Device Authentication using X.509 CA Certificates

This article describes how to use X.509 Certificate Authority (CA) certificates to authenticate devices connecting to IoT Hub. In this article you will learn:

  • How to get an X.509 CA certificate
  • How to register the X.509 CA certificate to IoT Hub
  • How to sign devices using X.509 CA certificates
  • How devices signed with an X.509 CA are authenticated

Overview

The X.509 CA feature enables device authentication to IoT Hub using a Certificate Authority (CA). It greatly simplifies the initial device enrollment process and the supply chain logistics during device manufacturing. Learn more in this scenario article about the value of using X.509 CA certificates for device authentication. We encourage you to read this scenario article before proceeding, as it explains why the steps that follow exist.

Prerequisite

Using the X.509 CA feature requires that you have an IoT Hub account. Learn how to create an IoT Hub instance if you don't already have one.

How to get an X.509 CA certificate

The X.509 CA certificate is at the top of the chain of certificates for each of your devices. You may purchase or create one depending on how you intend to use it.

For production environments, we recommend that you purchase an X.509 CA certificate from a public root certificate authority. Purchasing a CA certificate has the benefit of the root CA acting as a trusted third party to vouch for the legitimacy of your devices. Consider this option if you intend your devices to be part of an open IoT network where they are expected to interact with third-party products or services.

You may also create a self-signed X.509 CA for experimentation or for use in closed IoT networks.

Regardless of how you obtain your X.509 CA certificate, make sure to keep its corresponding private key secret and protected at all times. This is necessary for building trust in X.509 CA authentication.

Learn how to create a self-signed CA certificate, which you can use for experimentation throughout this feature description.

Sign devices into the certificate chain of trust

The owner of an X.509 CA certificate can cryptographically sign an intermediate CA, which can in turn sign another intermediate CA, and so on, until the last intermediate CA terminates this process by signing a device. The result is a cascaded chain of certificates known as a certificate chain of trust. In real life this plays out as delegation of trust towards signing devices. This delegation is important because it establishes a cryptographically verifiable chain of custody and avoids sharing of signing keys.

[Figure: generic certificate chain of trust]

The device certificate (also called a leaf certificate) must have the Subject Name set to the Device ID that was used when registering the IoT device in Azure IoT Hub. This setting is required for authentication.

Learn here how to create a certificate chain as done when signing devices.

How to register the X.509 CA certificate to IoT Hub

Register your X.509 CA certificate to IoT Hub, where it will be used to authenticate your devices during registration and connection. Registering the X.509 CA certificate is a two-step process comprising certificate file upload and proof of possession.

The upload process entails uploading a file that contains your certificate. This file should never contain any private keys.

The proof of possession step involves a cryptographic challenge and response process between you and IoT Hub. Given that digital certificate contents are public and therefore susceptible to eavesdropping, IoT Hub needs to ascertain that you really own the CA certificate. It does so by generating a random challenge that you must sign with the CA certificate's corresponding private key. If you kept the private key secret and protected as advised earlier, then only you possess the knowledge to complete this step. Secrecy of private keys is the source of trust in this method. After signing the challenge, complete this step by uploading a file containing the results.

Learn here how to register your CA certificate.

How to create a device on IoT Hub

To preclude device impersonation, IoT Hub requires you to let it know which devices to expect. You do this by creating a device entry in the IoT Hub's device registry. This process is automated when using the IoT Hub Device Provisioning Service.

Learn here how to manually create a device in IoT Hub.

Create an X.509 device for your IoT hub

Authenticating devices signed with X.509 CA certificates

With the X.509 CA certificate registered and devices signed into a certificate chain of trust, what remains is device authentication when the device connects, even for the first time. When an X.509 CA-signed device connects, it uploads its certificate chain for validation. The chain includes all intermediate CA certificates and the device certificate. With this information, IoT Hub authenticates the device in a two-step process. IoT Hub cryptographically validates the certificate chain for internal consistency, and then issues a proof-of-possession challenge to the device. IoT Hub declares the device authentic on a successful proof-of-possession response from the device. This declaration assumes that the device's private key is protected and that only the device can successfully respond to this challenge. We recommend the use of secure chips such as hardware security modules (HSMs) in devices to protect private keys.

A successful device connection to IoT Hub completes the authentication process and is also indicative of a proper setup.
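The chain-of-trust construction from "Sign devices into the certificate chain of trust" and the two-step connect-time check described above, as an added openssl walkthrough that is not part of the original article or of IoT Hub's own implementation. It assumes openssl is installed; the CA names and the device ID "device-0001" are constructed sample values, and the hub-side steps are replayed locally with openssl verify and a signed nonce rather than by IoT Hub itself.

```shell
#!/bin/sh
# Added example, not from the original article: build a root CA -> intermediate CA -> device
# chain with openssl, then replay what IoT Hub does when that device connects: validate the
# presented chain against the registered CA, match the leaf CN to the registry entry, and
# run a proof-of-possession challenge. Assumes openssl is installed; names are constructed.
set -eu
WORK=$(mktemp -d)
DEVICE_ID="device-0001"   # must equal the device entry created in the IoT Hub registry
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"

csr() {        # $1=name $2=subject CN: fresh key pair plus signing request
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
gen_root() {   # self-signed X.509 CA: fine for experiments, buy one from a public CA for production
  csr root "Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
}
issue() {      # $1=name $2=issuer $3=extension file: sign the CSR with the issuer's private key
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}
gen_chain() {  # the intermediate CA signs devices so the root key never has to be shared
  gen_root
  csr int "Example Intermediate CA"; issue int root "$WORK/ca.ext"
  csr dev "$DEVICE_ID";              issue dev int "$WORK/leaf.ext"   # leaf CN = device ID
}
verify_chain() {   # step 1 on connect: leaf plus presented intermediates must chain to the registered CA
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$1" >/dev/null 2>&1
}
leaf_cn() {        # the Subject CN that IoT Hub matches against the device registry
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
prove_possession() {   # step 2: random challenge signed with the device key, verified with its cert
  openssl rand -out "$WORK/nonce.bin" 32
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/nonce.sig" "$WORK/nonce.bin"
  openssl x509 -in "$WORK/$1.pem" -noout -pubkey > "$WORK/$1.pub"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/nonce.sig" "$WORK/nonce.bin" >/dev/null 2>&1
}

gen_chain
verify_chain "$WORK/dev.pem" && [ "$(leaf_cn "$WORK/dev.pem")" = "$DEVICE_ID" ] \
  && prove_possession dev && echo "device $DEVICE_ID authenticated"
```

A leaf whose CN does not match a registry entry, or whose chain ends at a CA that was never registered, fails at step 1 before any challenge is issued; a device that cannot sign the nonce with the key matching its certificate fails at step 2.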

Learn here how to complete this device connection step.

Next Steps

Learn about the value of X.509 CA authentication in IoT.

Get started with the IoT Hub Device Provisioning Service.