Azure IoT TLS: Changes are coming! (…and why you should care)

@RAMIoT 

How will these change affect Microsoft Azure Sphere and Windows IOT Core devices?  Will those devices be automatically be updated with firmware/OS updates pushed out by Microsoft, assuming they have network connectivity back to the public internet?   

Azure Sphere utilizes the certificate provided in the Azure IoT C SDK that runs on Sphere. Since the SDK has the Baltimore root, this change should not impact default configurations of the Azure IoT C SDK on Sphere. However, if there have been intentional changes to include extra validation of ICAs or leaf certificates, some changes may be needed per the blog. 

For Windows IoT, the cert store has the existing Baltimore root already. This is not changing. Of course, if there is code that performs extra validation of ICAs or leaf certificates, or if these have been pinned, then some changes may be needed. 

@RAMIoT 

What if we use only self-signed certificates with device SDK without pinned the Baltimore root CA explicitly, is it required any actions?

@marusyk 

I believe the flow you're talking about is for device authentication by the hub - devices can be provisioned with self signed certificates whose thumbprints are uploaded to hub so that hub can authenticate them. This flow is unchanged. 

What's changing is the way the device authenticates the service through TLS. The server (IoT Hub or DPS) will present a SSL certificate rooted to Baltimore with different intermediate CAs starting Oct 5th. If you are using the default C device SDK, the Baltimore root is pinned, and you should be okay. If you have performed any extra validation against any certificate that is not the Baltimore root, you may need to update that code. 

Hope this helps! 

@RAMIoT 

We are using self signed certificate to provision devices into iot hub. Our Device is provisioning to IoT Hub via Azure DPS. We had Azure Device SDK on Device which connect to DPS using global endpoint "global.azure-devices-provisioning.net", ID Scope, and device certificates X.509 (Created using Self Signed Certificate). Once Device is provisioned on Azure IoT Hub using DPS, device will start communicating to IoT hub using device certificates X.509 and Device ID. We hadn't pinned certificates on device.

Does is there any impact based on above implementation approach?

We also tried to connect to DPS using test environment provided by Azure in this blog. We used our existing device valid certificates which are chaining to self signed root certificate and try to connect with below endpoints. But we are getting error code 401002. Below is the response which we got.

• Azure Test Environment
  • Global Service Endpoint: global-canary.azure-devices-provisioning.net
  • ID SCOPE: 0ne0017FD54

What steps we need to follow to prevent disconnection of devices from azure?

Thanks,

Rajan

Hi @rajanpatel,

The flow you're referring to is how IoT Hub authenticates devices; there are 3 methods - Symmetric Key, X.509 self signed, and X.509 CA. These flows are not impacted. The TLS Server Certificates of Hub and DPS are changing and hence impacted. This means that when establishing a TLS connection with the IoT Hub or global DPS endpoint, the device must validate the server by looking up at the root chain and validating that the root certificate (in this case 'Baltimore Cyber Trust Root') is indeed a trusted CA on the device. 

The error you are receiving is because the test DPS instance does not have your device enrolled. If you'd like to test that, please open a support ticket as described in the Support section above, and our support team will be happy to enroll your device and allow you to perform an end to end test. If you're able to independently test that you're able to establish a TLS connection using wireshark then that's the only validation required. Hope this helps! :)

I am using IoT DPS and IoT Hub from Linux VM + IoT Python SDK. My understanding is that I am not impacted based on input which you provided:

"If your devices depend on the operating system certificate store for getting these roots or use the device/gateway SDKs as provided, then no action is required."

In addition I did following test with curl:

