|
| 1 | +--- |
| 2 | +title: How to roll X.509 certificates in Azure IoT Hub Device Provisioning Service | Microsoft Docs |
| 3 | +description: How to roll X.509 certificates with your device provisioning service instance |
| 4 | +author: wesmc7777 |
| 5 | +ms.author: wesmc |
| 6 | +ms.date: 08/06/2018 |
| 7 | +ms.topic: conceptual |
| 8 | +ms.service: iot-dps |
| 9 | +services: iot-dps |
| 10 | +manager: timlt |
| 11 | +--- |
| 12 | + |
| 13 | +# How to roll X.509 certificates in your Device Provisioning Service instance |
| 14 | + |
| 15 | +At some point in the lifecycle of your IoT solution, you are going to want to roll the certificates in your system. Two of the main reasons for rolling certificates would be to address a security breach, and to address certificate expirations. |
| 16 | + |
| 17 | +Rolling certificates is a security best-practice to help secure your system in case of a breach. As part of [Assume Breach Methodology](http://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf), Microsoft advocates the need for having reactive security processes in place in addition to preventative measures. Rolling your device certificates should be included as part of these reactive security processes. The frequency with which you roll your certificates depends on the security needs of your solution. Customers with solutions involving higly sensitive data may roll certificate daily, while others roll their certificates every couple years. |
| 18 | + |
| 19 | +Rolling device certificates will involve updating the certificate stored on the device and the IoT hub. Afterwards, the device can re-provision itself with the IoT hub using normal [auto-provisioning](concepts-auto-provisioning.md) with the Device Provisioning Service. |
| 20 | + |
| 21 | +## Rolling the certificate on the device |
| 22 | + |
| 23 | +Certificates on a device should always be stored in a safe place like a [hardware security module (HSM)](concepts-device.md#hardware-security-module). How you roll the certificates on your devices depends on how the certificates were created and installed in the devices in the first place. If you got your certificates from a third party, you must look into how they roll their certificates. The process may be included in your arrangement with them, or it may be a separate service they offer. If you are managing your own device certificates, you will have to build your own pipeline for updating certificates. Make sure both old and new leaf certificates have the same common name (CN) so the device can re-provision without creating a duplicate registration record. |
| 24 | + |
| 25 | +## Rolling the certificate in the IoT hub |
| 26 | + |
| 27 | +The device certificate can be manually added to an IoT hub, or it can be automated using a Device Provisioning Service instance. In this article, we will assume a provisioning service instance is being used to support [auto-provisioning](concepts-auto-provisioning.md). |
| 28 | + |
| 29 | +For auto-provisioning, the easiest way to roll device certificates for an IoT hub is to re-provisioning the device through the Device Provisioning Service instance. During device boot-up, a device contacts the provisioning service. The provisioning service responds by performing an identity check before creating a device identity in an IoT hub using the device’s [leaf certificate](concepts-security.md#end-entity-leaf-certificate) as the credential. The provisioning service then tells the device which IoT hub it is assigned to, and the device then uses its leaf certificate to authenticate and connect. |
| 30 | + |
| 31 | +Once a new leaf certificate has been rolled to the device, it will no longer be able to connect to the IoT hub because it’s attempting to use a new certificate to connect and the IoT hub only recognizes the device with the old certificate. |
| 32 | + |
| 33 | +An possible exception to this would be a scenario where you have created an [Enrollment Group](concepts-service.md#enrollment-group) for your device in the provisioning service. In this case, if you are not rolling the root or intermediate certificates in the device's certificate chain of trust, then the device will be recognized if the new certificate is part of the chain defined in the enrollment group. For all other scenarios, you need to update the enrollment entry for the new certificate. |
| 34 | + |
| 35 | +To update an individual enrollment for the new certificate: |
| 36 | + |
| 37 | +1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to the IoT Hub Device Provisioning Service instance that contains the enrollment entry for your device. |
| 38 | + |
| 39 | +2. Click **Manage enrollments**. |
| 40 | + |
| 41 | +  |
| 42 | + |
| 43 | +3. Click **Individual Enrollments**, and click the device entry in the list. Click **Delete current certificate** and then, click the folder icon to select the new certificate to be uploaded for the enrollment entry. Click **Save**. |
| 44 | + |
| 45 | +  |
| 46 | + |
| 47 | + |
| 48 | +To update a group enrollment for the new certificate: |
| 49 | + |
| 50 | +1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to the IoT Hub Device Provisioning Service instance that contains the enrollment entry for your device. |
| 51 | + |
| 52 | +2. Click **Manage enrollments**. |
| 53 | + |
| 54 | +  |
| 55 | + |
| 56 | + |
| 57 | +3. Click **Enrollment Groups**, and then click the enrollment group in the list. |
| 58 | + |
| 59 | +4. Click **Intermediate Certificate**, and **Delete current certificate**. Click the folder icon to navigate to the new intermediate certificate to be uploaded for the enrollment group. Click **Save**. |
| 60 | + |
| 61 | +  |
| 62 | + |
| 63 | + |
| 64 | +## Device re-provisioning |
| 65 | + |
| 66 | +Once the certificate is rolled on both the device, and the Device Provisioning Service, the device can re-provision itself by contacting the Device Provisioning Service. |
| 67 | + |
| 68 | +One easy way of programming devices to re-provision is to program the device to contact the provisioning service to go through the provisioning flow if the device receives an “unauthorized” error from attempting to connect to the IoT hub. |
| 69 | + |
| 70 | +Another way is for both the old and the new certificates to be valid for a short overlap, and use the IoT hub to send a command to devices to have them re-register via the provisioning service to update their IoT Hub connection information. Because each device can process commands differently, you will have to program your device to know what to do when the command is invoked. There are several ways you can command your device via IoT Hub, and we recommend using [direct methods](iot-hub-devguide-direct-methods.md) or [jobs](iot-hub-devguide-jobs) to initiate the process. |
| 71 | + |
| 72 | +Once re-provisioning is complete, devices will be able to connect to IoT Hub using their new certificates. |
| 73 | + |
| 74 | + |
| 75 | +## Blacklisting certificates |
| 76 | + |
| 77 | +To blacklist a device certificate simply click **disable** on the enrollment entry for the target device/certificate, and click **Save**. |
| 78 | + |
| 79 | + |
| 80 | + |
| 81 | +Once an enrollment entry is disabled, any the device(s) attempting to register with an IoT hub using the certificates configured with the entry will fail. |
| 82 | + |
| 83 | + |
| 84 | + |
| 85 | + |
| 86 | +## Next steps |
| 87 | + |
| 88 | +- To learn more about X.509 certificates in the Device Provisioning Service, see [Security](concepts-securoty.md) |
| 89 | +- To learn about how to do proof-of-possession for X.509 CA certificates with the Azure IoT Hub Device Provisioning Service, see [How to verify certificates](how-to-verify-certificates.md) |
| 90 | +- To learn about how to use the portal to create an enrollment group, see [Managing device enrollments with Azure portal](how-to-manage-enrollments.md). |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | + |
| 96 | + |
| 97 | + |
| 98 | + |
| 99 | + |
| 100 | + |
0 commit comments