weixin_39995764
2020-12-27 16:10

documentation: group enrollment - custom HSM with x509 certs

  • OS and version used: mac OS 10.12.3
  • SDK version used: 1.2.4

Description of the issue:

The existing documentation[1] and samples[2] explain the steps for using a custom HSM with individual enrolment. But they don't cover group enrolment well for the C SDK. Unlike the Java or Node.JS SDKs, there are no docs or samples. The closest is this comment[3] in response to a GitHub issue. It appears to ask to upload both leaf and intermediate. But it is ambiguous.

I will create root, intermediate and leaf certificates as specified using certGen.sh[4]. But what should be returned from each of custom_hsm_get_certificate, custom_hsm_get_alias_key and custom_hsm_get_common_name? Please provide a code sample to do group enrolment.

[1] https://docs.microsoft.com/en-us/azure/iot-dps/quick-create-simulated-device-x509
[2] https://github.com/Azure/azure-iot-sdk-c/blob/master/provisioning_client/devdoc/using_custom_hsm.md
[3] https://github.com/Azure/azure-iot-sdk-c/issues/437#issuecomment-379410547
[4] https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md#step-2---create-the-certificate-chain

This question comes from the open source project: Azure/azure-iot-sdk-c


7 replies

  • weixin_39995764 3 months ago

    Part of the question remains unanswered. 1. What should be returned from custom_hsm_get_common_name for group enrollment? Yes, I can assume that it is the leaf name, but it is not specified. 2. Even now, nowhere is it specified what the certificate format should be (PEM/DER etc.) other than in my earlier GitHub ticket. Also, nowhere in the C SDK is it specified that we should limit the common name to alphanumerics and hyphens. The lib user will need to read the Node.JS SDK docs to get to that point.

    Please imagine what a new developer has to go through to get this working. They are not at the lib developers' expertise level. The point I want to bring out is that things like these are left unspecified and left to the imagination or common sense of the lib user (azure-iot-sdk-c), which shouldn't be the case. Also, regarding functionality, the point of an HSM is that keys never leave the HSM. That is broken from the beginning. Yes, the lib user can modify this open source library to make sure keys never leave the HSM. But again, the provisioning service is a paid service. Regarding HSM functionality or C SDK documentation, this provisioning service, as of today, is better left in public preview.

    The intention is not to be offensive here. Just letting developers know the thoughts.

  • weixin_39789979 3 months ago

    Please provide an example of group enrollment using the C SDK.

  • weixin_39707536 3 months ago

    We are looking for the same group enrollment code in the C SDK. So kindly share some sample code or the supporting documents as soon as possible.

  • weixin_39735509 3 months ago

    Hi, if you are going with root, intermediate and leaf certificates and do Group Enrollment in the Azure Portal (in DPS, under Group Enrollment), you can go with the CA or Intermediate and verify it.
    • custom_hsm_get_certificate should contain your device cert, intermediate cert, CA cert
    • custom_hsm_get_alias_key should contain your device private key
    • custom_hsm_get_common_name should contain the device cert common name

  • weixin_39645019 3 months ago

    Thank you for your comments, I will add some documentation to better describe group enrollments in the C SDK.

  • weixin_39995764 3 months ago

    Even forgetting the documentation, there is neither a source sample nor a simple README.md on how to do group provisioning (at the DEVICE end) with this SDK.

  • weixin_39645019 3 months ago

    From a device perspective, group enrollment and individual enrollment are exactly the same. The device will return the certificate chain the same way, and the service makes the determination of whether to do group or individual enrollment. I will admit that having the above statement in some md file will help.

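Putting the two answers together (what each custom HSM callback returns, and the point that the device side is identical for group and individual enrollment), here is an added example of a minimal custom HSM in C; it is not code from this thread or from the SDK. The HSM_CLIENT_HANDLE typedef, the PEM strings and the common name are constructed stand-ins for the SDK header and the certGen.sh output, and the alphanumeric-and-hyphen check reflects the registration ID constraint the thread mentions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

typedef void* HSM_CLIENT_HANDLE;  /* assumption: stands in for the SDK's real typedef */
/* Constructed placeholder PEM blocks; in practice these come from the certGen.sh output. */
static const char* DEVICE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n";
static const char* INTERMEDIATE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n";
static const char* ROOT_CA_CERT_PEM = "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n";
static const char* DEVICE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n";
static const char* DEVICE_COMMON_NAME = "my-device-0001";  /* doubles as the DPS registration ID */

/* Concatenate parts into one heap string that the SDK releases with free(). */
static char* join(const char* const* parts, int count) {
    size_t total = 1;
    for (int i = 0; i < count; i++) total += strlen(parts[i]);
    char* out = malloc(total);
    if (out == NULL) return NULL;
    out[0] = '\0';
    for (int i = 0; i < count; i++) strcat(out, parts[i]);
    return out;
}

/* DPS registration IDs are limited to alphanumerics and hyphens. */
int is_valid_common_name(const char* cn) {
    if (cn == NULL || *cn == '\0') return 0;
    for (; *cn != '\0'; cn++) if (!isalnum((unsigned char)*cn) && *cn != '-') return 0;
    return 1;
}

/* Count certificate blocks in a PEM bundle, a quick sanity check on the chain. */
int count_pem_certs(const char* pem) {
    int n = 0;
    for (const char* p = strstr(pem, "-----BEGIN CERTIFICATE-----"); p != NULL; p = strstr(p + 1, "-----BEGIN CERTIFICATE-----")) n++;
    return n;
}

/* Chain order: device (leaf) first, then intermediate, then root CA; the same for group and individual enrollment. */
char* custom_hsm_get_certificate(HSM_CLIENT_HANDLE handle) {
    (void)handle;
    const char* chain[] = { DEVICE_CERT_PEM, INTERMEDIATE_CERT_PEM, ROOT_CA_CERT_PEM };
    return join(chain, 3);
}

/* Private key matching the leaf certificate. */
char* custom_hsm_get_alias_key(HSM_CLIENT_HANDLE handle) {
    (void)handle;
    return join(&DEVICE_KEY_PEM, 1);
}

/* Leaf certificate common name; NULL reports failure to the SDK. */
char* custom_hsm_get_common_name(HSM_CLIENT_HANDLE handle) {
    (void)handle;
    return is_valid_common_name(DEVICE_COMMON_NAME) ? join(&DEVICE_COMMON_NAME, 1) : NULL;
}
```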