概念性理解 IoT 行业中的 X.509 CA 证书Conceptual understanding of X.509 CA certificates in the IoT industry

本文介绍在 IoT 设备制造及向 IoT 中心进行身份验证时使用 X.509 证书颁发机构 (CA) 证书的重要性。This article describes the value of using X.509 certificate authority (CA) certificates in IoT device manufacturing and authentication to IoT Hub. 内容包括供应链设置及突出优点的相关信息。It includes information about supply chain setup and highlight advantages.

本文介绍:This article describes:

  • X.509 CA 证书的含义及获取方式What X.509 CA certificates are and how to get them
  • 如何向 IoT 中心注册 X.509 CA 证书How to register your X.509 CA certificate to IoT Hub
  • 如何为基于 X.509 CA 的身份验证设置制造供应链How to set up a manufacturing supply chain for X.509 CA-based authentication
  • 使用 X.509 CA 签名的设备如何连接到 IoT 中心How devices signed with X.509 CA connect to IoT Hub


使用 X.509 证书颁发机构 (CA) 身份验证的设备的以下功能尚未正式发布,必须启用预览模式The following functionality for devices that use X.509 certificate authority (CA) authentication is not yet generally available, and preview mode must be enabled:

  • HTTPS、基于 WebSocket 的 MQTT 和基于 WebSocket 的 AMQP 协议。HTTPS, MQTT over WebSockets, and AMQP over WebSockets protocols.
  • 文件上传(所有协议)。File uploads (all protocols).

它在使用 X.509 指纹身份验证的设备上已正式发布。It is generally available on devices that use X.509 thumbprint authentication. 若要了解有关使用 IoT 中心进行 x.509 身份验证的详细信息,请参阅支持的 x.509 证书To learn more about X.509 authentication with IoT Hub, see Supported X.509 certificates.


X.509 证书颁发机构 (CA) 身份验证可用于向 IoT 中心进行设备身份验证,所用方法极大地简化了设备标识创建和供应链中的生命周期管理。X.509 Certificate Authority (CA) authentication is an approach for authenticating devices to IoT Hub using a method that dramatically simplifies device identity creation and life-cycle management in the supply chain.

X.509 CA 身份验证的一个特有属性是,CA 证书与其下游设备具有一对多关系。A distinguishing attribute of the X.509 CA authentication is a one-to-many relationship a CA certificate has with its downstream devices. 由于此种关系,只需注册一次 X.509 CA 证书,即可将任意数目的设备注册到 IoT 中心,若使用设备唯一证书,则必须为每台设备预注册证书,然后设备才可连接。This relationship enables registration of any number of devices into IoT Hub by registering an X.509 CA certificate once, otherwise device unique certificates must be pre-registered for every device before a device can connect. 这种一对多关系还可简化设备证书生命周期管理操作。This one-to-many relationship also simplifies device certificates life-cycle management operations.

X.509 CA 身份验证的另一重要属性是简化了供应链逻辑。Another important attribute of the X.509 CA authentication is simplification of supply chain logistics. 设备的安全身份验证要求每台设备拥有唯一机密(如密钥),以作为信任基础。Secure authentication of devices requires that each device holds a unique secret like a key as basis for trust. 在基于证书的身份验证中,此机密即为私钥。In certificates-based authentication, this secret is a private key. 典型的设备制造流程需要多个步骤及多个保管人。A typical device manufacturing flow involves multiple steps and custodians. 跨多个保管人安全管理设备私钥并维持信任十分困难且成本高昂。Securely managing device private keys across multiple custodians and maintaining trust is difficult and expensive. 使用证书颁发机构即可解决此问题,因其将每个保管人签名到加密信任链,而不是将设备私钥委托给他们。Using certificate authorities solves this problem by signing each custodian into a cryptographic chain of trust rather than entrusting them with device private keys. 每个保管人转而在各自的制造流过程步骤中对设备进行签名。Each custodian in turn signs devices at their respective process step of the manufacturing flow. 整体结果是通过使用加密信任链、借助内置职责优化了供应链。The overall result is an optimal supply chain with built-in accountability through use of the cryptographic chain of trust. 值得注意的是,在设备保护其唯一私钥时,此过程可实现最大安全性。It is worth noting that this process yields the most security when devices protect their unique private keys. 为此,我们强烈建议使用支持内部生成私钥的硬件安全模块 (HSM),让私钥得到最佳保护。To this end, we urge the use of Hardware Secure Modules (HSM) capable of internally generating private keys that will never see the light of day.

