Status: Closed (epomatti closed this issue 12 months ago)
@epomatti Thanks for your feedback! We will investigate and update as appropriate.
Hi @epomatti, Greetings! Thank you for posting this question. Even though you are uploading the root CA to the IoT Hub, and the certificate is verified, since it is self-signed and not provided by any certified CA, the device registration still shows it as a self-signed X509 certificate.
I agree that the paraphrasing "When devices present their X.509 certificate for authentication, IoT Hub checks that it belongs to a chain of trust signed by the same root CA certificate." leads to confusion.
I am assigning this case to our content SME to take appropriate action as needed.
Hi @PatAltimore, please review the X.509 CA-signed authentication statement under the section Register device with IoT Hub. It implies that after we upload root CA (does not specify whether the certificate is CA signed or self-signed) and validate it, the device provisioned using the corresponding intermediate certificate falls under CA signed.
Can we update the document to make sure that the root CA has to be CA signed to avoid confusion?
Thank you.
@LeelaRajesh-Sayana, this part of your answer:

> since it is self-signed and not provided by any certified CA

"Self-signed X509 Certificate" in the Portal: I immediately think of the device and how it was authenticated, and not whether the CA derives from a trusted PKI provider that IoT Hub trusts. The 'device' authentication type should read CA-Signed; that is how I provisioned it. Maybe create an additional column that displays information relative to the CA. I find this classification in the portal to be confusing.
Hello,
Any update on this issue? My devices provisioned with DPS always display "x509 self-signed" instead of "certificate authority". Everything works with manually created devices directly on IoT Hub.
Thank you,
@epomatti @theob7 Thank you for your patience. I finally got an answer on why IoT Hub reports DPS-registered X.509 devices as 'self-signed'.
In short, this is expected behavior. Even though you have uploaded the CA certificate to DPS, that isn't passed on to your hub when the device is registered. DPS registers the device to your hub by creating a device record with the thumbprint of the device’s certificate in Hub. So from the perspective of the hub, the authentication type is self-signed X.509.
Does that clear this up for you?
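To make the distinction in the answer above concrete, here is an added example (not code from Microsoft, Azure IoT Hub or DPS) that models the two device records side by side: a thumbprint-pinned record, which is what the answer says DPS writes into the hub, and a CA-chained check, which is what "certificate authority" authentication does. The PKI (root, intermediate, device certificates) is constructed in memory, the SHA-256 upper-case hex thumbprint format is an assumption chosen for illustration, and the device-id-equals-CN rule is the modelled policy, not a statement about the hub's internals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TestPKI is a constructed in-memory PKI: a self-signed root, an intermediate,
// and the intermediate's key so that device (leaf) certificates can be issued.
type TestPKI struct {
	Root, Intermediate *x509.Certificate
	intKey             *ecdsa.PrivateKey
	serial             int64
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// NewTestPKI builds the root and intermediate (stand-ins for the CA chain the tutorial uploads).
func NewTestPKI() (*TestPKI, error) {
	rootKey, err := newKey()
	if err != nil { return nil, err }
	rootTmpl := caTemplate("Constructed Test Root CA", 1)
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil { return nil, err }
	intKey, err := newKey()
	if err != nil { return nil, err }
	inter, err := sign(caTemplate("Constructed Test Intermediate CA", 2), root, &intKey.PublicKey, rootKey)
	if err != nil { return nil, err }
	return &TestPKI{Root: root, Intermediate: inter, intKey: intKey, serial: 100}, nil
}

// IssueDevice issues a fresh leaf (CN = device id) signed by the intermediate.
// Calling it twice for the same id models a renewal: same CN and chain, new key,
// serial and therefore a new thumbprint.
func (p *TestPKI) IssueDevice(deviceID string) (*x509.Certificate, error) {
	devKey, err := newKey()
	if err != nil { return nil, err }
	p.serial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, p.Intermediate, &devKey.PublicKey, p.intKey)
}

// Thumbprint is the SHA-256 fingerprint of the DER certificate as upper-case hex (assumed format).
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// ThumbprintRegistry models the device record DPS creates in the hub: device id
// mapped to a pinned thumbprint, with no reference to the issuing CA at all.
type ThumbprintRegistry map[string]string

// AuthByThumbprint is the "self-signed X.509" check: the presented certificate must
// hash to the pinned value; which CA signed it plays no part.
func AuthByThumbprint(reg ThumbprintRegistry, deviceID string, presented *x509.Certificate) bool {
	want, ok := reg[deviceID]
	return ok && want == Thumbprint(presented)
}

// AuthByCA is the "certificate authority" check: the presented certificate must chain
// to the verified root via the intermediate and carry the device id as its CN.
func AuthByCA(root, intermediate *x509.Certificate, deviceID string, presented *x509.Certificate) bool {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	ints.AddCert(intermediate)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: ints, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil && presented.Subject.CommonName == deviceID
}

func main() {
	pki, err := NewTestPKI()
	if err != nil { panic(err) }
	first, _ := pki.IssueDevice("device-001")
	renewed, _ := pki.IssueDevice("device-001")
	reg := ThumbprintRegistry{"device-001": Thumbprint(first)} // what was pinned at registration
	fmt.Println("original: thumbprint", AuthByThumbprint(reg, "device-001", first), "CA", AuthByCA(pki.Root, pki.Intermediate, "device-001", first))
	fmt.Println("renewed:  thumbprint", AuthByThumbprint(reg, "device-001", renewed), "CA", AuthByCA(pki.Root, pki.Intermediate, "device-001", renewed))
}
```

The run shows the practical consequence of the answer: the original certificate passes both checks, but a renewed certificate from the same CA passes only the chain check, because the pinned thumbprint in the model's device record knows nothing about the CA. That is the operational meaning of seeing "Self-signed X509 Certificate" for a DPS-registered device, and it is what an auditor should be told the label denotes.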
@kgremban I wish there could be a way, perhaps not architecturally but at least visually, where there would be no confusion when managing devices in this specific scenario. Specifically, when I see "Self-Signed" I don't have to stop and think what it is or explain it to an auditing/security department. That would be great.
Following the tutorial, I've registered the device using DPS with an X509 certificate signed by the intermediate CA, for which the root CA is uploaded and verified in the DPS.
However, in IoT Hub my devices are displayed as "Self-signed X509 Certificate". I tried uploading the root CA to the IoT Hub, as well as to the DPS, but no changes. I've found this answer but I don't understand why this is the case.
The documentation is clear in which CA-signed should be the case for devices verified by a root CA uploaded to IoT Hub.