[admin@node01 ~]$ curl -v https://global-canary.azure-devices-provisioning.net:8883
* About to connect() to global-canary.azure-devices-provisioning.net port 8883 (#0)
*   Trying 52.225.179.220...
* Connected to global-canary.azure-devices-provisioning.net (52.225.179.220) port 8883 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.azure-devices-provisioning.net
*       start date: Sep 08 21:29:05 2020 GMT
*       expire date: Sep 08 21:29:05 2021 GMT
*       common name: *.azure-devices-provisioning.net
*       issuer: CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: global-canary.azure-devices-provisioning.net:8883
> Accept: */*
>
* Empty reply from server
* Connection #0 to host global-canary.azure-devices-provisioning.net left intact
curl: (52) NSS: client certificate not found (nickname not specified)
[admin@node01 ~]$ curl -v https://sdk-cert-test.azure-devices.net:8883
* About to connect() to sdk-cert-test.azure-devices.net port 8883 (#0)
*   Trying 52.180.177.125...
* Connected to sdk-cert-test.azure-devices.net (52.180.177.125) port 8883 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=*.azure-devices.net
*       start date: Sep 10 21:15:38 2020 GMT
*       expire date: Sep 10 21:15:38 2021 GMT
*       common name: *.azure-devices.net
*       issuer: CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sdk-cert-test.azure-devices.net:8883
> Accept: */*
>
* Empty reply from server
* Connection #0 to host sdk-cert-test.azure-devices.net left intact
curl: (52) NSS: client certificate not found (nickname not specified)
[admin@node01 ~]$

In case of issues with validation of the server certificate, curl reports it and "-k, --insecure" option is needed to skip validation of the server cert.

Does the above test confirm that I will not be impacted?

Thanks,

Leszek

@Leszek_W yes, you should not be impacted. Please let us know if you face any issues! :)

@RAMIoT We have devices connected to IoT Hub using symmetric keys and the primary connection string. Our device is running the Java IoT Hub SDK and utilizes MQTT over WebSockets for connection. On some sites we are now facing an issue where the devices are no longer able to connect. After analyzing the logs, we see an exception happening when calling DeviceClient.open. The underlying error is CertPathValidatorException (Trust anchor for certification path not found). Any idea what could be the cause?

@norberg could you open a support request and include when you started noticing this issue? If this was a recent issue, then it likely has nothing to do with the intermediate CA rollover. We'd have to know more to ascertain cause. 

Please include these parameters:

• Issue Type: Technical
• Service: IoT SDKs
• Summary: TLS Baltimore upgrade question
• Problem type: Connectivity
• Problem subtype: Unable to connect

@RAMIoT we found the issue. It was caused by Zscaler SSL Inspection tool that is replacing the Baltimore certificate with their own certificate to allow them to inspect SSL traffic. Since our device doesn't have Zscaler certificate as a trusted root, it was failing the certificate chain validation. The customer added exclusions on our devices and everything started to work fine.

I have some issue registering the device with the dps over mqtt as well as REST, failed to register the device. Any help here?

Followed the procedure to load the root certificate and verified as well. Doing Group enrolment.

Thanks,

Pradeep

MQTT

mosquitto_pub -d --cafile /home/ubuntu/RND/edge/azure-connect/certs/BaltimoreCyberTrustRoot.crt.pem --cert /home/ubuntu/RND/edge/azure-connect/local/myiotdevice.crt --key /home/ubuntu/RND/edge/azure-connect/local/myiotdevice.key -d -h MyDemoDPS.azure-devices-provisioning.net -p 8883 -t $dps/registrations/PUT/iotdps-register/?$rid=1 -m "{\"registrationId\":\"myiotdevice\"}

Getting below error

Client mosq-Gd5s19yNghmGPQeBja sending CONNECT
Client mosq-Gd5s19yNghmGPQeBja received CONNACK (5)
Connection error: Connection Refused: not authorised.
Client mosq-Gd5s19yNghmGPQeBja sending DISCONNECT

Tried the same with the REST APIs, with curl 

curl -v -L -i -X PUT -cert /home/ubuntu/RND/edge/azure-connect/local/myiotdevice.crt -key ./myiotdevice.key -H 'Content-Type:application/json' -H 'Content-Encoding:utf-8' -d '{"registrationId":"myiotdevice"}' https://global.azure-devices-provisioning.net/0ne00211966/registrations/myiotdevice/register?api-ver... --tlsv1.2
* Closing connection -1
curl: (3) URL using bad/illegal format or missing URL
* Could not resolve host: .
* Closing connection 0
curl: (6) Could not resolve host: .
* Trying 52.163.212.39:443...
* TCP_NODELAY set
* Connected to global.azure-devices-provisioning.net (52.163.212.39) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.azure-devices-provisioning.net
* start date: Oct 30 17:29:27 2020 GMT
* expire date: Oct 30 17:29:27 2021 GMT
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft RSA TLS CA 01
* SSL certificate verify ok.
> PUT /0ne00211966/registrations/myiotdevice/register?api-version=2019-03-31 HTTP/1.1
> Host: global.azure-devices-provisioning.net
> User-Agent: curl/7.68.0
> Accept: */*
> Referer: y
> Content-Type:application/json
> Content-Encoding:utf-8
> Content-Length: 32
>
* upload completely sent off: 32 out of 32 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Date: Sat, 30 Jan 2021 13:22:20 GMT
Date: Sat, 30 Jan 2021 13:22:20 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< x-ms-request-id: b90fa549-791f-4d41-aaa9-ba315739b546
x-ms-request-id: b90fa549-791f-4d41-aaa9-ba315739b546
< Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

