Skip to content

Latest commit

 

History

History
195 lines (142 loc) · 4.32 KB

File metadata and controls

195 lines (142 loc) · 4.32 KB

Azure IoT Edge self-signed Root CA with DPS

To provision an IoT Edge device with self-signed Root CA, it is required to use DPS.

Create the IoT Hub:

# IoT Hub
az group create --name IoTEdgeResources --location westus2
az iot hub create --resource-group IoTEdgeResources --name iothub789 --sku F1 --partition-count 2 --mintls "1.2"

# Upgrade the root to V2 if required
az iot hub certificate root-authority set --hub-name iothub789 --certificate-authority v2

Create the DPS:

# Create the DPS
az iot dps create -n dps789 -g IoTEdgeResources -l westus2

# Link with the IoT Hub
hubConnectionString=$(az iot hub connection-string show -n iothub789 --kt primary --query connectionString -o tsv)
az iot dps linked-hub create --dps-name dps789 --resource-group IoTEdgeResources --connection-string $hubConnectionString

# Verify
az iot dps show -n dps789

Generate the certificates:

mkdir wrkdir
cd wrkdir

# Download the raw files for testing
curl "https://raw.githubusercontent.com/Azure/iotedge/main/tools/CACertificates/certGen.sh" --output certGen.sh
curl "https://raw.githubusercontent.com/Azure/iotedge/main/tools/CACertificates/openssl_root_ca.cnf" --output openssl_root_ca.cnf

# Root
sudo bash certGen.sh create_root_and_intermediate

# IoT Edge
sudo bash certGen.sh create_edge_device_identity_certificate EdgeDevice

Upload the root CA certificate to DPS:

az iot dps certificate create -n "Test-Only-Root" --dps-name dps789 -g IoTEdgeResources -p certs/azure-iot-test-only.root.ca.cert.pem -v true

Create the enrollment group:

az iot dps enrollment-group create -n dps789 -g IoTEdgeResources\
    --root-ca-name "Test-Only-Root" \
    --secondary-root-ca-name "Test-Only-Root" \
    --enrollment-id "EdgeDevicesGroup" \
    --provisioning-status "enabled" \
    --reprovision-policy "reprovisionandmigratedata" \
    --iot-hubs "iothub789.azure-devices.net" \
    --allocation-policy "hashed" \
    --edge-enabled true \
    --tags '{ "Environment": "Staging" }' \
    --props '{ "Debug": "false" }'

Create the Iot Edge (Ubuntu Server):

az vm create \
  --resource-group IoTEdgeResources \
  --name vmiotedge \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --public-ip-sku Standard

Connect to the VM:

ssh azureuser@<public-ip>

Update the packages:

sudo apt update
sudo apt upgrade -y

Restart the VM and connect again:

az vm restart -n vmiotedge -g IoTEdgeResources

Add Microsoft packages:

sudo wget https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo rm packages-microsoft-prod.deb

Install Docker:

sudo apt-get update; \
  sudo apt-get install moby-engine

Create /etc/docker/daemon.json and add:

{
  "log-driver": "local"
}

Then restart:

sudo systemctl restart docker
sudo systemctl status docker

Install the Edge runtime:

sudo apt-get update; \
   sudo apt-get install aziot-edge

Copy the certificates:

sudo mkdir /var/secrets
sudo mkdir /var/secrets/aziot
sudo mv edgedevice.full-chain.cert.pem /var/secrets/aziot/
sudo mv edgedevice.key.pem /var/secrets/aziot/

Create the configuration file:

sudo cp /etc/aziot/config.toml.edge.template /etc/aziot/config.toml

Set the configuration:

sudo vim /etc/aziot/config.toml

Edit the provisioning section. You'll need to change the id_scope value:

# DPS provisioning with X.509 certificate
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net"
id_scope = "SCOPE_ID_HERE"

[provisioning.attestation]
method = "x509"
registration_id = "EdgeDevice"

identity_cert = "file:///var/secrets/aziot/edgedevice.full-chain.cert.pem"

identity_pk = "file:///var/secrets/aziot/edgedevice.key.pem"

Apply the config:

sudo iotedge config apply

Run the verification commands:

sudo iotedge system status
sudo iotedge system logs
sudo iotedge check

Using the Portal, add a marketplace Edge module, then check again:

sudo iotedge list