本文连贯地介绍如何使用 X.509 CA 身份验证(从供应链设置到设备连接),同时利用真实示例增强理解。This article offers an end-to-end view of using the X.509 CA authentication, from supply chain setup to device connection, while making use of a real world example to solidify understanding.

还可以将注册组与 Azure IoT 中心设备预配服务 (DPS) 配合使用,以便处理将设备预配到中心的操作。You can also use enrollment groups with the Azure IoT Hub Device Provisioning Service (DPS) to handle provisioning of devices to hubs.


X.509 CA 证书是一种数字证书,该证书的持有者可对其他证书进行签名。The X.509 CA certificate is a digital certificate whose holder can sign other certificates. 此数字证书为 X.509,因为它符合 IETF RFC 5280 标准规定的证书格式标准;它也是一个证书颁发机构 (CA),因为其持有者可对其他证书进行签名。This digital certificate is X.509 because it conforms to a certificate formatting standard prescribed by IETF's RFC 5280 standard, and is a certificate authority (CA) because its holder can sign other certificates.

联系具体示例可更好地理解 X.509 CA 的用法。The use of X.509 CA is best understood in relation to a concrete example. 假设 X 公司是智能 X 小组件的制造商,同时承诺专业安装。Consider Company-X, a maker of Smart-X-Widgets designed for professional installation. X 公司将制造和安装外包。Company-X outsources both manufacturing and installation. 合同规定生产商 Y 工厂负责生产智能 X 小组件、服务提供商 Z 技术人员负责安装。It contracts manufacturer Factory-Y to manufacture the Smart-X-Widgets, and service provider Technician-Z to install. X 公司希望将智能 X 小组件从 Y 工厂直接运送给 Z 技术人员以供安装,安装完成后,直接将小组件连接到 X 公司的 IoT 中心实例,而无需 X 公司更多干预。Company-X desires that Smart-X-Widget directly ships from Factory-Y to Technician-Z for installation and that it connects directly to Company-X's instance of IoT Hub after installation without further intervention from Company-X. 为实现这一目的,X 公司需完成几个一次性安装操作,对智能 X 小组件进行优化以实现自动连接。To make this happen, Company-X need to complete a few one-time setup operations to prime Smart-X-Widget for automatic connection. 考虑到端到端方案,本文其余部分的结构如下:With the end-to-end scenario in mind, the rest of this article is structured as follows:

  • 获取 X.509 CA 证书Acquire the X.509 CA certificate

  • 向 IoT 中心注册 X.509 CA 证书Register X.509 CA certificate to IoT Hub

  • 将设备签名到证书信任链Sign devices into a certificate chain of trust

  • 设备连接Device connection

获取 X.509 CA 证书Acquire the X.509 CA certificate

X 公司可通过公共根证书颁发机构购买 X.509 CA 证书,也可通过自签名流程创建一个证书。Company-X has the option of purchasing an X.509 CA certificate from a public root certificate authority or creating one through a self-signed process. 这两个选项中会有一个优于另一个,具体取决于应用程序方案。One option would be optimal over the other depending on the application scenario. 无论选择哪个选项,过程均包含 2 个基础步骤:生成公钥/私钥对、将公钥签名到证书。Regardless of the option, the process entails two fundamental steps, generating a public/private key pair and signing the public key into a certificate.

生成 X509CA 证书的流程

不同服务提供商完成这些步骤的方式详情有所不同。Details on how to accomplish these steps differ with various service providers.

购买 X.509 CA 证书Purchasing an X.509 CA certificate

购买 CA 证书的好处是可让知名根 CA 充当可信第三方,确保设备连接时 IoT 设备的合法性。Purchasing a CA certificate has the benefit of having a well-known root CA act as a trusted third party to vouch for the legitimacy of IoT devices when the devices connect. 如果 X 公司希望智能 X 小组件在与 IoT 中心进行初始连接后可与第三方产品或服务进行交互,则可选择此选项。Company-X would choose this option if they intend Smart-X-Widget to interact with third party products or services after initial connection to IoT Hub.

