Understand how Azure IoT Edge uses certificates

IoT Edge certificates are used by the modules and downstream IoT devices to verify the identity and legitimacy of the IoT Edge hub runtime module. These verifications enable a TLS (transport layer security) secure connection between the runtime, the modules, and the IoT devices. Like IoT Hub itself, IoT Edge requires a secure and encrypted connection from IoT downstream (or leaf) devices and IoT Edge modules. To establish a secure TLS connection, the IoT Edge hub module presents a server certificate chain to connecting clients so that they can verify its identity.

Note

This article talks about the certificates that are used to secure connections between the different components on an IoT Edge device, or between an IoT Edge device and any leaf devices. You may also use certificates to authenticate your IoT Edge device to IoT Hub. Those authentication certificates are different and are not discussed in this article. For more information about authenticating your device with certificates, see Create and provision an IoT Edge device using X.509 certificates.

This article explains how IoT Edge certificates work in production, development, and test scenarios. While the scripts are different (PowerShell vs. bash), the concepts are the same between Linux and Windows.

IoT Edge certificates

There are two common scenarios for setting up certificates on an IoT Edge device. Sometimes the end user, or operator, of a device purchases a generic device made by a manufacturer and then manages the certificates themselves. Other times, the manufacturer works under contract to build a custom device for the operator and does some initial certificate signing before handing off the device. The IoT Edge certificate design attempts to take both scenarios into account.

The following figure illustrates IoT Edge's usage of certificates. There may be zero, one, or many intermediate signing certificates between the root CA certificate and the device CA certificate, depending on the number of entities involved. Here we show one case.

Typical certificate relationships diagram

Note

Currently, a limitation in libiothsm prevents the use of certificates that expire on or after January 1, 2038. This limitation applies to the device CA certificate, any certificates in the trust bundle, and the device ID certificates used for X.509 provisioning methods.

Certificate authority

The certificate authority, or 'CA' for short, is an entity that issues digital certificates. A certificate authority acts as a trusted third party between the owner and the receiver of the certificate. A digital certificate certifies the ownership of a public key by the receiver of the certificate. The certificate chain of trust works by initially issuing a root certificate, which is the basis for trust in all certificates issued by the authority. Afterwards, the owner can use the root certificate to issue additional intermediate certificates ('leaf' certificates).

Root CA certificate

A root CA certificate is the root of trust of the entire process. In production scenarios, this CA certificate is usually purchased from a trusted commercial certificate authority like Baltimore, Verisign, or DigiCert. Should you have complete control over the devices connecting to your IoT Edge devices, it's possible to use a corporate-level certificate authority. In either event, the entire certificate chain from the IoT Edge hub rolls up to it, so the leaf IoT devices must trust the root certificate. You can store the root CA certificate either in the trusted root certificate authority store, or provide the certificate details in your application code.

Intermediate certificates

In a typical manufacturing process for creating secure devices, root CA certificates are rarely used directly, primarily because of the risk of leakage or exposure. The root CA certificate creates and digitally signs one or more intermediate CA certificates. There may be only one, or there may be a chain of these intermediate certificates. Scenarios that would require a chain of intermediate certificates include:

  • A hierarchy of departments within a manufacturer.

  • Multiple companies involved serially in the production of a device.

  • A customer buying a root CA and deriving a signing certificate for the manufacturer to sign the devices they make on that customer's behalf.

In any case, the manufacturer uses an intermediate CA certificate at the end of this chain to sign the device CA certificate placed on the end device. Generally, these intermediate certificates are closely guarded at the manufacturing plant. Their usage is subject to strict processes, both physical and electronic.

Device CA certificate

The device CA certificate is generated from and signed by the final intermediate CA certificate in the process. This certificate is installed on the IoT Edge device itself, preferably in secure storage such as a hardware security module (HSM). In addition, a device CA certificate uniquely identifies an IoT Edge device. The device CA certificate can sign other certificates.

IoT Edge workload CA

The IoT Edge Security Manager generates the workload CA certificate, the first on the "operator" side of the process, when IoT Edge first starts. This certificate is generated from and signed by the device CA certificate. This certificate, which is just another intermediate signing certificate, is used to generate and sign any other certificates used by the IoT Edge runtime. Today, that is primarily the IoT Edge hub server certificate discussed in the following section, but in the future it may include other certificates for authenticating IoT Edge components.

IoT Edge hub server certificate

The IoT Edge hub server certificate is the actual certificate presented to leaf devices and modules for identity verification during establishment of the TLS connection required by IoT Edge. This certificate presents the full chain of signing certificates used to generate it, up to the root CA certificate, which the leaf IoT device must trust. When generated by the IoT Edge Security Manager, the common name (CN) of this IoT Edge hub certificate is set to the 'hostname' property in the config.yaml file after conversion to lower case. This configuration is a common source of confusion with IoT Edge.

Production implications

A reasonable question might be "why does IoT Edge need the extra 'workload CA' certificate? Couldn't it use the device CA certificate to directly generate the IoT Edge hub server certificate?". Technically, it could. However, the purpose of this "workload" intermediate certificate is to separate concerns between the device manufacturer and the device operator. Imagine a scenario where an IoT Edge device is sold or transferred from one customer to another. You would likely want the device CA certificate provided by the manufacturer to be immutable. However, the "workload" certificates specific to operation of the device should be wiped and recreated for the new deployment.

Because manufacturing and operation processes are separated, consider the following implications when preparing production devices:

  • With any certificate-based process, the root CA certificate and all intermediate CA certificates should be secured and monitored during the entire process of rolling out an IoT Edge device. The IoT Edge device manufacturer should have strong processes in place for proper storage and usage of their intermediate certificates. In addition, the device CA certificate should be kept in as secure storage as possible on the device itself, preferably a hardware security module.

  • The IoT Edge hub server certificate is presented by IoT Edge hub to the connecting client devices and modules. The common name (CN) of the device CA certificate must not be the same as the "hostname" that will be used in config.yaml on the IoT Edge device. The name used by clients to connect to IoT Edge (for example, via the GatewayHostName parameter of the connection string or the CONNECT command in MQTT) can't be the same as the common name used in the device CA certificate. This restriction is because the IoT Edge hub presents its entire certificate chain for verification by clients. If the IoT Edge hub server certificate and the device CA certificate both have the same CN, you get into a verification loop and the certificate is invalidated.

  • Because the device CA certificate is used by the IoT Edge security daemon to generate the final IoT Edge certificates, it must itself be a signing certificate, meaning it has certificate signing capabilities. Applying "V3 Basic constraints CA:True" to the device CA certificate automatically sets up the required key usage properties.

Tip

If you've already gone through the setup of IoT Edge as a transparent gateway in a dev/test scenario using our "convenience scripts" (see next section) and used the same host name when creating the device CA certificate as you did for the hostname in config.yaml, you might be wondering why it worked. In an effort to simplify the developer experience, the convenience scripts append a ".ca" to the end of the name you pass into the script. So, for example, if you used "mygateway" for both your device name in the scripts and the hostname in config.yaml, the former is turned into mygateway.ca before being used as the CN for the device CA certificate.

Dev/Test implications

To ease development and test scenarios, Microsoft provides a set of convenience scripts for generating non-production certificates suitable for IoT Edge in the transparent gateway scenario. For examples of how the scripts work, see Create demo certificates to test IoT Edge device features.

Tip

To connect your IoT "leaf" devices and applications that use our IoT device SDK through IoT Edge, you must add the optional GatewayHostName parameter to the end of the device's connection string. When the Edge hub server certificate is generated, it is based on a lower-cased version of the hostname from config.yaml. Therefore, for the names to match and the TLS certificate verification to succeed, you should enter the GatewayHostName parameter in lower case.

Example of IoT Edge certificate hierarchy

To illustrate an example of this certificate path, the following screenshot is from a working IoT Edge device set up as a transparent gateway. OpenSSL is used to connect to the IoT Edge hub, validate, and dump out the certificates.

Screenshot of the certificate hierarchy at each level

You can see the hierarchy of certificate depth represented in the screenshot:

  • Root CA certificate: Azure IoT Hub CA Cert Test Only
  • Intermediate CA certificate: Azure IoT Hub Intermediate Cert Test Only
  • Device CA certificate: iotgateway.ca ("iotgateway" was passed in as the <gateway host name> to the convenience scripts)
  • Workload CA certificate: iotedge workload ca
  • IoT Edge hub server certificate: iotedgegw.local (matches the 'hostname' from config.yaml)
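The hierarchy above, and the production rules from the previous section (device CA must carry CA:TRUE, its CN must differ from the config.yaml hostname, the hub CN is the lower-cased hostname), rebuilt as a throwaway chain with OpenSSL. This is an added example, not Microsoft's convenience scripts; the hostname value, file names and working directory are constructed for the demo.

```shell
# Added example (not the IoT Edge convenience scripts): issue a demo chain
# root CA -> intermediate CA -> device CA -> workload CA -> hub server cert,
# then verify it the way a leaf device's TLS stack would. Requires openssl.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOSTNAME_CFG="IoTEdgeGW.local"   # constructed stand-in for 'hostname' in config.yaml

hostname_lower() { printf '%s' "$HOSTNAME_CFG" | tr 'A-Z' 'a-z'; }

# issue NAME CN SIGNER KIND: KIND "ca" gets CA:TRUE (can sign), "server" does not;
# an empty SIGNER produces a self-signed root. -days 365 stays well before the 2038 libiothsm limit.
issue() {
  name=$1; cn=$2; signer=$3; kind=$4; ext="$WORK/$name.ext"
  if [ "$kind" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" > "$ext"
  fi
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$signer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" \
      -CAcreateserial -days 365 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  issue root  "Azure IoT Hub CA Cert Test Only" "" ca
  issue inter "Azure IoT Hub Intermediate Cert Test Only" root ca
  issue devca "iotgateway.ca" inter ca          # CN deliberately differs from the hostname
  issue wlca  "iotedge workload ca" devca ca    # operator-side intermediate
  issue hub   "$(hostname_lower)" wlca server   # runtime lower-cases the hostname
  cat "$WORK/wlca.pem" "$WORK/devca.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
}

# Succeeds only if the hub cert chains to the trusted root through the presented
# intermediates and its CN equals what a client puts in GatewayHostName.
verify_hub() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/hub.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/hub.pem" -noout -subject | grep -q "CN *= *$(hostname_lower)\$"
}

# The device CA must carry CA:TRUE and its CN must not collide with the hostname.
device_ca_ok() {
  openssl x509 -in "$WORK/devca.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  ! openssl x509 -in "$WORK/devca.pem" -noout -subject | grep -qi "CN *= *$(hostname_lower)\$"
}

build_chain
verify_hub && device_ca_ok && echo "chain verified; hub CN = $(hostname_lower)"
```

Swapping the device CA's CN for the hostname, or dropping CA:TRUE from it, makes device_ca_ok fail, which is the misconfiguration the production implications warn about.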

Next steps

Understand Azure IoT Edge modules

Configure an IoT Edge device to act as a transparent gateway