Merge pull request #216780 from PatAltimore/patricka-cert-path

prmerger-automator[bot] · web-flow · commit f8e4d554d42f · 2022-11-07T20:36:34.000Z
Change cert directory
diff --git a/articles/iot-edge/how-to-connect-downstream-iot-edge-device.md b/articles/iot-edge/how-to-connect-downstream-iot-edge-device.md
@@ -130,7 +130,7 @@ For example, the following commands create a root CA certificate, a parent devic
 
     For more information about creating test certificates, see [create demo certificates to test IoT Edge device features](how-to-create-test-certificates.md). 
 
-01. You'll need to transfer the certificates and keys to each device. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/). Choose one of these methods that best matches your scenario.
+01. You'll need to transfer the certificates and keys to each device. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/). Choose one of these methods that best matches your scenario. Copy the files to the preferred directory for certificates and keys. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
 
 For more information on installing certificates on a device, see [Manage certificates on an IoT Edge device](how-to-manage-device-certificates.md).
 
@@ -140,22 +140,22 @@ To configure your parent device, open a local or remote command shell.
 
 To enable secure connections, every IoT Edge parent device in a gateway scenario needs to be configured with a unique device CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
 
-01. Transfer the **root CA certificate**, **parent device CA certificate**, and **parent private key** to the parent device. The examples in this article use the directory `/var/secrets` for the certificates and keys directory.
+01. Transfer the **root CA certificate**, **parent device CA certificate**, and **parent private key** to the parent device. The examples in this article use the preferred directory `/var/aziot` for the certificates and keys.
 
 01. Install the **root CA certificate** on the parent IoT Edge device. First, copy the root certificate into the certificate directory and add `.crt` to the end of the file name. Next, update the certificate store on the device using the platform-specific command.
 
     **Debian or Ubuntu:**
 
     ```bash
-    sudo cp /var/secrets/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
+    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
 
     sudo update-ca-certificates
     ```
 
     **IoT Edge for Linux on Windows (EFLOW):**
 
     ```bash
-    sudo cp /var/secrets/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt
+    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt
 
     sudo update-ca-trust
     ```
@@ -216,15 +216,15 @@ You should already have IoT Edge installed on your device. If not, follow the st
     device. For example:
 
     ```toml
-    trust_bundle_cert = "file:///var/secrets/azure-iot-test-only.root.ca.cert.pem"
+    trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"
     ```
 
 01. Find or add the **Edge CA certificate** section in the config file. Update the certificate `cert` and private key `pk` parameters with the file URI paths for the certificate and key files on the parent IoT Edge device. IoT Edge requires the certificate and private key to be in text-based privacy-enhanced mail (PEM) format. For example:
 
     ```toml
     [edge_ca]
-    cert = "file:///var/secrets/iot-edge-device-ca-gateway.cert.pem"
-    pk = "file:///var/secrets/iot-edge-device-ca-gateway.key.pem"
+    cert = "file:///var/aziot/certs/iot-edge-device-ca-gateway.cert.pem"
+    pk = "file:///var/aziot/secrets/iot-edge-device-ca-gateway.key.pem"
     ```
 
 01. Verify your IoT Edge device uses the correct version of the IoT Edge agent when it starts. Find the **Default Edge Agent** section and set the image value for IoT Edge to version 1.4. For example:
@@ -238,11 +238,11 @@ You should already have IoT Edge installed on your device. If not, follow the st
 
     ```toml
     hostname = "10.0.0.4"
-    trust_bundle_cert = "file:///var/secrets/azure-iot-test-only.root.ca.cert.pem"
+    trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"
     
     [edge_ca]
-    cert = "file:///var/secrets/iot-edge-device-ca-gateway.cert.pem"
-    pk = "file:///var/secrets/iot-edge-device-ca-gateway.key.pem"
+    cert = "file:///var/aziot/certs/iot-edge-device-ca-gateway.cert.pem"
+    pk = "file:///var/aziot/secrets/iot-edge-device-ca-gateway.key.pem"
     ```
 
 01. Save and close the `config.toml` configuration file. For example if you're using the **nano** editor, select **Ctrl+O** - *Write Out*, **Enter**, and **Ctrl+X** - *Exit*.
@@ -319,22 +319,22 @@ To configure your child device, open a local or remote command shell.
 
