Updated October 23, 2020, 11:15AM PDT**
Updated July 29, 2020, 10:40AM PDT*
The Azure Sphere Security Service is an integral part of Azure Sphere and brokers trust for device-to-cloud communication. When a customer creates a new tenant, the Azure Sphere Security Service issues a tenant certificate authority (CA) certificate to the customer. The tenant CA certificate, in turn, issues the device certificates that each device uses to get OS updates and to upload telemetry. Tenant CA certificates have a lifetime of two years, which starts from tenant creation. The Azure Sphere Security Service will automatically renew tenant CAs approximately 90 days prior to expiry. If you use Azure Sphere tenant CA certificates to register devices in Azure IoT Hub, Azure IoT Central, or any other relying party, you must register the new certificate with each of them so that they continue to recognize and authenticate your devices.
Renewal process
Tenant CA certificates will be automatically renewed. The automated renewal process begins approximately 90 days before the current certificate expires.
| Certificate status | Description | What does this mean for you? |
| --- | --- | --- |
| Revoked | An untrusted certificate | This will not be used by the Azure Sphere Security Service |
| Active | Current active certificate for the tenant | This tenant CA certificate will issue device certificates |
| Inactive | This state could mean one of the following. The certificate could be: | The newly created certificate will become active approximately 45 days after it is created. Register this tenant CA certificate in Azure IoT Hub or IoT Central or any other third-party resources |
What do you need to do?
The newly generated certificate is not automatically re-registered in IoT Hub, IoT Central, or any other third-party resource. First, the new certificate must be downloaded. When downloading it, ensure that you download the newly generated certificate and not the currently active one; you can compare thumbprints to verify that you have the correct certificate.
In Azure IoT hub and Azure IoT Central, registering the certificate involves a few simple steps:
To avoid any interruption in service, you will have 45 days to register the new certificate in Azure IoT Hub, IoT Central, or any other third-party resource before the newly generated certificate becomes the active certificate.
NOTE: These steps require the 20.07 SDK, which is currently scheduled for release on the afternoon of July 29, 2020 (PST). We will update this post with links to documentation once the 20.07 SDK has been released.
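The thumbprint check described above, as an added example that is not part of the original post or of Microsoft's tooling: a few POSIX shell helpers around the OpenSSL CLI that print a certificate's SHA-1 thumbprint, tell you whether the file you downloaded is the currently active CA or the new one, and test whether the active CA is inside the 90-day window in which the Security Service starts renewal. The file names `downloaded.cer` and `active.cer` are assumptions.

```shell
# Constructed helper script (not Microsoft's tooling). Assumes the OpenSSL CLI
# is installed and that each certificate is a single PEM or DER file.

# Detect whether a certificate file is PEM or DER (prints "PEM" or "DER").
cert_inform() {
  if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
    echo PEM
  else
    echo DER
  fi
}

# SHA-1 thumbprint as 40 upper-case hex characters, the form shown in the
# tenant CA listing and in IoT Hub. Handles both OpenSSL 1.1 and 3.x output.
cert_thumbprint() {
  openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout -fingerprint -sha1 \
    | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# Prints "same" if two files contain the same certificate (by thumbprint),
# "different" otherwise. A freshly downloaded file that is "same" as the
# currently active CA is the wrong file: download the new certificate instead.
compare_certs() {
  if [ "$(cert_thumbprint "$1")" = "$(cert_thumbprint "$2")" ]; then
    echo same
  else
    echo different
  fi
}

# Succeeds (exit 0) when the certificate expires within $2 days. With 90 days
# this tells you whether the automatic renewal window has already opened for
# the active CA, i.e. whether a new tenant CA is likely waiting to be registered.
expires_within_days() {
  ! openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout \
      -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Usage (file names assumed): sh check_tenant_ca.sh downloaded.cer active.cer
if [ "$#" -eq 2 ]; then
  echo "downloaded thumbprint: $(cert_thumbprint "$1")"
  echo "active thumbprint:     $(cert_thumbprint "$2")"
  echo "downloaded vs active:  $(compare_certs "$1" "$2")"
  if expires_within_days "$2" 90; then
    echo "active CA expires within 90 days: renewal has started, register the new CA"
  fi
fi
```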
Questions:
Q: Will my devices still be updated after the certificate auto-renewal?
A: Yes. Your tenant CA certificates are auto-renewed precisely so that your devices continue to receive updates and upload telemetry.
Q: Help! Rollover to the new certificate has happened and my devices are now failing to connect to my services. How do I resolve this?
A: You can still register the new certificate. The Azure Sphere Security Service may already be using the new certificate. Relying parties such as IoT Central or IoT Hub will fail to authenticate your devices until the new tenant CA certificate is registered with them.
Q: Oh no! My tenant CA certificate has expired, and I didn't realize I had to register the new certificate. What do I do?
A: Register your new certificate as soon as possible. The Azure Sphere Security Service will already be using the new certificate. Relying parties such as IoT Central or IoT Hub will fail to authenticate your devices until the new tenant CA certificate is registered with them.
Documentation resources:
**Update on October 23, 2020, 11:15AM PDT: The duration between the certificate creation and the certificate activation has been updated from 30 days to 45 days. Documentation is available and has been updated to reflect this change: Manage the tenant CA certificate.
*Update on July 29, 2020, 10:40AM PDT: A small number of customers trying to verify new tenant certificates on the Linux platform with OpenSSL may experience failures. This is a known issue and a fix will be published shortly. We will update this post with the most current available information. For additional information, please read Known issue: Azure Sphere tenant CA certificate rotation.