[Azure IoT Edge] Secure device certificate and key


I have a software solution for IoT Edge, i.e. I have an exe and an rpm installer that consist of the edge installation. The exe and the rpm will be installed on Windows and Linux machines respectively.

I need to secure my edge device cert and private key on the Windows and Linux machine, so that, if compromised, there is at least one level of security rather than none.

Possible solutions I was thinking of:

Fetch a .pfx file from PKI and use that in the edge config.toml. I think edge doesn't work with a .pfx file and it needs the cert and private key to connect to IoT Hub. Also I didn't see any option in config.toml to mention the passphrase of the pfx file so that edge can decrypt the pfx file itself. Please confirm whether this understanding is correct or not.

I was thinking of having my own custom encryption algorithm to encrypt the cert and private key and decrypt them during the installation process of edge before doing the provisioning. Once provisioning is done by the edge device, I will delete the decrypted files. My question on this is: does edge require the certificate again at any time? I think the provisioning is done only once and not again and again, and the cert and private key are meant for provisioning only.

I was thinking of rotating my certs and key every 5 days. I know the device will reconnect using the new cert and key, but what if someone uses the old cert and key and tries to provision the device? Will that also provision, as logically the cert chain of the old cert is the same as the new one?

Note: I don't have access to the Windows or Linux machine, as that belongs to the end customer, so I don't have the option to save the cert and key file in a TPM or HSM.

Sampath
  • Azure IoT accepts certificates as .pem or .cer files. We can convert a .pfx file to a .pem or .cer file.

To convert a certificate to CERT:

 # Load the .pfx bundle; Get-PfxCertificate prompts for its passphrase
 $cert = Get-PfxCertificate -FilePath "C:\Path\to\certificate.pfx"
 $certFilePath = "C:\Path\to\certificate.cer"
 Export-Certificate -Cert $cert -FilePath $certFilePath -Type CERT   # DER-encoded certificate only; the private key is not exported


  • We can use thumbprint authentication with Azure IoT Edge.

  • Sample code used for connecting to Azure IoT Hub with a thumbprint:

using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;   // NuGet package: Microsoft.Azure.Devices.Client

class Program
{
    static async Task Main(string[] args)
    {
        // Thumbprint of the device certificate installed in the user's personal store
        var thumbprint = "F1B818DD16E92042022622AD6777E4030C207E59";

        // The device id ("sam") must match the device registered in the hub; the SDK
        // presents the certificate as the TLS client certificate on each connection
        var auth = new DeviceAuthenticationWithX509Certificate("sam", GetCertificateByThumbprint(thumbprint));

        var DClnt = DeviceClient.Create("sampath123.azure-devices.net", auth, TransportType.Mqtt);

        try
        {
            var msg = new Message(Encoding.ASCII.GetBytes("Test message"));
            await DClnt.SendEventAsync(msg);
            Console.WriteLine("Message sent successfully!");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Failed to send message: {ex.Message}");
        }
        finally
        {
            await DClnt.CloseAsync();
        }
    }

    // Looks the certificate up in the CurrentUser\My store; the private key stays in
    // the store's key container, so no separate key file has to exist on disk
    private static X509Certificate2 GetCertificateByThumbprint(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false also returns certificates whose chain does not validate locally
        X509Certificate2Collection certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        store.Close();

        if (certCollection.Count == 0)
        {
            throw new Exception($"Certificate with thumbprint '{thumbprint}' not found.");
        }

        return certCollection[0];
    }
}

  • After provisioning with Azure IoT Hub (or) reconnecting with the new cert and key, we can use the new one only.

(Screenshots of the provisioned device and of monitoring in Azure omitted.)
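The .pfx conversion mentioned in the answer and asked about in the question's first point, carried through as an added example that is not code from the original question or answer: a POSIX shell script that splits a PKCS#12 (.pfx) bundle into the PEM certificate and unencrypted PEM private key that the IoT Edge config.toml `identity_cert` / `identity_pk` settings point at (config.toml has no passphrase field, so the key file on disk is stored decrypted, which is why its permissions matter), checks that the key belongs to the certificate, locks the key file down to its owner, and prints the manual X.509 `[provisioning]` section. The output file names, the `PFX_PASS` environment variable carrying the bundle passphrase, and the hub and device names in the demo are assumptions for illustration; the demo builds a throwaway self-signed certificate and bundle so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Splits a PKCS#12 (.pfx) bundle into the two PEM files that the IoT Edge
# config.toml settings identity_cert / identity_pk point at, verifies that the
# key matches the certificate, and prints a manual X.509 [provisioning] section.
# Assumed for illustration: the output file names, the PFX_PASS environment
# variable holding the bundle passphrase, and the hub/device names in the demo.
set -eu

# pfx_to_pem <bundle.pfx> <out-dir>
# Reads the bundle passphrase from $PFX_PASS (not from the command line, which
# other local users could read in the process list). Prints the certificate path.
pfx_to_pem() {
    pfx=$1; outdir=$2
    cert=$outdir/device-id.pem
    key=$outdir/device-id.key.pem
    mkdir -p "$outdir"
    # Create both files with no group/world permissions, then widen only the cert
    (
        umask 077
        # leaf certificate only (no CA chain, no key); openssl x509 strips the bag attributes
        openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys | openssl x509 -out "$cert"
        # private key, written unencrypted (-nodes): config.toml has no passphrase
        # field, so the identity service must be able to read the key file as-is
        openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes | openssl pkey -out "$key"
    )
    chmod 0644 "$cert"
    chmod 0600 "$key"
    printf '%s\n' "$cert"
}

# key_matches_cert <cert.pem> <key.pem>
# Succeeds only if the public key inside the certificate equals the key's public half.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# provisioning_toml <iothub-hostname> <device-id> <cert.pem> <key.pem>
# Prints the manual X.509 provisioning section for /etc/aziot/config.toml
# (paths must be absolute so that file://<path> yields file:///...).
provisioning_toml() {
    cat <<EOF
[provisioning]
source = "manual"
iothub_hostname = "$1"
device_id = "$2"

[provisioning.authentication]
method = "x509"
identity_cert = "file://$3"
identity_pk = "file://$4"
EOF
}

# Demo: build a throwaway self-signed certificate and bundle (constructed sample
# input), then convert it. Run as: PFX_PASS=secret sh pfx_to_pem.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=device-01" \
        -keyout "$work/k.pem" -out "$work/c.pem" 2>/dev/null
    openssl pkcs12 -export -in "$work/c.pem" -inkey "$work/k.pem" \
        -passout env:PFX_PASS -out "$work/device-01.pfx"
    cert=$(pfx_to_pem "$work/device-01.pfx" "$work/out")
    key=$work/out/device-id.key.pem
    key_matches_cert "$cert" "$key" && echo "key matches certificate"
    provisioning_toml "example-hub.azure-devices.net" "device-01" "$cert" "$key"
fi
```

The same openssl commands work on Windows (Git for Windows or an OpenSSL build), so one conversion step serves both installers; the key file ends up readable only by its owner, which is the minimum the question asks for when the device has no TPM or HSM to hold the key instead.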