1. Prepare IoT Hub and Device for this example
1.1. Developer PC - Generate Device self-signed certificates
[MUST] Please follow up tutorial-x509-self-sign
For your reference, prepare example log as below: Notice! device ID = "W5100S_EVB_PICO_X509"
MINGW64 ~
$ mkdir certi
MINGW64 ~
$ cd certi/
MINGW64 ~/certi
$ openssl genpkey -out device1.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
......................................+++++
.........................................................+++++
MINGW64 ~/certi
$ openssl req -new -key device1.key -out device1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:W5100S_EVB_PICO_X509
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
MINGW64 ~/certi
$ openssl req -text -in device1.csr -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = W5100S_EVB_PICO_X509
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bb:ba:cb:62:7a:ce:ac:4d:ff:88:c7:1a:ad:6a:
b4:6b:83:cc:30:74:94:7b:d2:8c:ed:6f:37:bf:c2:
...
ff:17:35:fb:78:d8:a8:31:04:a6:dd:89:f5:d6:fd:
a2:8e:e2:b3:62:d4:96:f2:9b:80:b5:22:4a:e2:6f:
88:e3
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
7e:de:0e:58:a6:44:c4:a6:76:12:be:a5:e0:80:35:90:ec:cb:
...
73:ca:29:5f:36:d9:cd:1c:1e:34:98:c3:9a:a8:93:ef:28:f4:
a9:45:f9:4e
MINGW64 ~/certi
$ openssl x509 -req -days 365 -in device1.csr -signkey device1.key -out device1.crt
Signature ok
subject=CN = W5100S_EVB_PICO_X509
Getting Private key
MINGW64 ~/certi
$ openssl genpkey -out device2.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
............................................................................................................................+++++
.....+++++
MINGW64 ~/certi
$ openssl req -new -key device2.key -out device2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:W5100S_EVB_PICO_X509
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
MINGW64 ~/certi
$ openssl x509 -req -days 365 -in device2.csr -signkey device2.key -out device2.crt
Signature ok
subject=CN = W5100S_EVB_PICO_X509
Getting Private key
MINGW64 ~/certi
$ openssl x509 -in device1.crt -noout -fingerprint
SHA1 Fingerprint=F3:61:90:1F:B5:76:xx:xx:xx:xx:9B:51:4F:51
MINGW64 ~/certi
$ openssl x509 -in device2.crt -noout -fingerprint
SHA1 Fingerprint=09:75:4F:7F:14:xx:xx:xx:xx:38:8B:D5:0D
MINGW64 ~/certi
$
- Provide the Device ID that matches the subject name of your two certificates. In this example, "W5100S_EVB_PICO_X509"
- Select the X.509 Self-Signed authentication type.
- Paste the hex string thumbprints that you copied from your device primary and secondary certificates. Make sure that the hex strings have no colon delimiters.
1.2. Developer PC - SDK setting
- Get the key value from files (device1.crt, device1.key) as below:
- Edit pico-azure-iot-sdk-c/application/sample_certs.c with generated certificates as upper. Connection string for this example is "HostName=twarelabhub.azure-devices.net;DeviceId=W5100S_EVB_PICO_X509;x509=true"
- Select example in main.c
In the following pico-azure-iot-sdk-c/application/main.c source file, find the line similar to this and replace it as you want:
(...)
// The application you wish to use should be uncommented
//
//#define APP_TELEMETRY
//#define APP_C2D
#define APP_CLI_X509
//#define APP_PROV_X509
(...)
// The application you wish to use DHCP mode should be uncommented
#define _DHCP
static wiz_NetInfo g_net_info =
{
.mac = {0x00, 0x08, 0xDC, 0x12, 0x34, 0x11}, // MAC address
.ip = {192, 168, 3, 111}, // IP address
.sn = {255, 255, 255, 0}, // Subnet Mask
.gw = {192, 168, 3, 1}, // Gateway
.dns = {8, 8, 8, 8}, // DNS server
#ifdef _DHCP
.dhcp = NETINFO_DHCP // DHCP enable/disable
#else
// this example uses static IP
.dhcp = NETINFO_STATIC
#endif
1.3. Developer PC - Build
Run make command
1.4. Developer PC - Serial terminal open
Open "COM" port to see debug code
1.5. Azure portal
Add device in your Azure IoT Hub
Create a device with X.509 Self-Signed
- Copy fingerprint string as desribed 1.1. Developer PC - Generate Device self-signed certificates
Check the device in the "device list"
1.6. Developer PC - Azure IoT Explorer (preview) setting
Click the device name created in the previous section
Go to "Telemetry" menu and click "Start"
Wait for incoming messages
2. Run the example code
2.1. copy main.uf2 file into your Pico board
2.2. Serial terminal log
Connect to Azure IoT Hub and start to verify the device with X.509 authentication
Send messages to Azure IoT Hub
2.3. Azure IoT Explorer (preview) log
You can see the incoming messages from your IoT device