In this section, you will learn how to create a self-signed X.509 certificate for a device. It is essential to consider the following points:
- Self-signed certificates are for testing only and should not be used in production.
- The default expiration date for a self-signed certificate is one year.
Prerequisites
OpenSSL on a computer running Windows or Linux.
While there could be other tools available for certificate management, this tutorial uses OpenSSL. You can find OpenSSL bundled with many Linux distributions, such as Ubuntu.
Below are the steps that need to be followed to generate the self-signed certificate.
- Obtain CN Name
- Generate root self-signed certificate
- Generate device private key
- Generate Device CSR
- Generate device/leaf certificate
- Get thumbprint
1. Obtain CN Name
First, let's understand what Device Identity is. Device Identity is the name under which your device is registered in Azure IoT Hub. On an IoTConnect account it is derived from the device's Unique ID and, depending on the Device Prefix setting of your account, the CPID:
- If Device Prefix is True, the Device Identity is {CPID}-{UNIQUEID}.
- If Device Prefix is False, the Device Identity is just {UNIQUEID}.
Azure IoT Hub allows Device Identity names of up to 128 characters. The certificate CN must match the Device Identity exactly, and the X.509 standard limits the CN to 64 characters, so a Device Identity used as a CN must not exceed 64 characters. The table below will help you identify your device CN:

Device Prefix | Device UniqueID | CPID | Device CN (max 64 chars)
--- | --- | --- | ---
True | Demo001 | DemoCompany | DemoCompany-Demo001
False | Demo001 | DemoCompany | Demo001

The Device Prefix setting can be found in the Key Vault of your IoTConnect account.
2. Generate root self-signed certificate
Generate a 2048-bit RSA private key for the root certificate, named “rootSelf.key”.
openssl genrsa -out rootSelf.key 2048
Generate a self-signed root certificate named “rootSelf.pem” from that private key, valid for 365 days.
openssl req -x509 -new -nodes -key rootSelf.key -days 365 -out rootSelf.pem
Note – The command will prompt for Country Code, State, CN, etc. Alternatively, use the command below to provide that information inline with -subj.
openssl req -x509 -new -nodes -key rootSelf.key -days 365 -out rootSelf.pem -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=IotHub test certificate"
3. Generate device private key
Generate device private key named “device.key”.
openssl genrsa -out device.key 2048
4. Generate Device CSR
Generate a device CSR named “device.csr”. The CN must be exactly the Device Identity determined in step 1 (CPID-UNIQUEID in this example); replace the placeholder with your own value.
openssl req -new -key device.key -out device.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=CPID-UNIQUEID"
5. Generate device/leaf certificate
Generate the device certificate by signing the device CSR with the root certificate and root key. This produces “device.crt” with a 365-day expiry (-CAcreateserial creates a serial-number file, rootSelf.srl, next to the root certificate).
openssl x509 -req -in device.csr -CA rootSelf.pem -CAkey rootSelf.key -CAcreateserial -out device.crt -days 365
The output is already PEM-encoded; if your tooling expects a .pem extension, the following command rewrites it unchanged as “device.pem”:
openssl x509 -in device.crt -out device.pem
6. Get thumbprint
Use the following command to get the SHA-1 thumbprint of the device certificate generated in step 5:
openssl x509 -noout -fingerprint -sha1 -inform pem -in device.crt
The thumbprint is printed as colon-separated hex pairs; remove the colons before entering it in IoT Hub or IoTConnect. IoT Hub also accepts SHA-256 thumbprints, which you can obtain by replacing -sha1 with -sha256.
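The six steps above collected into one shell script, as an added example that is not part of the original tutorial. It assumes OpenSSL 1.1.1 or later on the PATH; the subject fields (Global Security, IT Department, etc.) are placeholders, as in the tutorial. Beyond the tutorial's commands it enforces the 64-character CN limit from step 1, adds basicConstraints=CA:FALSE and clientAuth extensions to the leaf (the bare x509 -req above emits a certificate with no extensions at all), verifies the leaf against the root, checks that the issued CN equals the Device Identity, and returns the thumbprint with the colons stripped.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Generates a throwaway root
# and a device/leaf certificate whose CN is the IoTConnect Device Identity,
# verifies the chain and prints the thumbprints IoT Hub expects.
# Assumes OpenSSL >= 1.1.1 on the PATH; subject fields are placeholders.
set -eu

# device_cn PREFIX CPID UNIQUEID
# Step 1: build the Device Identity from the Device Prefix setting
# (True -> CPID-UNIQUEID, False -> UNIQUEID) and refuse anything longer
# than the 64-character X.509 CN limit.
device_cn() {
    prefix=$1; cpid=$2; uid=$3
    case "$prefix" in
        [Tt]rue)  cn="${cpid}-${uid}" ;;
        [Ff]alse) cn="$uid" ;;
        *) echo "Device Prefix must be True or False" >&2; return 1 ;;
    esac
    if [ "${#cn}" -gt 64 ]; then
        echo "CN '$cn' is ${#cn} chars; X.509 CN is limited to 64" >&2
        return 1
    fi
    printf '%s\n' "$cn"
}

# make_device_cert OUTDIR CN [DAYS]
# Steps 2-5 of the tutorial in one go, writing rootSelf.key, rootSelf.pem,
# device.key, device.csr and device.crt into OUTDIR.
make_device_cert() {
    outdir=$1; cn=$2; days=${3:-365}
    mkdir -p "$outdir"
    # Step 2: root private key and self-signed root certificate
    openssl genrsa -out "$outdir/rootSelf.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$outdir/rootSelf.key" -days "$days" -sha256 \
        -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=IotHub test certificate" \
        -out "$outdir/rootSelf.pem"
    # Steps 3 and 4: device private key and CSR; CN must equal the Device Identity
    openssl genrsa -out "$outdir/device.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/device.key" -sha256 \
        -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=$cn" \
        -out "$outdir/device.csr"
    # Step 5: sign the CSR with the root. Addition over the tutorial: mark the
    # leaf as a non-CA client certificate so it cannot be used to issue others.
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$outdir/leaf.ext"
    openssl x509 -req -in "$outdir/device.csr" -CA "$outdir/rootSelf.pem" -CAkey "$outdir/rootSelf.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$outdir/leaf.ext" -out "$outdir/device.crt"
    # Sanity checks: the leaf verifies against the root and its CN is exactly the Device Identity
    openssl verify -CAfile "$outdir/rootSelf.pem" "$outdir/device.crt" >/dev/null
    got_cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$outdir/device.crt" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$got_cn" = "$cn" ] || { echo "CN mismatch: got '$got_cn', wanted '$cn'" >&2; return 1; }
}

# thumbprint CERT [sha1|sha256]
# Step 6: certificate fingerprint as a plain hex string (colons removed),
# the form IoT Hub and IoTConnect accept.
thumbprint() {
    cert=$1; alg=${2:-sha1}
    openssl x509 -noout -fingerprint "-$alg" -inform pem -in "$cert" | cut -d= -f2 | tr -d ':'
}

# Usage: sh make_device_cert.sh <True|False> <CPID> <UNIQUEID> [OUTDIR]
if [ "$#" -ge 3 ]; then
    out=${4:-./certs}
    cn=$(device_cn "$1" "$2" "$3")
    make_device_cert "$out" "$cn"
    echo "Device CN:         $cn"
    echo "SHA1 thumbprint:   $(thumbprint "$out/device.crt" sha1)"
    echo "SHA256 thumbprint: $(thumbprint "$out/device.crt" sha256)"
fi
```

Run it as `sh make_device_cert.sh True DemoCompany Demo001 ./certs` to reproduce the table's first row; the root key written to the output directory signs every device identity you issue with it, so keep it out of the device image even in test setups.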