[Technical Question] Why there is a need of intermediate certificate to provision a device through DPS group enrollments #1795
Comments
@tim Taylor please provide your inputs, as this is one of the deciding factors for our software architecture.
You shouldn't need the intermediate certs here. This is probably just a documentation issue.
@timtay-microsoft It doesn't work without using the intermediate certificate. The callback
Just use an empty LinkedList and it will work.
This one works for me.
I followed these steps: https://learn.microsoft.com/en-us/azure/iot-dps/tutorial-custom-hsm-enrollment-group-x509?tabs=windows&pivots=programming-language-ansi-c#create-an-x509-certificate-chain. I think the cert chain is correct. With your cert I get
@timtay-microsoft Do you mean we don't need an intermediate cert if we are using DPS group enrollment with the intermediate certificate uploaded to DPS as the root cert?
I am provisioning a device through X509 certs and it's strange that we need an intermediate cert to be used as a signerCertificate in the example given here (https://github.com/Azure/azure-iot-sdk-java/blob/main/provisioning/provisioning-device-client-samples/provisioning-X509-sample/readme.md), which mentions:
Obtain the certificates following instructions from [X509 Certificate Generator](https://github.com/Azure/azure-iot-sdk-java/tree/main/provisioning/provisioning-tools/provisioning-x509-cert-generator). If you are trying Group Enrollment then you will need to add signerCertificates to the Collection. You can add the signerCertificates in main() just before instantiating SecurityProviderX509Cert: signerCertificates.add("<Your Signer/intermediate Certificate Here>");
Now, on the contrary, I see this example as well, which doesn't use the signerCertificate (intermediate cert) and provisions a device using DPS group enrollment; refer to point 7:
SecurityProvider securityProviderX509 = new SecurityProviderX509Cert(deviceX509Cert, deviceX509Key, null);
Now my questions are:
The Java sample I'm running works with the intermediate certificate used as the signerCertificates argument here: SecurityProviderX509Cert(leafPublicCert, leafPrivateKey, signerCertificates), so my certs are correct and DPS is also correctly configured. But when I pass null in signerCertificates, the registerDevice call times out and the registration callback is never called. Which of the above examples is correct? And why does the second example not work for me? I have used the Node and C Azure IoT SDKs; they don't need any intermediate certificate on a device for it to be provisioned to DPS using group enrollment. Why does the Java SDK need that?
Also it would not be a good solution for an Android app, as that requires the intermediate certificate to be shipped with the APK, which is a security concern.
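As an added example (not code from this issue or from the SDK samples), the following JDK-only check verifies locally that the intermediate really signed the device leaf certificate before both are handed to the provider as the signer chain, which is the chain the device presents in the TLS handshake so DPS can link the leaf to the CA registered on the enrollment group. The file names are placeholders, and the SDK package paths and the String-based constructor used by the readme quoted above are assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.LinkedList;

// Assumed SDK package paths (not confirmed by the issue text).
import com.microsoft.azure.sdk.iot.provisioning.security.SecurityProvider;
import com.microsoft.azure.sdk.iot.provisioning.security.hsm.SecurityProviderX509Cert;

public class X509ChainCheck {
    // Parse one PEM-encoded certificate with the JDK CertificateFactory.
    static X509Certificate parsePem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    // Fail early if 'issuer' did not sign 'subject' or either cert is outside its validity window;
    // a broken chain is one reason a registration attempt never completes.
    static void assertSignedBy(X509Certificate subject, X509Certificate issuer) throws Exception {
        subject.checkValidity();
        issuer.checkValidity();
        if (!subject.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new IllegalStateException("issuer DN mismatch: " + subject.getIssuerX500Principal());
        }
        subject.verify(issuer.getPublicKey()); // throws SignatureException on a wrong key
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths for the files produced by the tutorial / cert-generator steps.
        String leafPem = Files.readString(Path.of("device-cert.pem"));
        String leafKeyPem = Files.readString(Path.of("device-key.pem"));
        String intermediatePem = Files.readString(Path.of("intermediate-cert.pem"));

        assertSignedBy(parsePem(leafPem), parsePem(intermediatePem));

        // Signer collection = the chain between the leaf and the CA uploaded to DPS.
        // Pass an empty collection rather than null when no intermediate is involved.
        Collection<String> signerCertificates = new LinkedList<>();
        signerCertificates.add(intermediatePem);

        SecurityProvider securityProvider =
                new SecurityProviderX509Cert(leafPem, leafKeyPem, signerCertificates);
        System.out.println("chain verified; provider ready for ProvisioningDeviceClient.create(...)");
    }
}
```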