Using the same X509 certificate for multiple devices in Azure Device Provisioning Service


Problem description

I have to enroll multiple devices in Azure Device Provisioning Service and I am using group enrollment to achieve the same. I have created a self-signed X509 certificate and an enrollment group too. I registered a simulated device to the group using the sample code. I want to create another simulated device with the same certificate and enroll it in the group. Is that possible? The input to the sample app is the ID scope of the Device Provisioning Service and the certificate. How can I add another device?

    // Fragment of the Azure IoT C# SDK sample "ProvisioningDeviceClientX509".
    // The posted snippet started in the middle of Main and omitted the usings,
    // the class header, the field definitions and the transport line; they are
    // restored here so the code compiles. ProvisioningDeviceClientSample is the
    // companion class from the same sample (it registers the device with DPS).
    using System;
    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using Microsoft.Azure.Devices.Provisioning.Client;
    using Microsoft.Azure.Devices.Provisioning.Client.Transport;
    using Microsoft.Azure.Devices.Shared;

    namespace Microsoft.Azure.Devices.Provisioning.Client.Samples
    {
        public static class Program
        {
            // Public DPS endpoint; the ID scope identifies your DPS instance.
            private const string GlobalDeviceEndpoint = "global.azure-devices-provisioning.net";
            private static string s_idScope = Environment.GetEnvironmentVariable("DPS_IDSCOPE");

            // The PFX carries one device's leaf certificate and private key.
            // A second simulated device needs its own PFX (its own key pair) here.
            private static string s_certificateFileName = "certificate.pfx";

            public static int Main(string[] args)
            {
                if (string.IsNullOrWhiteSpace(s_idScope) && args.Length > 0)
                {
                    s_idScope = args[0];
                }

                if (string.IsNullOrWhiteSpace(s_idScope))
                {
                    Console.WriteLine("ProvisioningDeviceClientX509 <IDScope>");
                    return 1;
                }

                X509Certificate2 certificate = LoadProvisioningCertificate();

                // The private key behind this certificate is what proves the device's
                // identity to DPS; the sample uses AMQP over TCP as the transport.
                using (var security = new SecurityProviderX509Certificate(certificate))
                using (var transport = new ProvisioningTransportHandlerAmqp(TransportFallbackType.TcpOnly))
                {
                    ProvisioningDeviceClient provClient =
                        ProvisioningDeviceClient.Create(GlobalDeviceEndpoint, s_idScope, security, transport);

                    var sample = new ProvisioningDeviceClientSample(provClient, security);
                    sample.RunSampleAsync().GetAwaiter().GetResult();
                }

                return 0;
            }

            private static X509Certificate2 LoadProvisioningCertificate()
            {
                string certificatePassword = ReadCertificatePassword();

                var certificateCollection = new X509Certificate2Collection();
                certificateCollection.Import(s_certificateFileName, certificatePassword, X509KeyStorageFlags.UserKeySet);

                // A PFX may also carry the CA chain; keep only the first entry that
                // has a private key (the device leaf) and dispose the rest.
                X509Certificate2 certificate = null;

                foreach (X509Certificate2 element in certificateCollection)
                {
                    Console.WriteLine($"Found certificate: {element?.Thumbprint} {element?.Subject}; PrivateKey: {element?.HasPrivateKey}");
                    if (certificate == null && element.HasPrivateKey)
                    {
                        certificate = element;
                    }
                    else
                    {
                        element.Dispose();
                    }
                }

                if (certificate == null)
                {
                    throw new FileNotFoundException($"{s_certificateFileName} did not contain any certificate with a private key.");
                }
                else
                {
                    Console.WriteLine($"Using certificate {certificate.Thumbprint} {certificate.Subject}");
                }

                return certificate;
            }

            // Reads the PFX password from the console without echoing it.
            private static string ReadCertificatePassword()
            {
                var password = new StringBuilder();
                Console.WriteLine($"Enter the PFX password for {s_certificateFileName}:");

                while (true)
                {
                    ConsoleKeyInfo key = Console.ReadKey(true);
                    if (key.Key == ConsoleKey.Backspace)
                    {
                        if (password.Length > 0)
                        {
                            password.Remove(password.Length - 1, 1);
                            Console.Write("\b \b");
                        }
                    }
                    else if (key.Key == ConsoleKey.Enter)
                    {
                        Console.WriteLine();
                        break;
                    }
                    else
                    {
                        Console.Write('*');
                        password.Append(key.KeyChar);
                    }
                }

                return password.ToString();
            }
        }
    }

Recommended answer

Client-side authentication (X.509 for verifying the party) implemented in Azure needs each end node to have a unique leaf certificate and private key, kind of like a public/private key pair.

This key pair is used to verify that the party is who it says it is.

Each end node must possess a unique key pair to do so. This key pair is generated from a trusted certificate chain, and the generated key pairs are known as leaves.

The certificate chain can be either CA-signed or self-signed (self-signed is only for development/testing purposes, not suitable for production).

In this chain you have a root certificate from which you generate leaves. You can generate as many leaves as you want within a chain. Each unique leaf can be used as a key pair for each device.

For your case, you can use OpenSSL to generate a self-signed root certificate, and then generate as many self-signed leaves as you need for all your devices.
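The OpenSSL procedure the answer describes, written out as an added example (this script is not part of the original question or answer and is not Azure's code). It creates a self-signed root CA, then issues one freshly generated key pair and leaf certificate per device, signed by that root, and packs each leaf with its key into the .pfx that the C# sample above loads. The directory (WORKDIR), the PFX password and the registration IDs are placeholders chosen for the demonstration. One point the answer leaves implicit: for an enrollment group DPS takes the device's registration ID from the leaf certificate's CN, so each leaf is issued with CN set to that ID (lowercase letters, digits and hyphens are safe), and the two devices in the question would get two different .pfx files, never a copy of the same one.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a root CA plus one
# leaf certificate and private key per device, for an Azure DPS enrollment group.
# Assumptions: WORKDIR, PFX_PASSWORD and the registration IDs passed in are
# placeholders for this demonstration; the PFX password is dev/test only.
set -eu

WORKDIR="${WORKDIR:-./dps-demo-certs}"
PFX_PASSWORD="${PFX_PASSWORD:-changeit}"

# Self-signed root. Upload root.pem to DPS and attach it to the enrollment
# group; every device leaf below chains to it. Dev/test only, as the answer says.
make_root_ca() {
    mkdir -p "$WORKDIR"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORKDIR/root.key" 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/root.key" \
        -subj "/CN=dps-demo-root-ca" -out "$WORKDIR/root.csr"
    cat > "$WORKDIR/root.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # "x509 -req -signkey -extfile" behaves the same on OpenSSL 1.1.1 and 3.x,
    # which "req -x509 -addext" does not always do.
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/root.csr" \
        -signkey "$WORKDIR/root.key" -extfile "$WORKDIR/root.ext" \
        -out "$WORKDIR/root.pem"
}

# One leaf per device. The private key is generated fresh here and is never
# copied to another device; DPS reads the registration ID from the leaf's CN.
make_device_cert() {
    reg_id="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$reg_id.key" 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/$reg_id.key" \
        -subj "/CN=$reg_id" -out "$WORKDIR/$reg_id.csr"
    cat > "$WORKDIR/$reg_id.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
    openssl x509 -req -sha256 -days 90 -in "$WORKDIR/$reg_id.csr" \
        -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" -CAcreateserial \
        -extfile "$WORKDIR/$reg_id.ext" -out "$WORKDIR/$reg_id.pem"
    # Leaf + its key (+ the root for the chain) in the .pfx the C# sample loads.
    openssl pkcs12 -export -inkey "$WORKDIR/$reg_id.key" -in "$WORKDIR/$reg_id.pem" \
        -certfile "$WORKDIR/root.pem" -passout "pass:$PFX_PASSWORD" \
        -out "$WORKDIR/$reg_id.pfx"
}

# Checks worth running before uploading anything: the leaf chains to the root
# and its CN is exactly the registration ID. Returns 0 on success.
verify_device_cert() {
    reg_id="$1"
    openssl verify -CAfile "$WORKDIR/root.pem" "$WORKDIR/$reg_id.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORKDIR/$reg_id.pem" -noout -subject | grep -q "CN *= *$reg_id\$"
}

# Two devices must not share a private key: compare public-key fingerprints.
# Returns 0 when the keys differ.
keys_differ() {
    a=$(openssl pkey -in "$WORKDIR/$1.key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    b=$(openssl pkey -in "$WORKDIR/$2.key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$a" != "$b" ]
}

# Usage: sh make-dps-certs.sh device-001 device-002 ...
if [ "$#" -gt 0 ]; then
    make_root_ca
    for id in "$@"; do
        make_device_cert "$id"
        verify_device_cert "$id" && echo "issued $WORKDIR/$id.pfx for registration ID $id"
    done
fi
```

After running it, upload root.pem as the enrollment group's CA certificate in DPS, then start the C# sample once with s_certificateFileName pointing at device-001.pfx and once with device-002.pfx; each run registers a different device because each PFX carries a different key pair and a different CN.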