要购买 X.509 CA 证书,X 公司可选择根证书服务提供商。To purchase an X.509 CA certificate, Company-X would choose a root certificates services provider. 通过 Internet 搜索词语“根 CA”可找到一些好线索。An internet search for the phrase 'Root CA' will yield good leads. 根 CA 将指导 X 公司了解如何创建公钥/私钥对以及如何为其服务生成证书签名请求 (CSR)。The root CA will guide Company-X on how to create the public/private key pair and how to generate a Certificate Signing Request (CSR) for their services. CSR 是从证书颁发机构申请证书的正式过程。A CSR is the formal process of applying for a certificate from a certificate authority. 此次购买的证书可用作证书颁发机构证书。The outcome of this purchase is a certificate for use as an authority certificate. 由于 X.509 证书普遍存在,所以该证书格式可能已按照 IETF RFC 5280 标准正确设置。Given the ubiquity of X.509 certificates, the certificate is likely to have been properly formatted to IETF's RFC 5280 standard.

创建自签名 X.509 CA 证书Creating a Self-Signed X.509 CA certificate

除了需要根证书颁发机构等第三方签名人之外,创建自签名 X.509 CA 证书的过程与购买过程相同。The process to create a Self-Signed X.509 CA certificate is similar to purchasing with the exception of involving a third party signer like the root certificate authority. 在本例中,X 公司要对其授权证书进行签名,而不是向根证书颁发机构购买。In our example, Company-X will sign its authority certificate instead of a root certificate authority. 在 X 公司准备好购买证书颁发机构证书前,他们可能会选择此选项进行测试。Company-X may choose this option for testing until they're ready to purchase an authority certificate. 如果 X 公司不打算将智能 X 小组件连接到 IoT 中心外任何第三方服务,则他们也可以在生产中使用自签名 X.509 CA 证书。Company-X may also use a self-signed X.509 CA certificate in production, if Smart-X-Widget is not intended to connect to any third party services outside of the IoT Hub.

向 IoT 中心注册 X.509 证书Register the X.509 certificate to IoT Hub

X 公司需要向 IoT 中心注册 X.509 CA,IoT 中心将在智能 X 小组件进行连接时对其进行身份验证。Company-X needs to register the X.509 CA to IoT Hub where it will serve to authenticate Smart-X-Widgets as they connect. 这个过程是一次性的,完成后即可对任何数量的智能 X 小组件设备进行身份验证和管理。This is a one-time process that enables the ability to authenticate and manage any number of Smart-X-Widget devices. 由于 CA 证书和通过 CA 证书或中间证书签名的设备证书之间的一对多关系,因此这是一次性过程。This is a one-time process because of a one-to-many relationship between CA certificate and device certificates that are signed by the CA certificate or an intermediate certificate. 此关系是使用 X.509 CA 身份验证方法的主要优点之一。This relationship constitutes one of the main advantages of using the X.509 CA authentication method. 另一种方法是为每个智能 X 小组件设备上传单个证书指纹,但这会增加运营成本。The alternative is to upload individual certificate thumbprints for each and every Smart-X-Widget device thereby adding to operational costs.

注册 X.509 CA 证书的过程包含 2 个步骤:证书上传、证书所有权证明。Registering the X.509 CA certificate is a two-step process, the certificate upload and certificate proof-of-possession.

注册 X509CA 证书

X.509 CA 证书上传X.509 CA Certificate Upload

X.509 CA 证书上传进程指将 CA 证书上传到 IoT 中心。The X.509 CA certificate upload process is just that, upload the CA certificate to IoT Hub. IoT 中心希望证书包含在文件内。IoT Hub expects the certificate in a file. X 公司只需上传证书文件。Company-X simply uploads the certificate file. 在任何情况下,证书文件都不能包含任何私钥。The certificate file MUST NOT under any circumstances contain any private keys. 公钥基础结构 (PKI) 标准的最佳做法要求,X 公司在此情况下的专有知识完全属于 X 公司。Best practices from standards governing Public Key Infrastructure (PKI) mandates that knowledge of Company-X's private in this case resides exclusively within Company-X.