 To enable secure connections, every IoT Edge child device in a gateway scenario needs to be configured with a unique device CA certificate and a copy of the root CA certificate shared by all devices in the gateway hierarchy. 
 
-01. Transfer the **root CA certificate**, **child device CA certificate**, and **child private key** to the child device. The examples in this article use the directory `/var/secrets` for the certificates and keys directory.
+01. Transfer the **root CA certificate**, **child device CA certificate**, and **child private key** to the child device. The examples in this article use the directory `/var/aziot` for the certificates and keys directory.
 
 01. Install the **root CA certificate** on the child IoT Edge device. First, copy the root certificate into the certificate directory and add `.crt` to the end of the file name. Next, update the certificate store on the device using the platform-specific command.
 
     **Debian or Ubuntu:**
 
     ```bash
-    sudo cp /var/secrets/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
+    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
 
     sudo update-ca-certificates
     ```
 
     **IoT Edge for Linux on Windows (EFLOW):**
 
     ```bash
-    sudo cp /var/secrets/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt
+    sudo cp /var/aziot/certs/azure-iot-test-only.root.ca.cert.pem /etc/pki/ca-trust/source/anchors/azure-iot-test-only.root.ca.cert.pem.crt
 
     sudo update-ca-trust
     ```
@@ -383,15 +383,15 @@ You should already have IoT Edge installed on your device. If not, follow the st
     device. For example:
 
     ```toml
-    trust_bundle_cert = "file:///var/secrets/azure-iot-test-only.root.ca.cert.pem"
+    trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"
     ```
 
 01. Find or add the **Edge CA certificate** section in the configuration file. Update the certificate `cert` and private key `pk` parameters with the file URI paths for the certificate and key files on the IoT Edge child device. IoT Edge requires the certificate and private key to be in text-based privacy-enhanced mail (PEM) format. For example:
 
     ```toml
     [edge_ca]
-    cert = "file:///var/secrets/iot-edge-device-ca-downstream.cert.pem"
-    pk = "file:///var/secrets/iot-edge-device-ca-downstream.key.pem"
+    cert = "file:///var/aziot/certs/iot-edge-device-ca-downstream.cert.pem"
+    pk = "file:///var/aziot/secrets/iot-edge-device-ca-downstream.key.pem"
     ```
 
 01. Verify your IoT Edge device uses the correct version of the IoT Edge agent when it starts. Find the **Default Edge Agent** section and set the image value for IoT Edge to version 1.4. For example:
@@ -405,11 +405,11 @@ You should already have IoT Edge installed on your device. If not, follow the st
 
     ```toml
     parent_hostname = "10.0.0.4"
-    trust_bundle_cert = "file:///var/secrets/azure-iot-test-only.root.ca.cert.pem"
+    trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"
     
     [edge_ca]
-    cert = "file:///var/secrets/iot-edge-device-ca-downstream.cert.pem"
-    pk = "file:///var/secrets/iot-edge-device-ca-downstream.key.pem"
+    cert = "file:///var/aziot/certs/iot-edge-device-ca-downstream.cert.pem"
+    pk = "file:///var/aziot/secrets/iot-edge-device-ca-downstream.key.pem"
     ```
 
 01. Save and close the `config.toml` configuration file. For example if you're using the **nano** editor, select **Ctrl+O** - *Write Out*, **Enter**, and **Ctrl+X** - *Exit*.
diff --git a/articles/iot-edge/how-to-create-transparent-gateway.md b/articles/iot-edge/how-to-create-transparent-gateway.md
@@ -114,12 +114,30 @@ If you don't have your own certificate authority and want to use demo certificat
 
