Azure IoT Hub Server TLS Leaf certificate renewal – May 2017

Опубликовано 3 мая, 2017

Principal Program Manager

The following blog contains important information about TLS certificate renewal for Azure IoT Hub endpoints which may impact client connectivity.

As part of the periodic renewal cycle, the Azure IoT Hub leaf certificates used for TLS connection will be renewed starting mid-May 2017. This could potentially impact some clients connecting to the Azure IoT Hub service. This change only impacts Azure IoT Hubs created in public Azure cloud, and not Azure in China nor Azure Germany.

Certificate renewal summary

The table below provides information about the certificate being renewed. Depending on which cert your device or gateway clients use for TLS connection, action may be needed to prevent loss of connectivity.

Cert (002)

Expected behavior

  • Not impacted: Devices connecting to Azure IoT Hub using Azure IoT Device or Gateway SDK, as provided. Using your own connection code that utilizes the root certificate or SDKs using the Operating System's built-in Certificate Store for TLS connection will not be impacted
  • Potentially impacted: Devices using a connection stack other than the connection stack provided in an Azure IoT SDK. Specifically, connection logic that pins the leaf certificate will experience TLS connection failures after the rollover if not updated. Our recommendation is to pin the root certificates as they renew less frequently.

Validation

We recommend validation to mitigate any untoward impact to your IoT infrastructure connecting to Azure IoT Hub. We have setup a test environment for your convenience to try out before we renew the leaf certificate in Azure IoT Hub. The connection string for this test environment is: HostName=playground01.df.azure-devices-int.net;SharedAccessKeyName=owner;SharedAccessKey=0DvHNevPwsDjpMor6eT6aZefKp77Tdo7z2eaFX9kF5I=

A successful TLS connection to the test environment signifies a positive test outcome, and that your infrastructure will work with this change. This connection test string contains an invalid key so once the TLS connection is established, any runtime operations performed against this test IoT Hub will fail. This is by design as the hub exists solely for customers to validate their TLS connection functions. This test environment will be available until all public cloud regions have been updated.

If you have any technical questions on implementing these changes, open a support request with the options below and an engineer will get back to you shortly.

  • Issue Type: Technical
  • Azure Service: Internet of Things/IoT SDKs
  • Problem Type: Security/Authentication
  • Glossary of terms: Root, Intermediate, and Leaf certificates - Types of digital certificates also known as public key or Identity certificates used to manage identity, access, and trust over a network.