Create demo certificates to test IoT Edge device features

IoT Edge devices require certificates for secure communication between the runtime, the modules, and any downstream devices. If you don't have a certificate authority to create the required certificates, you can use demo certificates to try out IoT Edge features in your test environment. This article describes the functionality of the certificate generation scripts that IoT Edge provides for testing.

These certificates expire in 30 days and must not be used in any production scenario.

You can create certificates on any machine and then copy them over to your IoT Edge device. It's easier to use your primary machine to create the certificates than to generate them on the IoT Edge device itself. By using your primary machine, you can set up the scripts once and then use them to create certificates for multiple devices.

Follow these steps to create demo certificates for testing your IoT Edge scenario:

  1. Set up the certificate generation scripts on your machine.
  2. Create the root CA certificate that you use to sign all the other certificates for your scenario.
  3. Generate the certificates you need for the scenario you want to test: IoT Edge device identity certificates, IoT Edge device CA certificates, or downstream device certificates.

Prerequisites

A development machine with Git installed.

Set up scripts

The IoT Edge repository on GitHub includes certificate generation scripts that you can use to create demo certificates. This section provides instructions for preparing the scripts to run on your computer, either on Windows or Linux. If you're on a Linux machine, skip ahead to Set up on Linux.

Set up on Windows

To create demo certificates on a Windows device, you need to install OpenSSL and then clone the generation scripts and set them up to run locally in PowerShell.

Install OpenSSL

Install OpenSSL for Windows on the machine that you're using to generate the certificates. If you already have OpenSSL installed on your Windows device, ensure that openssl.exe is available in your PATH environment variable.

There are several ways to install OpenSSL, including the following options:

  • Easier: Download and install any third-party OpenSSL binaries, for example, from OpenSSL on SourceForge. Because these binaries will generate your private keys, check the download against the hash or signature the publisher provides before installing. Add the full path to openssl.exe to your PATH environment variable.

  • Recommended: Download the OpenSSL source code and build the binaries on your machine yourself, or build them via vcpkg. The instructions below use vcpkg to download the source code and then compile and install OpenSSL on your Windows machine.

    1. Navigate to a directory where you want to install vcpkg. Follow the instructions to download and install vcpkg.

    2. Once vcpkg is installed, run the following command from a PowerShell prompt to install the OpenSSL package for Windows x64. The installation typically takes about 5 minutes to complete.

      .\vcpkg install openssl:x64-windows

    3. Add <vcpkg path>\installed\x64-windows\tools\openssl to your PATH environment variable so that openssl.exe can be invoked.

Prepare scripts in PowerShell

The Azure IoT Edge git repository contains scripts that you can use to generate test certificates. In this section, you clone the IoT Edge repo and load the scripts into your PowerShell session.

  1. Open a PowerShell window in administrator mode.

  2. Clone the IoT Edge git repo, which contains the scripts to generate demo certificates. Use the git clone command or download the ZIP.

    git clone https://github.com/Azure/iotedge.git

  3. Navigate to the directory in which you want to work. Throughout this article, we'll call this directory <WRKDIR>. All certificates and keys will be created in this working directory.

  4. Copy the configuration and script files from the cloned repo into your working directory.

    copy <path>\iotedge\tools\CACertificates\*.cnf .
    copy <path>\iotedge\tools\CACertificates\ca-certs.ps1 .

    If you downloaded the repo as a ZIP, the folder name is iotedge-master and the rest of the path is the same.

  5. Enable PowerShell to run the scripts. This changes the execution policy for the current user only; you can tighten it again once the certificates are generated.

    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

  6. Bring the functions used by the scripts into PowerShell's global namespace.

    . .\ca-certs.ps1

    The PowerShell window displays a warning that the certificates generated by this script are only for testing purposes and should not be used in production scenarios.

  7. Verify that OpenSSL is installed correctly and that there won't be name collisions with existing certificates. If there are problems, the script output should describe how to fix them on your system.

    Test-CACertsPrerequisites

Set up on Linux

To create demo certificates on a Linux device, you need to clone the generation scripts and set them up to run locally in bash. The script calls openssl, so OpenSSL must be installed and on your PATH.

  1. Clone the IoT Edge git repo, which contains the scripts to generate demo certificates.

    git clone https://github.com/Azure/iotedge.git

  2. Navigate to the directory in which you want to work. We'll refer to this directory throughout the article as <WRKDIR>. All certificate and key files will be created in this directory.

  3. Copy the config and script files from the cloned IoT Edge repo into your working directory.

    cp <path>/iotedge/tools/CACertificates/*.cnf .
    cp <path>/iotedge/tools/CACertificates/certGen.sh .

Create root CA certificate

The root CA certificate is used to make all the other demo certificates for testing an IoT Edge scenario. You can keep using the same root CA certificate to make demo certificates for multiple IoT Edge or downstream devices.

If you already have a root CA certificate in your working folder, don't create a new one. The new root CA certificate overwrites the old one, and any certificates issued under the old root will no longer chain to the root that IoT Hub or your devices trust, so they stop working. If you want multiple root CA certificates, be sure to manage them in separate folders.

Before proceeding with the steps in this section, follow the steps in the Set up scripts section to prepare a working directory with the demo certificate generation scripts.

Windows

  1. Navigate to the working directory where you placed the certificate generation scripts.

  2. Create the root CA certificate and have it sign one intermediate certificate. The certificates are all placed in your working directory.

    New-CACertsCertChain rsa

    This script command creates several certificate and key files, but when articles ask for the root CA certificate, use the following file:

    • <WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem

Linux

  1. Navigate to the working directory where you placed the certificate generation scripts.

  2. Create the root CA certificate and one intermediate certificate.

    ./certGen.sh create_root_and_intermediate

    This script command creates several certificate and key files, but when articles ask for the root CA certificate, use the following file:

    • <WRKDIR>/certs/azure-iot-test-only.root.ca.cert.pem

Create IoT Edge device identity certificates

Device identity certificates are used to provision IoT Edge devices through the Azure IoT Hub Device Provisioning Service (DPS).

Device identity certificates go in the Provisioning section of the config.yaml file on the IoT Edge device.

Before proceeding with the steps in this section, follow the steps in the Set up scripts and Create root CA certificate sections.

Windows

Create the IoT Edge device identity certificate and private key with the following command:

New-CACertsEdgeDeviceIdentity "<name>"

The name that you pass in to this command will be the device ID for the IoT Edge device in IoT Hub.

The new device identity command creates several certificate and key files, including three that you'll use when creating an individual enrollment in DPS and installing the IoT Edge runtime:

  • <WRKDIR>\certs\iot-edge-device-identity-<name>-full-chain.cert.pem
  • <WRKDIR>\certs\iot-edge-device-identity-<name>.cert.pem
  • <WRKDIR>\private\iot-edge-device-identity-<name>.key.pem

Linux

Create the IoT Edge device identity certificate and private key with the following command:

./certGen.sh create_edge_device_identity_certificate "<name>"

The name that you pass in to this command will be the device ID for the IoT Edge device in IoT Hub.

The script creates several certificate and key files, including three that you'll use when creating an individual enrollment in DPS and installing the IoT Edge runtime:

  • <WRKDIR>/certs/iot-edge-device-identity-<name>-full-chain.cert.pem
  • <WRKDIR>/certs/iot-edge-device-identity-<name>.cert.pem
  • <WRKDIR>/private/iot-edge-device-identity-<name>.key.pem

Create IoT Edge device CA certificates

Every IoT Edge device going to production needs a device CA certificate that's referenced from the config.yaml file. The device CA certificate is responsible for creating certificates for the modules running on the device. It's also necessary for gateway scenarios, because the device CA certificate is how the IoT Edge device proves its identity to downstream devices.

Device CA certificates go in the Certificate section of the config.yaml file on the IoT Edge device.

Before proceeding with the steps in this section, follow the steps in the Set up scripts and Create root CA certificate sections.

Windows

  1. Navigate to the working directory that has the certificate generation scripts and root CA certificate.

  2. Create the IoT Edge device CA certificate and private key with the following command. Provide a name for the CA certificate.

    New-CACertsEdgeDevice "<CA cert name>"

    This command creates several certificate and key files. The following certificate and key pair needs to be copied over to the IoT Edge device and referenced in the config.yaml file:

    • <WRKDIR>\certs\iot-edge-device-<CA cert name>-full-chain.cert.pem
    • <WRKDIR>\private\iot-edge-device-<CA cert name>.key.pem

The name passed to the New-CACertsEdgeDevice command must not be the same as the hostname parameter in config.yaml or the device's ID in IoT Hub.

Linux

  1. Navigate to the working directory that has the certificate generation scripts and root CA certificate.

  2. Create the IoT Edge device CA certificate and private key with the following command. Provide a name for the CA certificate.

    ./certGen.sh create_edge_device_ca_certificate "<CA cert name>"

    This script command creates several certificate and key files. The following certificate and key pair needs to be copied over to the IoT Edge device and referenced in the config.yaml file:

    • <WRKDIR>/certs/iot-edge-device-<CA cert name>-full-chain.cert.pem
    • <WRKDIR>/private/iot-edge-device-<CA cert name>.key.pem

The name passed to the create_edge_device_ca_certificate command must not be the same as the hostname parameter in config.yaml or the device's ID in IoT Hub.

Create downstream device certificates

If you're setting up a downstream IoT device for a gateway scenario and want to use X.509 authentication, you can generate demo certificates for the downstream device. If you want to use symmetric key authentication, you don't need to create additional certificates for the downstream device.

There are two ways to authenticate an IoT device using X.509 certificates: with self-signed certificates or with certificate authority (CA) signed certificates. For X.509 self-signed authentication, sometimes referred to as thumbprint authentication, you create new certificates to place on your IoT device and share their thumbprints with IoT Hub; IoT Hub matches the presented certificate against the registered thumbprints. For X.509 CA-signed authentication, you register a root CA certificate in IoT Hub and use it (directly or through an intermediate) to sign certificates for your IoT devices. Any device presenting a certificate issued by that root CA or by one of its intermediate certificates is permitted to authenticate, so the private key of that CA has to be protected accordingly.

The certificate generation scripts can help you make demo certificates to test out either of these authentication scenarios.

Before proceeding with the steps in this section, follow the steps in the Set up scripts and Create root CA certificate sections.

Self-signed certificates

When you authenticate an IoT device with self-signed certificates, you create device certificates based on the root CA certificate for your solution. Then you retrieve a hexadecimal "fingerprint" from each certificate to provide to IoT Hub. Your IoT device also needs a copy of its device certificates so that it can authenticate with IoT Hub. With this method IoT Hub only compares thumbprints; it does not validate the chain, which is why a certificate signed by the demo CA works here even though the method is called self-signed.

Windows

  1. Navigate to the working directory that has the certificate generation scripts and root CA certificate.

  2. Create two certificates (primary and secondary) for the downstream device. An easy naming convention is to use the name of the IoT device followed by the primary or secondary label. For example:

    New-CACertsDevice "<device name>-primary"
    New-CACertsDevice "<device name>-secondary"

    This script command creates several certificate and key files. The following certificate and key pairs need to be copied over to the downstream IoT device and referenced in the applications that connect to IoT Hub. The .pfx files are PKCS#12 bundles that include the private key, so protect them like the .key.pem files:

    • <WRKDIR>\certs\iot-device-<device name>-primary-full-chain.cert.pem
    • <WRKDIR>\certs\iot-device-<device name>-secondary-full-chain.cert.pem
    • <WRKDIR>\certs\iot-device-<device name>-primary.cert.pem
    • <WRKDIR>\certs\iot-device-<device name>-secondary.cert.pem
    • <WRKDIR>\certs\iot-device-<device name>-primary.cert.pfx
    • <WRKDIR>\certs\iot-device-<device name>-secondary.cert.pfx
    • <WRKDIR>\private\iot-device-<device name>-primary.key.pem
    • <WRKDIR>\private\iot-device-<device name>-secondary.key.pem
  3. Retrieve the SHA1 fingerprint (called a thumbprint in IoT Hub contexts) from each certificate. The fingerprint is a string of 40 hexadecimal characters. Use the following openssl command to view the certificate and find the fingerprint:

    openssl x509 -in <WRKDIR>\certs\iot-device-<device name>-primary.cert.pem -text -fingerprint

    Run this command twice, once for the primary certificate and once for the secondary certificate. openssl prints the fingerprint with colons between the bytes; remove them before entering the value. You provide fingerprints for both certificates when you register a new IoT device using self-signed X.509 certificates.

Linux

  1. Navigate to the working directory that has the certificate generation scripts and root CA certificate.

  2. Create two certificates (primary and secondary) for the downstream device. An easy naming convention is to use the name of the IoT device followed by the primary or secondary label. For example:

    ./certGen.sh create_device_certificate "<device name>-primary"
    ./certGen.sh create_device_certificate "<device name>-secondary"

    This script command creates several certificate and key files. The following certificate and key pairs need to be copied over to the downstream IoT device and referenced in the applications that connect to IoT Hub. The .pfx files are PKCS#12 bundles that include the private key, so protect them like the .key.pem files:

    • <WRKDIR>/certs/iot-device-<device name>-primary-full-chain.cert.pem
    • <WRKDIR>/certs/iot-device-<device name>-secondary-full-chain.cert.pem
    • <WRKDIR>/certs/iot-device-<device name>-primary.cert.pem
    • <WRKDIR>/certs/iot-device-<device name>-secondary.cert.pem
    • <WRKDIR>/certs/iot-device-<device name>-primary.cert.pfx
    • <WRKDIR>/certs/iot-device-<device name>-secondary.cert.pfx
    • <WRKDIR>/private/iot-device-<device name>-primary.key.pem
    • <WRKDIR>/private/iot-device-<device name>-secondary.key.pem
  3. Retrieve the SHA1 fingerprint (called a thumbprint in IoT Hub contexts) from each certificate. The fingerprint is a string of 40 hexadecimal characters. Use the following openssl command to view the certificate and find the fingerprint; the sed filter strips the colons that openssl inserts between the bytes:

    openssl x509 -in <WRKDIR>/certs/iot-device-<device name>-primary.cert.pem -text -fingerprint | sed 's/[:]//g'

    You provide both the primary and secondary fingerprint when you register a new IoT device using self-signed X.509 certificates.

CA-signed certificates

When you authenticate an IoT device with CA-signed certificates, you upload the root CA certificate for your solution to IoT Hub. Then you perform a verification to prove to IoT Hub that you own the root CA certificate: IoT Hub gives you a verification code, and you sign a certificate whose subject is that code with the root CA's private key. Finally, you use the same root CA certificate to create device certificates to put on your IoT device so that it can authenticate with IoT Hub.

The certificates in this section are for the steps in Set up X.509 security in your Azure IoT hub.

Windows

  1. Upload the root CA certificate file from your working directory, <WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem, to your IoT hub.

  2. Use the code provided in the Azure portal to verify that you own that root CA certificate.

    New-CACertsVerificationCert "<verification code>"

  3. Create a certificate chain for your downstream device. Use the same device ID that the device is registered with in IoT Hub.

    New-CACertsDevice "<device id>"

    This script command creates several certificate and key files. The following certificates and key need to be copied over to the downstream IoT device and referenced in the applications that connect to IoT Hub. The .pfx file is a PKCS#12 bundle that includes the private key, so protect it like the .key.pem file:

    • <WRKDIR>\certs\iot-device-<device id>.cert.pem
    • <WRKDIR>\certs\iot-device-<device id>.cert.pfx
    • <WRKDIR>\certs\iot-device-<device id>-full-chain.cert.pem
    • <WRKDIR>\private\iot-device-<device id>.key.pem

Linux

  1. Upload the root CA certificate file from your working directory, <WRKDIR>/certs/azure-iot-test-only.root.ca.cert.pem, to your IoT hub.

  2. Use the code provided in the Azure portal to verify that you own that root CA certificate.

    ./certGen.sh create_verification_certificate "<verification code>"

  3. Create a certificate chain for your downstream device. Use the same device ID that the device is registered with in IoT Hub.

    ./certGen.sh create_device_certificate "<device id>"

    This script command creates several certificate and key files. The following certificates and key need to be copied over to the downstream IoT device and referenced in the applications that connect to IoT Hub. The .pfx file is a PKCS#12 bundle that includes the private key, so protect it like the .key.pem file:

    • <WRKDIR>/certs/iot-device-<device id>.cert.pem
    • <WRKDIR>/certs/iot-device-<device id>.cert.pfx
    • <WRKDIR>/certs/iot-device-<device id>-full-chain.cert.pem
    • <WRKDIR>/private/iot-device-<device id>.key.pem
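The following script is an added example and is not part of the IoT Edge repository or its certGen.sh / ca-certs.ps1 scripts. It builds a minimal stand-in for what the Create root CA certificate, Self-signed certificates and CA-signed certificates sections produce (a 30-day root, an intermediate, a proof-of-possession certificate with the verification code as its subject CN, and a device certificate with the device ID as its subject CN) using plain openssl, and then runs the checks worth applying to the real output: that the root and intermediate carry CA:TRUE, that the device certificate chains to the root only through the intermediate, that certificates expire within the 30-day window, and how to extract the colon-free SHA1 thumbprint that IoT Hub expects. It assumes openssl 1.1.1 or later on PATH; the WRKDIR scratch directory, the extension profiles, the verification code and the device ID are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IoT Edge repo scripts: a minimal stand-in for the
# root CA, intermediate, verification and device certs the scripts produce,
# followed by the checks worth running on the real output.
# Assumes openssl 1.1.1+ on PATH; WRKDIR, the verification code and the
# device ID are constructed for the example.
set -eu

WRKDIR="${WRKDIR:-$(mktemp -d)}"          # mirrors <WRKDIR>/certs and <WRKDIR>/private
mkdir -p "$WRKDIR/certs" "$WRKDIR/private"
VERIFICATION_CODE="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed; use the portal's value
DEVICE_ID="downstream-01"                                       # constructed device ID

# Constructed extension profiles: what a CA cert and a device (leaf) cert must carry.
cat >"$WRKDIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

cert() { printf '%s/certs/%s.cert.pem' "$WRKDIR" "$1"; }
key()  { printf '%s/private/%s.key.pem' "$WRKDIR" "$1"; }

# Self-signed root CA with the demo scripts' 30-day lifetime.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
    -config "$WRKDIR/ext.cnf" -extensions v3_ca \
    -keyout "$(key "$1")" -out "$(cert "$1")" 2>/dev/null
}

# issue ISSUER NAME SUBJECT-CN PROFILE: new key + CSR, signed by ISSUER (PROFILE: v3_ca | v3_leaf).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$(key "$2")" -out "$WRKDIR/$2.csr.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WRKDIR/$2.csr.pem" \
    -CA "$(cert "$1")" -CAkey "$(key "$1")" -CAcreateserial \
    -extfile "$WRKDIR/ext.cnf" -extensions "$4" -out "$(cert "$2")" 2>/dev/null
}

# ---- checks to run on generated certificates --------------------------------
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chains_to ROOT TARGET [INTERMEDIATE]: does TARGET validate up to ROOT?
chains_to() {
  if [ $# -ge 3 ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}

# True when the cert expires within $2 days (-checkend exits 0 only when it does NOT).
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then return 1; fi
  return 0
}

# SHA1 thumbprint the way IoT Hub wants it: 40 upper-case hex characters, no colons.
thumbprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'; }

subject_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'; }

# ---- stand-in for the scripts' output ---------------------------------------
build_demo() {
  make_root azure-iot-test-only.root.ca
  issue azure-iot-test-only.root.ca azure-iot-test-only.intermediate azure-iot-test-only.intermediate v3_ca
  # Proof of possession: subject CN is the verification code, signed by the uploaded root.
  issue azure-iot-test-only.root.ca verification-cert "$VERIFICATION_CODE" v3_leaf
  # Device cert signed by the intermediate; subject CN must be the IoT Hub device ID.
  issue azure-iot-test-only.intermediate "iot-device-$DEVICE_ID" "$DEVICE_ID" v3_leaf
  # full-chain file as the scripts produce it: leaf first, then the intermediate.
  cat "$(cert "iot-device-$DEVICE_ID")" "$(cert azure-iot-test-only.intermediate)" \
    >"$WRKDIR/certs/iot-device-$DEVICE_ID-full-chain.cert.pem"
}

if command -v openssl >/dev/null 2>&1; then
  build_demo
  ROOT=$(cert azure-iot-test-only.root.ca)
  INT=$(cert azure-iot-test-only.intermediate)
  DEV=$(cert "iot-device-$DEVICE_ID")
  is_ca "$ROOT" && echo "root carries CA:TRUE"
  chains_to "$ROOT" "$DEV" "$INT" && echo "device cert chains to the root via the intermediate"
  expires_within_days "$DEV" 31 && echo "device cert expires within 31 days (demo certs live 30)"
  echo "thumbprint to register in IoT Hub: $(thumbprint "$DEV")"
  echo "verification cert CN: $(subject_cn "$(cert verification-cert)")"
fi
```

Run it as `sh check-demo-certs.sh` (any file name) with a fresh WRKDIR, or point the check functions at the files under your real <WRKDIR>/certs. The negative case is the one that matters when a root has been regenerated by mistake: a certificate issued under the old root fails chains_to against the new root, which is the failure the Create root CA certificate section warns about.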