<
* Connection #1 to host global.azure-devices-provisioning.net left intact
{"errorCode":401002,"trackingId":"b90fa549-791f-4d41-aaa9-ba315739b546","message":"Unauthorized","timestampUtc":"2021-01-30T13:22:21.691564Z"}

Hi @PradeepKiruvalue , I see you posted the question on StackOverflow as well and Steve proposed an answer there. 

Thats right Olivier, Still the issue dint get resolved. Any suggestion will be helpful here.

It seems it is resolved on SO now, right?

Hi, Do we need to do any action on the Azure service sdk? I'm using nodejs stack.

Is it something we need to use a particular update version of the sdk which supports the new root certs or are we good wit any azure service sdk version to be used?

Hi, 

We are using Azure IoT Hub service on our IoT device with self signed device certificate(even though this is irrelevant) and we are not using the Azure IoT SDK, we have our own trustore, not using the OS provided trustore, in our trustore we have Baltimore CyberTrust Root having Thumbprint: d4de20d05e66fc53fe1a50882c78db2852cae474 and Expiration: Monday, May 12, 2025, 4:59:00 PM, we are not using any intermediate certificate for the TLS communication.

As I can understand there is no impact currently but my worry is, what happens once the Baltimore CyberTrust Root get expired on Monday, May 12, 2025, 4:59:00 PM? what is the future plan? which will be the new ROOT CA?.

As mentioned/recommended in the post, we have to use additional below mentioned ROOT CA's in IoT devices

1. Microsoft RSA Root Certificate Authority 2017
   (Thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)
2. Digicert Global Root G2
   (Thumbprint: df3c24f9bfd666761b268073fe06d1cc8d4f82a4)

What is the guarantee that post Baltimore CyberTrust Root expiration, new server certificate issued on Azure IoT Hub is either one from above mentioned ROOT CA's.

Our IoT devices are expected to be operational beyond 2025 and we can not replace or add new ROOT CA's in our device by physically or remotely. Post Baltimore CyberTrust Root expiration in case IoT Hub server certificate is issued by some other ROOT CA then our device will become non operational.

Kindly suggest the best way to address this issue.

Currently do we have any provision to use the server certificate issued by our own private KMS/self signed on the Azure IoT Hub service?

Thank you!

@RAMIoT I am trying to test the new certificates with IoT Hub you listed, but failed to resolve the host name "sdk-cert-test.azure-devices.net", could you check if this iot hub still works? Thanks.

• Connection String: HostName=sdk-cert-test.azure-devices.net;DeviceId=InvalidDevice1;SharedAccessKey=4aWn2y3hEEmLyWmvixeVl69SFzzSwXKwzkGDHsCaSZo=

Hello @RAMIoT ,

Will these certificate changes require changing to a new IoT Hub instance or can our devices continue using the same hub?  I have equipped our new devices with the recommended certificates but have not (yet) implemented a DPS client on the devices so they cannot be assigned to a new hub once they are out in the field.

Thank you for your assistance.

@Arty29 No you will not need a new hub. Your existing Hub will begin serving a certificate that is rooted to the new root (DigiCert Global G2 Root) after the migration. 

@rameshkhot The new root will be DigiCert Global G2, after which Microsoft may decide to migration to a native MSFT root as mentioned. There is no 'guarantee' per se since the world of public PKIs is mired with compliance, regulatory, and security related issues that can mandate sudden change. The only way to be future proofed in a public PKI world is to have a robust update mechanism. IoT Hub is indeed working on a feature that will allow you to use your own custom endpoint protected with whatever cert/chain you wish, but that is not going to land in time for you to take advantage of for this specific migration. Please don't hesitate in opening a support request if you need additional help. 

@all, please review the new and updated blog for this migration with the latest updates here.