证书的所有权证明Proof-of-Possession of the Certificate

与所有数字证书相同,X.509 CA 证书也是易遭窃听的公共信息。The X.509 CA certificate, just like any digital certificate, is public information that is susceptible to eavesdropping. 因此,窃听者可能会拦截证书并尝试将其作为自己的证书进行上传。As such, an eavesdropper may intercept a certificate and try to upload it as their own. 在本示例中,IoT 中心会确保 X 公司上传的 CA 证书确实属于 X 公司。In our example, IoT Hub would like to make sure that the CA certificate Company-X is uploading really belongs to Company-X. 实现这一目的的方法是:要求 X 公司通过所有权证明 (PoP) 流程证明他们实际上拥有该证书。It does so by challenging Company-X to proof that they in fact possess the certificate through a proof-of-possession (PoP) flow. 所有权证明流程要求 IoT 中心生成随机数字,X 公司将使用其私钥对该数字进行签名。The proof-of-possession flow entails IoT Hub generating a random number to be signed by Company-X using its private key. 如果 X 公司遵循了 PKI 最佳做法并保护了私钥,那么只有他们才能够正确响应所有权证明质疑。If Company-X followed PKI best practices and protected their private key then only they would be in position to correctly respond to the proof-of-possession challenge. 成功响应所有权证明质疑后,IoT 中心会继续注册 X.509 CA 证书。IoT Hub proceeds to register the X.509 CA certificate upon a successful response of the proof-of-possession challenge.

成功响应 IoT 中心的所有权证明质疑后,即可完成 X.509 CA 注册。A successful response to the proof-of-possession challenge from IoT Hub completes the X.509 CA registration.

将设备签名到证书信任链Sign Devices into a Certificate Chain of Trust

IoT 要求每台设备均拥有唯一标识。IoT requires every device to possess a unique identity. 这些标识位于表单证书中,可用于基于证书的身份验证方案。These identities are in the form certificates for certificate-based authentication schemes. 在本示例中,这意味着每个智能 X 小组件必须拥有唯一设备证书。In our example, this means every Smart-X-Widget must possess a unique device certificate. X 公司如何在其供应链中对此进行设置?How does Company-X setup for this in its supply chain?

一种方法是为智能 X 小组件预生成证书,并将相应唯一设备私钥的知识委托给供应链合作伙伴。One way to go about this is to pre-generate certificates for Smart-X-Widgets and entrusting knowledge of corresponding unique device private keys with supply chain partners. 对于 X 公司,这意味着委托 Y 工厂和 Z 技术人员。For Company-X, this means entrusting Factory-Y and Technician-Z. 虽然这种方法有效,但同时也必须解决一些问题才可确保信任度,如下所示:While this is a valid method, it comes with challenges that must be overcome to ensure trust as follows:

  1. 除了忽略 PKI 最佳做法(绝不共享私钥)外,还必须与供应链合作伙伴共享设备私钥,这使得供应链中的信任构建成本高昂。Having to share device private keys with supply chain partners, besides ignoring PKI best practices of never sharing private keys, makes building trust in the supply chain expensive. 这意味着需要安装资本系统(如存放设备私钥的安全空间)和建立定期安全审核等流程。It means capital systems like secure rooms to house device private keys, and processes like periodic security audits need to be installed. 这两者均会增加供应链成本。Both add cost to the supply chain.

  2. 从设备唯一证书(和私钥)生成到设备停用,对每个密钥-设备对而言,在供应链中安全照管设备以及之后在部署中管理它们都是一项一对一任务。Securely accounting for devices in the supply chain and later managing them in deployment becomes a one-to-one task for every key-to-device pair from the point of device unique certificate (hence private key) generation to device retirement. 这妨碍设备的组管理,除非以某种方式将组的概念明确嵌入该过程。This precludes group management of devices unless the concept of groups is explicitly built into the process somehow. 因此,安全照管设备和设备生命周期管理成为沉重的运营负担。Secure accounting and device life-cycle management, therefore, becomes a heavy operations burden. 在本例中,X 公司须自行承担该负担。In our example, Company-X would bear this burden.

