Question
I have to enroll multiple devices in Azure Device Provisioning Service and I am using group enrollment to achieve this. I have created a self-signed X.509 certificate and an enrollment group too. I registered a simulated device to the group using the sample code. I want to create another simulated device with the same certificate and enroll it in the group. Is that possible? The inputs to the sample app are the ID scope of the Device Provisioning Service and the certificate. How can I add another device?
```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.Azure.Devices.Provisioning.Client;
using Microsoft.Azure.Devices.Provisioning.Client.Transport;

namespace Microsoft.Azure.Devices.Provisioning.Client.Samples
{
    // Tail of the ProvisioningDeviceClientX509 sample's Program class as posted.
    // The fields, the argument parsing and the transport handler are part of the
    // sample but were cut from the paste; they are restored here so it compiles.
    // ProvisioningDeviceClientSample is a separate class in the same sample.
    public static class Program
    {
        private const string GlobalDeviceEndpoint = "global.azure-devices-provisioning.net";
        private const string s_certificateFileName = "certificate.pfx";
        private static string s_idScope;

        public static int Main(string[] args)
        {
            if (string.IsNullOrWhiteSpace(s_idScope) && (args.Length > 0))
            {
                s_idScope = args[0];
            }

            if (string.IsNullOrWhiteSpace(s_idScope))
            {
                Console.WriteLine("ProvisioningDeviceClientX509 <IDScope>");
                return 1;
            }

            // One PFX = one leaf certificate + private key = one device identity.
            X509Certificate2 certificate = LoadProvisioningCertificate();
            using (var security = new SecurityProviderX509Certificate(certificate))
            using (var transport = new ProvisioningTransportHandlerMqtt(TransportFallbackType.TcpOnly))
            {
                ProvisioningDeviceClient provClient =
                    ProvisioningDeviceClient.Create(GlobalDeviceEndpoint, s_idScope, security, transport);
                var sample = new ProvisioningDeviceClientSample(provClient, security);
                sample.RunSampleAsync().GetAwaiter().GetResult();
            }
            return 0;
        }

        // Loads the PFX and returns the first certificate that carries a private key;
        // any other certificates in the bundle (e.g. the root) are disposed.
        private static X509Certificate2 LoadProvisioningCertificate()
        {
            string certificatePassword = ReadCertificatePassword();
            var certificateCollection = new X509Certificate2Collection();
            certificateCollection.Import(s_certificateFileName, certificatePassword, X509KeyStorageFlags.UserKeySet);

            X509Certificate2 certificate = null;
            foreach (X509Certificate2 element in certificateCollection)
            {
                Console.WriteLine($"Found certificate: {element?.Thumbprint} {element?.Subject}; PrivateKey: {element?.HasPrivateKey}");
                if (certificate == null && element.HasPrivateKey)
                {
                    certificate = element;
                }
                else
                {
                    element.Dispose();
                }
            }

            if (certificate == null)
            {
                throw new FileNotFoundException($"{s_certificateFileName} did not contain any certificate with a private key.");
            }
            else
            {
                Console.WriteLine($"Using certificate {certificate.Thumbprint} {certificate.Subject}");
            }
            return certificate;
        }

        // Reads the PFX password from the console without echoing it.
        private static string ReadCertificatePassword()
        {
            var password = new StringBuilder();
            Console.WriteLine($"Enter the PFX password for {s_certificateFileName}:");

            while (true)
            {
                ConsoleKeyInfo key = Console.ReadKey(true);
                if (key.Key == ConsoleKey.Backspace)
                {
                    if (password.Length > 0)
                    {
                        password.Remove(password.Length - 1, 1);
                        Console.Write("\b \b");
                    }
                }
                else if (key.Key == ConsoleKey.Enter)
                {
                    Console.WriteLine();
                    break;
                }
                else
                {
                    Console.Write('*');
                    password.Append(key.KeyChar);
                }
            }
            return password.ToString();
        }
    }
}
```
Answer 1:
Client-side authentication (X.509 for verifying the party) implemented in Azure needs each end node to have a unique leaf certificate and private key, kind of like a public/private key pair.
This key pair is used to verify that the party is who it says it is.
Each end node must possess a unique key pair to do so. This key pair is generated from a trusted certificate chain, and the generated key pair is known as a leaf.
The certificate chain can be either CA-signed or self-signed (self-signed is only for development/testing purposes, not suitable for production).
In this chain you have a root certificate from which you generate leaves. You can generate as many leaves as you want within a chain. Each unique leaf can be used as a key pair for each device.
For your case, you can use OpenSSL to generate a self-signed root certificate, and then generate as many self-signed leaves as you need for all your devices.
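The root-plus-leaves layout the answer describes, as an added example (not from the question, the answer or the Azure sample) using OpenSSL in a POSIX shell. It assumes the leaf CN is the device's DPS registration ID, a 30-day leaf lifetime, and a PFX per device with the password given as an argument; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the question or answer): a dev/test root CA plus one
# leaf key pair per device for a DPS enrollment group, using only openssl.
# Assumptions: leaf CN = the device's DPS registration ID (what DPS takes as
# the registration ID for group enrollments), RSA-2048 keys, and a PFX bundle
# per device for the .NET sample's X509Certificate2Collection.Import.

# make_root_ca DIR : self-signed root key + cert (DIR/root.key, DIR/root.pem).
make_root_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Dev Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# make_device_cert DIR REGISTRATION_ID PFX_PASSWORD : a fresh key pair and a
# root-signed leaf for one device; a leaf is never shared between devices.
make_device_cert() {
  dir="$1"; rid="$2"; pw="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$rid" \
    -keyout "$dir/$rid.key" -out "$dir/$rid.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/$rid.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/$rid.pem" 2>/dev/null
  # PFX = leaf cert + its private key (+ root), the file the sample loads.
  openssl pkcs12 -export -inkey "$dir/$rid.key" -in "$dir/$rid.pem" \
    -certfile "$dir/root.pem" -passout "pass:$pw" -out "$dir/$rid.pfx"
}

# verify_device_cert DIR REGISTRATION_ID : returns 0 only if the leaf chains
# to DIR/root.pem and its CN is exactly the registration ID.
verify_device_cert() {
  dir="$1"; rid="$2"
  openssl verify -CAfile "$dir/root.pem" "$dir/$rid.pem" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$dir/$rid.pem" -noout -subject -nameopt RFC2253)
  [ "$subj" = "subject=CN=$rid" ]
}

# cert_fingerprint DIR REGISTRATION_ID : SHA-256 fingerprint of the leaf.
cert_fingerprint() {
  openssl x509 -in "$1/$2.pem" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Each device gets its own `.pfx`, so the sample above is run once per device with that device's file and password; the root (not the leaves) is what gets uploaded to the enrollment group.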
Source: https://stackoverflow.com/questions/53946286/using-same-x509-certificate-for-multiple-devices-in-azure-device-provisioning-se