 # [IoT Edge](#tab/iotedge)
 
-If you created the certificates on a different machine, copy them over to your IoT Edge device then proceed with the next steps. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/). Choose one of these methods that best matches your scenario.
+1. If you created the certificates on a different machine, copy them over to your IoT Edge device. You can use a USB drive, a service like [Azure Key Vault](../key-vault/general/overview.md), or with a function like [Secure file copy](https://www.ssh.com/ssh/scp/).
+1. Move the files to the preferred directory for certificates and keys. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
+1. Change the ownership and permissions of the certificates and keys.
+
+   ```bash
+   sudo chown aziotcs:aziotcs /var/aziot/certs
+   sudo chown -R iotedge /var/aziot/certs
+   sudo chmod 644 /var/aziot/secrets/
+   ```
 
 # [IoT Edge for Linux on Windows](#tab/eflow)
 
 Now, you need to copy the certificates to the Azure IoT Edge for Linux on Windows virtual machine.
 
+1. Copy the certificates to the EFLOW virtual machine to a directory where you have write access. For example, the `/home/iotedge-user` home directory.
+
+   ```powershell
+   # Copy the IoT Edge device CA certificate and key
+   Copy-EflowVMFile -fromFile <path>\certs\iot-edge-device-ca-<cert name>-full-chain.cert.pem -toFile ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem -pushFile
+   Copy-EflowVMFile -fromFile <path>\private\iot-edge-device-ca-<cert name>.key.pem -toFile ~/iot-edge-device-ca-<cert name>.key.pem -pushFile
+
+   # Copy the root CA certificate
+   Copy-EflowVMFile -fromFile <path>\certs\azure-iot-test-only.root.ca.cert.pem -toFile ~/azure-iot-test-only.root.ca.cert.pem -pushFile
+   ```
 1. Open an elevated _PowerShell_ session by starting with **Run as Administrator**.
 
    Connect to the EFLOW virtual machine.
@@ -128,38 +146,33 @@ Now, you need to copy the certificates to the Azure IoT Edge for Linux on Window
    Connect-EflowVm
    ```
 
-1. Create the certificates directory. You can select any writeable directory. For this tutorial, we'll use the _iotedge-user_ home folder.
+1. Create the certificates directory. You should store your certificates and keys to the preferred `/var/aziot` directory. Use `/var/aziot/certs` for certificates and `/var/aziot/secrets` for keys.
 
    ```bash
-   cd ~
-   mkdir certs
-   cd certs
-   mkdir certs
-   mkdir private
+   sudo mkdir -p /var/aziot/certs
+   sudo mkdir -p /var/aziot/secrets
    ```
 
-1. Exit the EFLOW VM connection.
+1. Move the certificates and keys to the preferred `/var/aziot` directory.
 
    ```bash
-   exit
+   # Move the IoT Edge device CA certificate and key to preferred location
+   sudo mv ~/iot-edge-device-ca-<cert name>-full-chain.cert.pem /var/aziot/certs
+   sudo mv ~/iot-edge-device-ca-<cert name>.key.pem /var/aziot/secrets
+   sudo mv ~/azure-iot-test-only.root.ca.cert.pem /var/aziot/certs
    ```
 
-1. Copy the certificates to the EFLOW virtual machine.
+1. Change the ownership and permissions of the certificates and keys.
 
-   ```powershell
-   # Copy the IoT Edge device CA certificates
-   Copy-EflowVMFile -fromFile <path>\certs\iot-edge-device-ca-<cert name>-full-chain.cert.pem -toFile /home/iotedge-user/certs/certs/iot-edge-device-ca-<cert name>-full-chain.cert.pem -pushFile
-   Copy-EflowVMFile -fromFile <path>\private\iot-edge-device-ca-<cert name>.key.pem -toFile /home/iotedge-user/certs/private/iot-edge-device-ca-<cert name>.key.pem -pushFile
-
-   # Copy the root CA certificate
-   Copy-EflowVMFile -fromFile <path>\certs\azure-iot-test-only.root.ca.cert.pem -toFile /home/iotedge-user/certs/certs/azure-iot-test-only.root.ca.cert.pem -pushFile
+   ```bash
+   sudo chown -R iotedge /var/aziot/certs
+   sudo chmod 644 /var/aziot/secrets/iot-edge-device-ca-<cert name>.key.pem
    ```
+ 
+1. Exit the EFLOW VM connection.
 