X.509 CA 证书身份验证通过使用证书链为前面列出的问题提供了漂亮的解决方案。X.509 CA certificate authentication offers elegant solutions to afore listed challenges through the use of certificate chains. 证书链如此生成:一个 CA 对一个中间 CA 进行签名,这个中间 CA 转而对另一个中间 CA 进行签名,这样继续,直到最后一个中间 CA 对设备进行签名。A certificate chain results from a CA signing an intermediate CA that in turn signs another intermediate CA and so goes on until a final intermediate CA signs a device. 在本例中,X 公司对 Y 工厂进行签名,Y 工厂转而对 Z 技术人员进行签名,而 Z 技术人员最后要对智能 X 小组件进行签名。In our example, Company-X signs Factory-Y, which in turn signs Technician-Z that finally signs Smart-X-Widget.


上述证书链中的证书传递体现了授权的逻辑转移。Above cascade of certificates in the chain presents the logical hand-off of authority. 许多供应链都遵循这种逻辑转移,每个中间 CA 在接收所有上游 CA 证书时被签名到链中,最后一个中间 CA 最后对每台设备进行签名并将链中的授权构证书引入设备。Many supply chains follow this logical hand-off whereby each intermediate CA gets signed into the chain while receiving all upstream CA certificates, and the last intermediate CA finally signs each device and inject all the authority certificates from the chain into the device. 这种做法常见于具有工厂层次结构的合同制造公司委托特定工厂进行生产的情况。This is common when the contract manufacturing company with a hierarchy of factories commissions a particular factory to do the manufacturing. 层次结构可能是多级深度(例如,地理/产品类型/生产线),只有最后的工厂才会与设备进行交互,但供应链是从层次结构顶部进行维护的。While the hierarchy may be several levels deep (for example, by geography/product type/manufacturing line), only the factory at the end gets to interact with the device but the chain is maintained from the top of the hierarchy.

备用链中可能会有其他中间 CA 与设备进行交互,在这种情况下,与设备进行交互的 CA 此时会插入证书链内容。Alternate chains may have different intermediate CA interact with the device in which case the CA interacting with the device injects certificate chain content at that point. 如果只有某些 CA 与设备进行物理交互,也可使用混合模型。Hybrid models are also possible where only some of the CA has physical interaction with the device.

在本例中,Y 工厂和 Z 技术人员都会与智能 X 小组件进行交互。In our example, both Factory-Y and Technician-Z interact with the Smart-X-Widget. 虽然 X 公司拥有智能 X 小组件的所有权,但它实际上在整个供应链中并未与该产品进行物理交互。While Company-X owns Smart-X-Widget, it actually does not physically interact with it in the entire supply chain. 因此,智能 X 小组的证书信任链包括:X 公司对 Y 工厂进行签名、Y 工厂转而对 Z 技术人员进行签名,然后 Z 技术人员最后对智能 X 小组件进行签名。The certificate chain of trust for Smart-X-Widget therefore comprise Company-X signing Factory-Y which in turn signs Technician-Z that will then provide final signature to Smart-X-Widget. 智能 X 小组件的制造和安装过程包括:Y 工厂和 Z 技术人员使用各自的中间 CA 证书对每个智能 X 小组件进行签名。The manufacture and installation of Smart-X-Widget comprise Factory-Y and Technician-Z using their respective intermediate CA certificates to sign each and every Smart-X-Widgets. 整个过程的最终结果是,具有唯一设备证书和证书信任链的智能 X 小组件被纳入 X 公司 CA 证书。The end result of this entire process is Smart-X-Widgets with unique device certificates and certificate chain of trust going up to Company-X CA certificate.


这一点很好地体现了 X.509 CA 方法的重要性。This is a good point to review the value of the X.509 CA method. X 公司只需对 Y 工厂签名一次,而无需为每个智能 X 小组件预先生成证书并移交到供应链中。Instead of pre-generating and handing off certificates for every Smart-X-Widget into the supply chain, Company-X only had to sign Factory-Y once. X 公司无需在整个设备生命周期中跟踪每台设备,他们现在可以通过供应链过程中自然生成的组来跟踪和管理设备,例如,某年七月后由 Z 技术人员安装的设备。Instead of having to track every device throughout the device's life-cycle, Company-X may now track and manage devices through groups that naturally emerge from the supply chain process, for example, devices installed by Technician-Z after July of some year.

