
71
+
* nistP284
72
+
* nistP521
73
+
74
+
### DPS certificate naming requirements
75
+
76
+
Leaf certificates used with [individual enrollment](./concepts-service.md#individual-enrollment) entries must have the subject common name (CN) set to the registration ID. The registration ID identifies the device registration with DPS and must be unique to the DPS instance (ID scope) where the device registers.
77
+
78
+
For [enrollment groups](./concepts-service.md#enrollment-group), the subject common name (CN) sets the device ID that is registered with IoT Hub. The device ID will be shown in the **Registration Records** for the authenticated device in the enrollment group. For individual enrollments, the device ID can be set in the enrollment entry. If it's not set in the enrollment entry, then the subject common name (CN) is used.
79
+
80
+
To learn more, see [Authenticate devices signed with X.509 CA certificates](../iot-hub/iot-hub-x509ca-overview.md#authenticate-devices-signed-with-x509-ca-certificates).
81
+
70
82
### DPS device chain requirements
71
83
72
84
When a device is attempting registration through DPS using an enrollment group, the device must send the certificate chain from the leaf certificate to a [verified certificate](how-to-verify-certificates.md). Otherwise, authentication fails.
0 commit comments