How to do proof-of-possession for X.509 CA certificates with your Device Provisioning Service

A verified X.509 Certificate Authority (CA) certificate is a CA certificate that has been uploaded and registered to your provisioning service and has gone through proof-of-possession with the service.

Proof-of-possession involves the following steps:

  1. Get a unique verification code generated by the provisioning service for your X.509 CA certificate. You can do this from the Azure portal.
  2. Create an X.509 verification certificate with the verification code as its subject and sign the certificate with the private key associated with your X.509 CA certificate.
  3. Upload the signed verification certificate to the service. The service validates the verification certificate using the public portion of the CA certificate to be verified, thus proving that you are in possession of the CA certificate's private key.

Verified certificates play an important role when using enrollment groups. Verifying certificate ownership provides an additional security layer by ensuring that the uploader of the certificate is in possession of the certificate's private key. Verification prevents a malicious actor sniffing your traffic from extracting an intermediate certificate and using that certificate to create an enrollment group in their own provisioning service, effectively hijacking your devices. By proving ownership of the root or an intermediate certificate in a certificate chain, you're proving that you have permission to generate leaf certificates for the devices that will be registering as a part of that enrollment group. For this reason, the root or intermediate certificate configured in an enrollment group must either be a verified certificate or must roll up to a verified certificate in the certificate chain a device presents when it authenticates with the service. To learn more about enrollment groups, see X.509 certificates and Controlling device access to the provisioning service with X.509 certificates.

Register the public part of an X.509 certificate and get a verification code

To register a CA certificate with your provisioning service and get a verification code that you can use during proof-of-possession, follow these steps.

  1. In the Azure portal, navigate to your provisioning service and open Certificates from the left-hand menu.

  2. Click Add to add a new certificate.

  3. Enter a friendly display name for your certificate. Browse to the .cer or .pem file that represents the public part of your X.509 certificate. Click Upload.

  4. Once you get a notification that your certificate is successfully uploaded, click Save.

    Screenshot: Upload certificate

    Your certificate will show in the Certificate Explorer list. Note that the STATUS of this certificate is Unverified.

  5. Click on the certificate that you added in the previous step.

  6. In Certificate Details, click Generate Verification Code.

  7. The provisioning service creates a Verification Code that you can use to validate the certificate ownership. Copy the code to your clipboard.

    Screenshot: Verify certificate

Digitally sign the verification code to create a verification certificate

Now, you need to sign the Verification Code with the private key associated with your X.509 CA certificate, which generates a signature. This is known as proof-of-possession and results in a signed verification certificate.

Microsoft provides tools and samples that can help you create a signed verification certificate:

  • The Azure IoT Hub C SDK provides PowerShell (Windows) and Bash (Linux) scripts to help you create CA and leaf certificates for development and to perform proof-of-possession using a verification code. You can download the files relevant to your system to a working folder and follow the instructions in the Managing CA certificates readme to perform proof-of-possession on a CA certificate.
  • The Azure IoT Hub C# SDK contains the Group Certificate Verification Sample, which you can use to do proof-of-possession.

Important

In addition to performing proof-of-possession, the PowerShell and Bash scripts cited previously also allow you to create root certificates, intermediate certificates, and leaf certificates that can be used to authenticate and provision devices. These certificates should be used for development only. They should never be used in a production environment.

The PowerShell and Bash scripts provided in the documentation and SDKs rely on OpenSSL. You may also use OpenSSL or other third-party tools to help you do proof-of-possession. For more information about tooling provided with the SDKs, see How to use tools provided in the SDKs.
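The following script is an added example, not one of the SDK scripts or the C# sample, that reproduces the proof-of-possession flow with plain OpenSSL: it builds a development-only CA, issues the verification certificate whose subject CN is the verification code (step 2 above), and then performs the check the service performs in step 3, validating that certificate against the public CA certificate and comparing the subject to the code it issued. The verification code, file names and working directory are constructed placeholders; in practice the code comes from the portal and the CA key is the one you already hold.

```shell
#!/bin/sh
# Added example (not from the Azure docs or SDKs): proof-of-possession with plain OpenSSL.
set -e

# Working directory for constructed key material (placeholder, overridable).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Development-only CA. $1 = file prefix (writes $1.key and $1.pem).
# Never use a CA generated like this in production.
make_dev_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=Dev Root CA (example)" >/dev/null 2>&1
}

# Step 2: create the verification certificate. Its subject CN is the verification
# code and it is signed with the CA private key. The verification cert's own key
# is throwaway; only the CA signature matters for proof-of-possession.
# $1 = verification code, $2 = CA prefix, $3 = output cert path
make_verification_cert() {
  code="$1"; ca="$2"; out="$3"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out.key" -out "$out.csr" -subj "/CN=$code" >/dev/null 2>&1
  openssl x509 -req -in "$out.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 1 -out "$out" >/dev/null 2>&1
}

# Step 3, as the service does it: the signature must validate against the
# public CA certificate AND the subject must carry the code the service issued.
# Returns 0 on success, 1 on either failure.
# $1 = expected code, $2 = CA public cert (.pem), $3 = verification cert
check_verification_cert() {
  code="$1"; cafile="$2"; cert="$3"
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  case "$subj" in
    *"CN=$code") return 0 ;;
    *) return 1 ;;
  esac
}

demo() {
  code="EXAMPLE-VERIFICATION-CODE-0123456789"   # constructed placeholder
  make_dev_ca "$WORKDIR/ca"
  make_verification_cert "$code" "$WORKDIR/ca" "$WORKDIR/verify.pem"
  if check_verification_cert "$code" "$WORKDIR/ca.pem" "$WORKDIR/verify.pem"; then
    echo "verification certificate accepted: CA possession proven"
  else
    echo "verification certificate rejected"
  fi
}

# Run the demo only when asked, so the functions can also be sourced.
if [ -n "${RUN_DEMO:-}" ]; then demo; fi
```

Two failure modes the check covers: a certificate with the right subject but signed by some other key fails `openssl verify`, and a certificate legitimately signed by the CA but carrying a stale or wrong code fails the subject comparison. Both are rejected, which is exactly why a verified certificate proves control of the private key rather than mere access to the public part.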

Upload the signed verification certificate

  1. Upload the resulting signature as a verification certificate to your provisioning service in the portal. In Certificate Details on the Azure portal, use the File Explorer icon next to the Verification Certificate .pem or .cer file field to upload the signed verification certificate from your system.

  2. Once the certificate is successfully uploaded, click Verify. The STATUS of your certificate changes to Verified in the Certificate Explorer list. Click Refresh if it does not update automatically.

    Screenshot: Upload certificate verification

Next steps