最后一项要点是,CA 身份验证方法将安全责任引入了设备制造供应链。Last but not least, the CA method of authentication infuses secure accountability into the device manufacturing supply chain. 由于证书链流程,链中每位成员的操作均已加密记录且可验证。Because of the certificate chain process, the actions of every member in the chain is cryptographically recorded and verifiable.

此过程的完成依赖于某些必须提供的假设。This process relies on certain assumptions that must be surfaced for completeness. 这要求独立创建设备唯一的公钥/私钥对,并且私钥在设备内受到保护。It requires independent creation of device unique public/private key pair and that the private key be protected within the device. 幸运的是,硬件安全模块 (HSM) 形式的安全硅芯片能够在内部生成密钥并保护私钥。Fortunately, secure silicon chips in the form of Hardware Secure Modules (HSM) capable of internally generating keys and protecting private keys exist. X 公司只需将该种芯片之一添加到智能 X 小组件的组件材料清单即可。Company-X only need to add one of such chips into Smart-X-Widget's component bill of materials.

设备连接Device Connection

前面部分一直在构建设备连接。Previous sections above have been building up to device connection. 简单通过向 IoT 中心注册一次 X.509 CA 证书,数百万台设备在首次连接时即可通过身份验证,这怎么可能?By simply registering an X.509 CA certificate to IoT Hub one time, how do potentially millions of devices connect and get authenticated from the first time? 答案很简单。通过之前注册 X.509 CA 证书所用的相同证书上传和所有权证明流程即可实现。Simple; through the same certificate upload and proof-of-possession flow we earlier encountered with registering the X.509 CA certificate.

针对 X.509 CA 身份验证所制造的设备配有设备唯一证书和其各自制造供应链的证书链。Devices manufactured for X.509 CA authentication are equipped with device unique certificates and a certificate chain from their respective manufacturing supply chain. 即使是首次连接,也只需 2 步即可实现设备连接:证书链上传、所有权证明。Device connection, even for the very first time, happens in a two-step process: certificate chain upload and proof-of-possession.

证书链上传过程中,设备会将设备唯一证书与其内部安装的证书链一并上传到 IoT 中心。During the certificate chain upload, the device uploads its device unique certificate together with the certificate chain installed within it to IoT Hub. 使用预注册的 X.509 CA 证书,IoT 中心可加密验证两个事项:上传的证书链是否内部一致;该链是否来自有效的 X.509 CA 证书所有者。Using the pre-registered X.509 CA certificate, IoT Hub can cryptographically validate a couple of things, that the uploaded certificate chain is internally consistent, and that the chain was originated by the valid owner of the X.509 CA certificate. 与 X.509 CA 注册过程一样,IoT 中心会启动一个所有权证明质疑-响应流程,以确定链和设备证书确实属于上传设备。Just was with the X.509 CA registration process, IoT Hub would initiate a proof-of-possession challenge-response process to ascertain that the chain and hence device certificate actually belongs to the device uploading it. 实现这一过程的方法是:生成随机质询,设备使用其私钥对该质询进行签名,然后由 IoT 中心进行验证。It does so by generating a random challenge to be signed by the device using its private key for validation by IoT Hub. 成功响应将促使 IoT 中心认为设备可信并允许其进行连接。A successful response triggers IoT Hub to accept the device as authentic and grant it connection.

在本示例中,每个智能 X 小组件都会将其设备唯一证书与 Y 工厂和 Z 技术人员的 X.509 CA 证书一并上传,然后响应 IoT 中心发出的所有权证明质疑。In our example, each Smart-X-Widget would upload its device unique certificate together with Factory-Y and Technician-Z X.509 CA certificates and then respond to the proof-of-possession challenge from IoT Hub.


请注意,信任的基础在于保护私钥(包括设备私钥)。Notice that the foundation of trust rests in protecting private keys including device private keys. 因此,我们一再强调使用硬件安全模块 (HSM) 形式的安全硅芯片保护设备私钥的重要性,也一再强调绝不共享任何私钥(如某工厂将其私钥委托给另一工厂)这一整体最佳做法。We therefore cannot stress enough the importance of secure silicon chips in the form of Hardware Secure Modules (HSM) for protecting device private keys, and the overall best practice of never sharing any private keys, like one factory entrusting another with its private key.