Wiznet makers

lawrence

Published October 29, 2024 © MIT license (MIT)


How to connect Azure IoT Central with X.509 Cert. (W55RP20)

Using the W55RP20-EVB-PICO board, this project shows how to connect to Azure IoT Central with an X.509 certificate.

COMPONENTS

Hardware components
WIZnet - W55RP20-EVB-Pico x 1

Software apps and online services
microsoft - Microsoft Azure x 1
Azure IoT Central


PROJECT DESCRIPTION

This project shows how to connect to Azure IoT Central using X.509 certificates with the W55RP20-EVB-PICO. It briefly describes how to create the X.509 certificates and how to use them. To follow this project, check the link and tools below.

https://github.com/WIZnet-ioNIC/WIZnet-PICO-AZURE-C

WSL (Ubuntu) with OpenSSL installed, used to create the X.509 certificates


Create X.509 certification with OpenSSL

In WSL (Windows Subsystem for Linux), the user can install Ubuntu and use OpenSSL. With this setup, X.509 certificates can be created.

Microsoft Azure also provides a guide on creating X.509 certificates with OpenSSL.

[MS Guide] Tutorial: Using OpenSSL to create test certificates


1) Root CA setup and creation

Create the root CA directory and the related folders.

~$ mkdir rootca
~$ cd rootca/
~/rootca$ mkdir certs db private
~/rootca$ touch db/index
~/rootca$ openssl rand -hex 16 > db/serial
~/rootca$ echo 1001 > db/crlnumber
~/rootca$ vi rootca.conf

Fill rootca.conf with the fields below to set up the certificate information.

In 'req_distinguished_name', change countryName, stateOrProvinceName and localityName to your own information.

[ req ]
default_bits = 2048
default_keyfile = rootca.key
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
countryName = KR
stateOrProvinceName = Seoul
localityName = Kangnam
organizationName = WIZnet
commonName = W55RP20-EVB-PICO

[ ca ]
default_ca = CA_default

[ CA_default ]
# Adjust these absolute paths to where the rootca directory really is
# (for a normal WSL user that is /home/<user>/rootca); serial is resolved
# relative to the directory the openssl command is run from.
certs = /home/rootca/certs
database = /home/rootca/db/index
new_certs_dir = /home/rootca/certs
certificate = /home/rootca/rootca.crt
private_key = /home/rootca/private/rootca.key
serial = ./db/serial
default_md = sha256
policy = policy_match
default_days = 3650

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

After creating rootca.conf, run the following commands to create the .csr and .key files:

~/rootca$ openssl req -new -config rootca.conf -out rootca.csr -keyout private/rootca.key
~/rootca$ openssl ca -selfsign -config rootca.conf -in rootca.csr -out rootca.crt -extensions ca_ext

When the system asks for the PEM pass phrase, the user must remember it. It is a very important password, needed again to create the next certificate.

Enter PEM pass phrase:

Finally, rootca.crt is created with this message. Type 'y' twice during the process.


2) Sub CA setup and creation

The Sub CA is for securing user certificates. Using the Root certificate directly is very risky for the system. The Sub CA is created from the Root CA, but the Root CA's information cannot be learned from it.

To create the Sub CA, a [sub_ca_ext] section needs to be added to rootca.conf.
Add the field information below to rootca.conf:

[ sub_ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

The Sub CA creation process is the same as for the Root CA.

~/rootca$ cd ..
~$ ls
~$ mkdir subca
~$ cd subca/
~/subca$ mkdir certs db private
~/subca$ touch db/index
~/subca$ openssl rand -hex 16 > db/serial
~/subca$ echo 1001 > db/crlnumber
~/subca$ vi subca.conf

Fill subca.conf with the fields below to set up the certificate information.

In 'req_distinguished_name', change countryName, stateOrProvinceName and localityName to your own information.

# Please refer to the rootca.conf file for the fields
~/subca$ openssl rand -hex 16 > ../rootca/db/serial
~/subca$ openssl req -new -config subca.conf -out subca.csr -keyout private/subca.key
~/subca$ openssl ca -config ../rootca/rootca.conf -in subca.csr -out subca.crt -extensions sub_ca_ext

Finally, subca.crt is created with this message. Type 'y' twice during the process.


Setup Azure IoT Central


Build and Run

1) Modify the original code

To use provisioning with X.509, enable the APP_PROV_X509 define in the main code:

C:\RP2040\WIZnet-PICO-AZURE-C\examples\main.c

Add the created certificate information to the section below in sample_certs.c:

variable              certificate / value
pico_az_id_scope      Azure IoT Central ID scope
pico_az_COMMON_NAME   device ID
pico_az_CERTIFICATE   device.crt
pico_az_PRIVATE_KEY   device.key

C:\RP2040\WIZnet-PICO-AZURE-C\examples\sample_certs.c
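Before pasting device.crt and device.key into sample_certs.c it is worth checking that the chain and the device ID line up. The shell script below is an added example, not part of the WIZnet project; it assumes the file names rootca.crt, subca.crt and device.crt from this tutorial and that the leaf CN is the Azure device ID (pico_az_COMMON_NAME). The demo chain it builds for itself is constructed with plain `openssl x509 -req` signing rather than the `openssl ca` flow above.

```shell
#!/bin/sh
# Added example, not part of the WIZnet project: sanity-check the tutorial's certificates
# before pasting them into sample_certs.c. Assumed names: rootca.crt, subca.crt, device.crt.

# check_device_cert ROOT SUB LEAF DEVICE_ID -> 0 ok, 1 chain fails, 2 CN mismatch, 3 leaf is a CA
check_device_cert() {
  root=$1; sub=$2; leaf=$3; device_id=$4
  openssl verify -CAfile "$root" -untrusted "$sub" "$leaf" >/dev/null 2>&1 || return 1
  # DPS matches the leaf CN against the device ID (pico_az_COMMON_NAME in sample_certs.c)
  cn=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$device_id" ] || return 2
  # A device certificate must never carry CA:TRUE
  openssl x509 -in "$leaf" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' && return 3
  return 0
}

# issue DIR NAME CN EXTFILE [CA]: key + CSR + signed cert, self-signed when CA is omitted.
# Constructed demo material only; the real files come from the `openssl ca` steps above.
issue() {
  d=$1; n=$2; cn=$3; ext=$4; ca=$5
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=KR/O=WIZnet/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ -n "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" -CAcreateserial \
      -days 1 -extfile "$d/$ext" -out "$d/$n.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 1 \
      -extfile "$d/$ext" -out "$d/$n.crt" 2>/dev/null
  fi
}

# make_demo_chain DIR DEVICE_ID: root -> sub (pathlen:1) -> device with the tutorial's
# ca_ext / sub_ca_ext constraints, so the checker can be exercised offline.
make_demo_chain() {
  d=$1; id=$2
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:true,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/sub.ext"
  printf 'basicConstraints=critical,CA:false\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
  issue "$d" rootca "Demo Root" ca.ext && issue "$d" subca "Demo Sub" sub.ext rootca \
    && issue "$d" device "$id" leaf.ext subca
}
# Stand-alone run on a constructed chain for device ID "w55rp20-dev01".
demo() {
  d=$(mktemp -d); make_demo_chain "$d" "w55rp20-dev01"
  rc=0; check_device_cert "$d/rootca.crt" "$d/subca.crt" "$d/device.crt" "w55rp20-dev01" || rc=$?
  rm -rf "$d"; return $rc
}
demo && echo "device.crt chains to rootca.crt via subca.crt and its CN is the device ID"
```

Run it with the real files as `check_device_cert rootca.crt subca.crt device.crt <device ID>`; a non-zero return code tells you which of the three checks failed.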


2) Build the project

