Azure Sphere tenant CA certificate management: certificate rotation
Published Jul 22 2020 09:00 AM 3,586 Views
Microsoft

Updated October 23, 2020, 11:15AM PDT**

Updated July 29, 2020, 10:40AM PDT*

 

The Azure Sphere Security Service is an integral part of Azure Sphere and brokers trust for device-to-cloud communication. When a customer creates a new tenant, the Azure Sphere Security Service issues a tenant certificate authority (CA) certificate to the customer. The tenant CA certificate, in turn, issues device certificates that the device uses to get OS updates and to upload telemetry. Tenant CA certificates have a lifetime of two years, which starts from tenant creation. The Azure Sphere Security Service will automatically renew tenant CAs approximately 90 days prior to expiry. If you use Azure Sphere tenant CA certificates to register in Azure IoT hub, Azure IoT Central, and any other relying party, you must register the new certificate so they recognize and authenticate your devices.

 

Renewal process

Tenant CA certificates will be automatically renewed. Automated renewal process begins approximately 90 days before the current certificate expires.

  • A new tenant CA certificate is generated within 90 days prior to the expiration of the current active certificate.
    • Approximately 45 days after the creation date of the newly generated CA certificate, it becomes the new active CA certificate and the current active CA certificate becomes inactive and retired. Once a tenant CA certificate has been retired, Azure Sphere device certificates will be issued from the new active CA certificate.
  • Once the new tenant CA certificate is issued, it is ready for download. Using new commands available in the Azure Sphere Developer Command prompt, you can:
    • Download certificates and certificate chains for the current and new certificates
    • Download proof of possession certificates to verify the tenant CA certificate in Azure IoT Central and/or IoT Hub
    • Get a list of available certificates and their details for an Azure Sphere tenant.
  • A tenant CA certificate status will be one of three possible values, listed below along with a brief explanation of what each status means for you:
Certificate status Description What does this mean for you?
Revoked An untrusted certificate This will not be used by the Azure Sphere Security Service
Active Current active certificate for the tenant This tenant CA certificate will issue device certificates
Inactive

This state could mean one of the following. The certificate could be:

  • Newly created certificate if “End Date” displayed by the command or “notAfter” in the certificate is approximately two years in the future
  • Retired certificate if “End Date” displayed by the command or “notAfter” in the certificate is one to 45 days in the future
  • Expired certificate if the “End Date” displayed by the command or “notAfter” in the certificate is in the past
The newly created certificate will become active approximately 45 days after it is created. Register this tenant CA certificate in Azure IoT Hub or IoT Central or any other third-party resources


What do you need to do?

The newly generated certificate is not automatically re-registered in IoT Hub, IoT Central, or any other third-party resource. First, this new certificate must be downloaded. When downloading the certificate, ensure that the newly generated certificate is downloaded and not the currently active certificate. You can use the thumbprint to verify if you are using the correct certificate.

 

In Azure IoT hub and Azure IoT Central, registering the certificate involves a few simple steps:

  • Tenant CA certificate must be first uploaded in the certificates section of IoT Hub or IoT Central.
  • In the enrollments section of IoT Hub or IoT Central, the uploaded certificate can be configured as either the primary or secondary certificate. Do not remove any certificates that have not expired.
  • The proof of possession certificate can be downloaded using the verification code generated by IoT Hub or IoT Central. Proof of possession certificate must then be uploaded in IoT Hub or IoT Central to complete the certificate registration process.

To avoid any interruption in service, you will have 45 days to register the new certificate in Azure IoT Hub, IoT Central, or any other third-party resource before the newly generated certificate becomes the active certificate.

 

NOTE: These steps require the 20.07 SDK, which is currently scheduled for release on the afternoon of July 29, 2020 (PST). We will update this post with links to documentation once the 20.07 SDK has been released.

 

Questions:

Q: Will my devices be updated even after the certificate auto renewal?

A: Your tenant CA certificates are auto renewed to ensure that your devices will continue to receive updates and uploading telemetry.

Q: Help! Rollover has happened to new cert, and my devices are now failing to connect to my services, how do I resolve?

A: You can still register the new certificate. The Azure Sphere Security Services may already be using the new certificate. Relying partners such as IoT central or IoT hub will fail to authenticate your device till the new tenant CA certificate is registered with them.

Q: Oh no! My tenant CA certificate has expired, and I didn’t realize I had to register the new certificate? What do I do?

A: Register your new certificate ASAP. The Azure Sphere Security Service will already be using the new certificate. Relying partners such as IoT central or IoT hub will fail to authenticate your device till the new tenant CA certificate is registered with them.

 

Documentation resources:

**Update on October 23, 2020, 11:15AM PDT:  The duration between the certificate creation and the certificate activation has been updated from 30 days to 45 days. Documentation is available and has been updated to reflect this change: Manage the tenant CA certificate.

 

*Update on July 29, 2020, 10:40AM PDT:  A small number of customers trying to verify new tenant certificates on the Linux platform with OpenSSL may experience failures. This is a known issue and a fix will be published shortly. We will update this post with the most current available information. For additional information, please read Known issue: Azure Sphere tenant CA certificate rotation.

2 Comments
Version history
Last update:
‎Oct 23 2020 11:15 AM
Updated by: