Azure / azure-iot-cli-extension

Azure IoT extension for Azure CLI

How to create new iot hub with new TLS certificate root? #611

Closed joe-agent closed 1 year ago

joe-agent commented 1 year ago

Currently when we create a new iot hub, we need to run an extra command to upgrade the TLS certificate root to v2 like below:

```shell
az iot hub device-identity create -n $iotHubName -d my-data > iotDevice.json
az iot hub certificate root-authority set --hub-name $iotHubName --certificate-authority v2 -y
```

Is it possible to use the v2 certificate when we run az iot hub device-identity create? If yes, how?

vilit1 commented 1 year ago

I am assuming you mean az iot hub create with the v2 certificate. If so, we do not currently have a solution for this and would recommend you create a hub and then migrate it to v2. The migration will happen between February 15 and October 15 (as per https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169 and https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=cli#timeline) so this temporary command will be removed once the migration is over. We decided it is not worth adding another optional parameter to the iot hub create experience if it will be temporary.

If you were asking about how to make a device that would have the v2 certificates, please make sure that if the device uses certificate authentication, it supports the Baltimore root certificate. Please read more here: https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=cli#required-steps and https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169
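The procedure recommended above (create the hub first, then migrate it to the v2 root authority with the temporary `root-authority set` command) as an added POSIX shell example; this is not code from the issue or from the azure-iot-cli-extension project. It only runs the `set` when the hub still reports v1, and it re-reads the hub afterwards so a silently unmigrated hub fails the script rather than going unnoticed. Assumptions: `az iot hub certificate root-authority show` prints JSON carrying either an `enableRootCertificateV2` boolean or a `certificateAuthority` string of `v1`/`v2` (the field names are assumed, not taken from the page), and the `AZ` variable is a hypothetical hook so a stub can stand in for `az` when testing offline.

```shell
#!/usr/bin/env sh
# Added example, not part of the azure-iot-cli-extension project.
# AZ is a hypothetical override: set AZ=<stub function> to run without Azure.
AZ="${AZ:-az}"

# Map the JSON from `root-authority show` to "v1", "v2" or "" (unknown).
# Field names are assumptions; uses only grep/sed so jq is not required.
root_authority_of() {
    json="$1"
    if printf '%s' "$json" | grep -Eq '"enableRootCertificateV2"[[:space:]]*:[[:space:]]*true'; then
        echo v2
    elif printf '%s' "$json" | grep -Eq '"enableRootCertificateV2"[[:space:]]*:[[:space:]]*false'; then
        echo v1
    else
        printf '%s' "$json" \
            | sed -n 's/.*"certificateAuthority"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
            | head -n 1
    fi
}

# Decide what to do: prints "ok" (already v2), "migrate" (still v1) or
# "unknown" (unparseable output; exit status 1 so callers stop rather than
# guessing about the TLS trust root of a production hub).
migration_action() {
    case "$(root_authority_of "$1")" in
        v2) echo ok ;;
        v1) echo migrate ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Create a hub, then ensure it is on the v2 root authority, idempotently.
# Usage: create_hub_on_v2 <hub-name> <resource-group>
create_hub_on_v2() {
    hub="$1"; rg="$2"
    "$AZ" iot hub create -n "$hub" -g "$rg" --sku S1 >/dev/null

    current="$("$AZ" iot hub certificate root-authority show --hub-name "$hub")"
    case "$(migration_action "$current")" in
        migrate)
            "$AZ" iot hub certificate root-authority set \
                --hub-name "$hub" --certificate-authority v2 -y >/dev/null
            ;;
        ok) ;;
        *)
            echo "could not determine root authority for $hub" >&2
            return 1
            ;;
    esac

    # Verify after the change instead of trusting the set command's exit code.
    after="$("$AZ" iot hub certificate root-authority show --hub-name "$hub")"
    if [ "$(root_authority_of "$after")" = "v2" ]; then
        echo "$hub is on the v2 root authority"
    else
        echo "$hub is NOT on the v2 root authority" >&2
        return 1
    fi
}
```

Run it as `create_hub_on_v2 my-hub my-rg` after `az login`; because the `set` step is skipped when the hub already reports v2, the same script keeps working once Azure has migrated the hub on its own and the temporary command is no longer needed.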

joe-agent commented 1 year ago

@vilit1 thanks for the response.

> I am assuming you mean az iot hub create with the v2 certificate.

Yes.

> az iot hub certificate root-authority set --hub-name $iotHubName --certificate-authority v2 -y

After October 15, does the code above fail?

> az iot hub device-identity create -n $iotHubName -d my-data > iotDevice.json

After October 15, would a new device created with the code above have v2 certificates? If not, could you show a code snippet or example of how to do so?

vilit1 commented 1 year ago

Regarding your first question, all IoT Hubs are expected to migrate by then (and the root authority certificate would already be v2) so the command will no longer be needed.

For the second question, please read through: https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169 and https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=cli#required-steps. Specifically, this describes how your device may be affected.