
Missing documentation on how to authenticate Module identities with X.509 #111494

Closed
CIPop opened this issue Jun 27, 2023 · 4 comments

Comments

@CIPop
Member

CIPop commented Jun 27, 2023

There is missing documentation on how to authenticate a Module using X.509: the CN must match the “Module Identity Name” exactly as listed in Portal.

EDIT: the following issue was solved by @FaehnrichLE in Azure/azure-iot-sdk-c#2506 (reply in thread).

The problem is that OpenSSL will not allow a “/” character in the name. I have tried in multiple ways but I keep getting an error:

openssl req -new -key chain1levelclient1m1ss_key.pem -out chain1levelclient1m1ss.csr -subj 'CN=chain1levelclient1/chain1levelclient1m1'

name is expected to be in the format /type0=value0/type1=value1/type2=... where characters may be escaped by \. This name is not in that format: 'CN=chain1levelclient1/chain1levelclient1m1'
problems making Certificate Request

The above command fails due to the missing / before CN: openssl req -new -key chain1levelclient1m1ss_key.pem -out chain1levelclient1m1ss.csr -subj '/CN=chain1levelclient1\/chain1levelclient1m1' should work as expected.

I have successfully used CFSSL instead (also using OpenSSL internally) to generate a properly formatted certificate:

See https://github.com/CIPop/certificates for my CFSSL scripts that can be modified to generate these certificates:

./show.sh cfssl1lclient1m1.pem
{
  "subject": {
    "common_name": "cfssl1lclient1/cfssl1lclient1m1",
    "names": [
      "cfssl1lclient1/cfssl1lclient1m1"
    ]
  }
[…]


@YashikaTyagii
Contributor

@CIPop
Thanks for your feedback! We will investigate and update as appropriate.

@LeelaRajesh-Sayana
Contributor

Hi @CIPop, we have escalated this issue to our Content SME. They will review the feedback and take appropriate action.

Best regards,
Leela.

@CIPop
Member Author

CIPop commented Jul 24, 2023

Adding back-link from a question within our repo (not sure why, GitHub did not do this automatically): Azure/azure-iot-sdk-c#2506

@CIPop
Member Author

CIPop commented Jul 24, 2023

Looks like not everybody can comment on issues. Adding here an excellent observation @FaehnrichLE made in Azure/azure-iot-sdk-c#2506 (reply in thread)

I tried to comment on that issue but it says I can't comment at this time. Here's what I was going to comment:

I was able to generate a csr using openssl.

The issue I believe in your command above was there wasn't a '/' at the beginning of CN.

Here's the command that worked for me.

openssl req -new -key DEV-HW-00000001m1.key.pem -out DEV-HW-00000001m1.csr -subj "/CN=DEV-HW-00000001\/module01"

I'm currently testing to see if I can provision a module under the device with this new file.
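The two OpenSSL invocations above (the failing one in the opening post and the working one quoted from @FaehnrichLE) differ only in the leading "/" and the escaped "/" inside the CN. The script below is an added example, not code from this issue or from the Azure IoT SDK: it builds the -subj string for a module identity of the form deviceId/moduleId, generates a key and CSR, and reads the CN back so it can be compared against the Module Identity Name shown in the portal. It assumes the openssl CLI is on PATH; the identities and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the issue or from the Azure IoT SDK: build an OpenSSL -subj
# string for an IoT Hub module identity ("deviceId/moduleId"), escaping the "/" that
# OpenSSL otherwise reads as a field separator, then issue a CSR and read the CN back.
# Assumes the openssl CLI is on PATH; file names and identities below are constructed.

# Escape every "/" in a subject value so it survives inside -subj (a backslash in the
# value itself would also need doubling; module identities do not contain one).
subj_escape() {
  printf '%s' "$1" | sed 's#/#\\/#g'
}

# Compose the -subj argument for module "$2" on device "$1". The leading "/" is what
# the first command in the issue was missing; without it OpenSSL rejects the whole name.
module_subj() {
  printf '/CN=%s' "$(subj_escape "$1/$2")"
}

# Read the CN back out of a CSR. RFC2253 output does not re-escape "/", so the value
# compares directly against the Module Identity Name shown in the portal.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

# Generate a 2048-bit RSA key and a CSR for device "$1", module "$2" in directory "$3",
# then print the CN actually encoded in the CSR.
make_module_csr() {
  device="$1"; module="$2"; out="${3:-.}"
  key="$out/${device}_${module}.key.pem"
  csr="$out/${device}_${module}.csr"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  openssl req -new -key "$key" -out "$csr" -subj "$(module_subj "$device" "$module")"
  csr_cn "$csr"
}

# Usage: sh module_csr.sh <deviceId> <moduleId> [outdir]
if [ $# -ge 2 ]; then
  make_module_csr "$@"
fi
```

Running `sh module_csr.sh DEV-HW-00000001 module01` prints `DEV-HW-00000001/module01`, i.e. the exact string IoT Hub expects as the module identity; if the printed CN differs from the portal value, the CSR (and any certificate issued from it) will not authenticate the module.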