-1. Invoke the following commands on the EFLOW VM to grant *iotedge* permissions to the certificate files since `Copy-EflowVMFile` copies files with root only access permissions.
-
-   ```powershell
-   Invoke-EflowVmCommand "sudo chown -R iotedge /home/iotedge-user/certs/"
-   Invoke-EflowVmCommand "sudo chmod 0644 /home/iotedge-user/certs/"  
+   ```bash
+   exit
    ```
 
 ----
diff --git a/articles/iot-edge/tutorial-configure-est-server.md b/articles/iot-edge/tutorial-configure-est-server.md
@@ -130,17 +130,17 @@ The Dockerfile uses Ubuntu 18.04, a [Cisco library called `libest`](https://gith
 
 Each device requires the Certificate Authority (CA) certificate that is associated to a device identity certificate.
 
-1. On the IoT Edge device, create the `/var/secrets` directory if it doesn't exist then change directory to it.
+1. On the IoT Edge device, create the `/var/aziot` directory if it doesn't exist then change directory to it.
 
     ```bash
-    # Create the /var/secrets directory if it doesn't exist
-    sudo mkdir /var/secrets
+    # Create the /var/aziot/certs directory if it doesn't exist
+    sudo mkdir -p /var/aziot/certs
 
-    # Change directory to /var/secrets
-    cd /var/secrets
+    # Change directory to /var/aziot/certs
+    cd /var/aziot/certs
     ```
 
-1. Retrieve the CA certificate from the EST server into the `/var/secrets` directory and name it `cacert.crt.pem`.
+1. Retrieve the CA certificate from the EST server into the `/var/aziot/certs` directory and name it `cacert.crt.pem`.
 
     ```bash
     openssl s_client -showcerts -verify 5 -connect localhost:8085 < /dev/null | sudo awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}' && sudo cp cert2.pem cacert.crt.pem
@@ -149,7 +149,7 @@ Each device requires the Certificate Authority (CA) certificate that is associat
 1. Certificates should be owned by the key service user **aziotks**. Set the ownership to **aziotks** for all the certificate files.
 
     ```bash
-    sudo chown aziotks:aziotks /var/secrets/*.pem
+    sudo chown aziotks:aziotks /var/aziot/certs/*.pem
     ```
 
 ## Provision IoT Edge device using DPS
@@ -159,7 +159,7 @@ Using Device Provisioning Service allows you to automatically issue and renew ce
 ### Upload CA certificate to DPS
 
 1. If you don't have a Device Provisioning Service linked to IoT Hub, see [Quickstart: Set up the IoT Hub Device Provisioning Service with the Azure portal](../iot-dps/quick-setup-auto-provision.md).
-1. Transfer the `cacert.crt.pem` file from your device to a computer with access to the Azure portal such as your development computer. An easy way to transfer the certificate is to remotely connect to your device, display the certificate using the command `cat /var/secrets/cacert.crt.pem`, copy the entire output, and paste the contents to a new file on your development computer.
+1. Transfer the `cacert.crt.pem` file from your device to a computer with access to the Azure portal such as your development computer. An easy way to transfer the certificate is to remotely connect to your device, display the certificate using the command `cat /var/aziot/certs/cacert.crt.pem`, copy the entire output, and paste the contents to a new file on your development computer.
 1. In the [Azure portal](https://portal.azure.com), navigate to your instance of IoT Hub Device Provisioning Service.
 1. Under **Settings**, select **Certificates**, then **+Add**.
 
@@ -233,7 +233,7 @@ On the IoT Edge device, update the IoT Edge configuration file to use device cer
     # Optional if the EST server's TLS certificate is already trusted by the system's CA certificates.
     [cert_issuance.est]
         trusted_certs = [
-            "file:///var/secrets/cacert.crt.pem",
+            "file:///var/aziot/certs/cacert.crt.pem",
         ]
 
     # The default username and password for libest
