[MUST] Work through tutorial-x509-self-sign first.
For reference, the log below was produced on the developer PC (Git Bash / MINGW64). Notice! The device ID used throughout is "W5100S_EVB_PICO_X509": the Common Name (CN) of both certificates must be exactly this string, because IoT Hub matches the certificate CN against the device ID.
MINGW64 ~
$ mkdir certi
MINGW64 ~
$ cd certi/
MINGW64 ~/certi
$ openssl genpkey -out device1.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
......................................+++++
.........................................................+++++
MINGW64 ~/certi
$ openssl req -new -key device1.key -out device1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:W5100S_EVB_PICO_X509
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
MINGW64 ~/certi
$ openssl req -text -in device1.csr -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = W5100S_EVB_PICO_X509
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bb:ba:cb:62:7a:ce:ac:4d:ff:88:c7:1a:ad:6a:
b4:6b:83:cc:30:74:94:7b:d2:8c:ed:6f:37:bf:c2:
...
ff:17:35:fb:78:d8:a8:31:04:a6:dd:89:f5:d6:fd:
a2:8e:e2:b3:62:d4:96:f2:9b:80:b5:22:4a:e2:6f:
88:e3
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
7e:de:0e:58:a6:44:c4:a6:76:12:be:a5:e0:80:35:90:ec:cb:
...
73:ca:29:5f:36:d9:cd:1c:1e:34:98:c3:9a:a8:93:ef:28:f4:
a9:45:f9:4e
MINGW64 ~/certi
$ openssl x509 -req -days 365 -in device1.csr -signkey device1.key -out device1.crt
Signature ok
subject=CN = W5100S_EVB_PICO_X509
Getting Private key
MINGW64 ~/certi
$ openssl genpkey -out device2.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
............................................................................................................................+++++
.....+++++
MINGW64 ~/certi
$ openssl req -new -key device2.key -out device2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:W5100S_EVB_PICO_X509
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
MINGW64 ~/certi
$ openssl x509 -req -days 365 -in device2.csr -signkey device2.key -out device2.crt
Signature ok
subject=CN = W5100S_EVB_PICO_X509
Getting Private key
MINGW64 ~/certi
$ openssl x509 -in device1.crt -noout -fingerprint
SHA1 Fingerprint=F3:61:90:1F:B5:76:xx:xx:xx:xx:9B:51:4F:51
MINGW64 ~/certi
$ openssl x509 -in device2.crt -noout -fingerprint
SHA1 Fingerprint=09:75:4F:7F:14:xx:xx:xx:xx:38:8B:D5:0D
MINGW64 ~/certi
$
- Provide a Device ID that matches the subject (CN) of your two certificates. In this example, "W5100S_EVB_PICO_X509"
- Select the X.509 Self-Signed authentication type.
- Paste the hex string thumbprints that you copied from your device primary and secondary certificates. Make sure that the hex strings have no colon delimiters.
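The certificate steps from the log above as a non-interactive script, added here as an example; it is not code from RP2040-HAT-AZURE-C. The function names and the two arguments (output directory, device ID) are this example's own choices, and it assumes openssl 1.1 or later on PATH. Besides producing device1/device2 it checks the two things the IoT Hub form relies on, that the CN equals the device ID and that the thumbprint is printed without colons, and confirms each private key actually matches its certificate before you embed them in firmware.

```shell
#!/bin/sh
# Added example, not code from RP2040-HAT-AZURE-C: the certificate steps of the
# log above as a non-interactive script. Function names and the two arguments
# (output directory, device ID) are assumptions of this example; it needs
# openssl 1.1 or later on PATH.
set -eu
# Git Bash (MINGW64) would rewrite "/CN=..." into a Windows path; this disables that.
export MSYS_NO_PATHCONV=1

# Strip "SHA1 Fingerprint=" (or "SHA256 Fingerprint=") and the colons from an
# openssl fingerprint line so the result can be pasted into the IoT Hub thumbprint fields.
thumbprint_hex() {
    printf '%s\n' "$1" | sed 's/^.*Fingerprint=//; s/://g'
}

# Create a 2048-bit RSA key and a one-year self-signed certificate whose
# Common Name is the IoT Hub device ID.  $1 = dir, $2 = device id, $3 = file stem
make_device_cert() {
    d=$1; dev_id=$2; stem=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$stem.key" 2>/dev/null
    chmod 600 "$d/$stem.key"
    openssl req -new -key "$d/$stem.key" -subj "/CN=$dev_id" -out "$d/$stem.csr"
    openssl x509 -req -days 365 -in "$d/$stem.csr" -signkey "$d/$stem.key" \
        -out "$d/$stem.crt" 2>/dev/null
}

# Common Name of a certificate; IoT Hub compares this with the device ID.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

# Thumbprint without colons. $2 = digest: sha1 (as in the log above) or sha256.
cert_thumbprint() {
    thumbprint_hex "$(openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}")"
}

# True when the public key inside the certificate is the one derived from the key file.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

main() {
    out_dir=$1; device_id=$2
    mkdir -p "$out_dir"
    for stem in device1 device2; do
        make_device_cert "$out_dir" "$device_id" "$stem"
        cn=$(cert_cn "$out_dir/$stem.crt")
        if [ "$cn" != "$device_id" ]; then
            echo "$stem: CN '$cn' does not match device ID '$device_id'" >&2; exit 1
        fi
        if ! key_matches_cert "$out_dir/$stem.key" "$out_dir/$stem.crt"; then
            echo "$stem: private key does not match certificate" >&2; exit 1
        fi
        echo "$stem thumbprint (no colons): $(cert_thumbprint "$out_dir/$stem.crt" sha1)"
    done
}

# Usage: sh make_device_certs.sh <output dir> <device id>
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

Run it as `sh make_device_certs.sh certi W5100S_EVB_PICO_X509`; the two printed thumbprints go into the Primary and Secondary thumbprint fields. The SHA-1 digest matches the log above; IoT Hub also accepts SHA-256 thumbprints (64 hex characters), which `cert_thumbprint file sha256` produces. On Git Bash the `MSYS_NO_PATHCONV=1` line matters: without it MSYS rewrites the `/CN=...` argument into a path under the Git installation directory and the CN silently comes out wrong.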
Take the certificate and key values from the generated files (device1.crt and device1.key) and edit
RP2040-HAT-AZURE-C/examples/sample_certs.c
with them, as shown below. The connection string for this example is "HostName=twarelabhub.azure-devices.net;DeviceId=W5100S_EVB_PICO_X509;x509=true": replace HostName with your own IoT Hub hostname, keep DeviceId equal to the certificate CN, and keep x509=true so the SDK authenticates with the certificate instead of a SAS token. Note that the private key is compiled into the firmware image in plain text; anyone who can read the board's flash or the .uf2 file can extract it, so use a dedicated key per board and do not commit sample_certs.c with a real key.
#include "azure_samples.h"
/* Paste in the your iothub connection string */
const char pico_az_connectionString[] = "[device connection string]";
/* X.509 connection string: HostName and DeviceId must match your hub and the certificate CN */
const char pico_az_x509connectionString[] = "HostName=my-rp2040-hub.azure-devices.net;DeviceId=my-rp2040-device-cli-x509;x509=true";
/* Full PEM text of device1.crt, one source line per PEM line */
const char pico_az_x509certificate[] =
"-----BEGIN CERTIFICATE-----""\n"
"MIIDrTCCApUCFEjR3/7wNgnUOqY5hxGBR92pVjZ3MA0GCSqGSIb3DQEBCwUAMIGS""\n"
"MQswCQYDVQQGEwJLUjEUMBIGA1UECAwLR3llb25nZ2ktZG8xFDASBgNVBAcMC1Nl""\n"
...
"v7wvi4IZvXDFtF+CiE8L3Ym13V+gp2ZJhA7eeeYOBHgr0fcNqCEJScQTopZNfZjA""\n"
"OgWA3VyB8jR6Pxx5DmLwsFm0aYnu+f6xA1lHJs+xeajb""\n"
"-----END CERTIFICATE-----";
/* Full PEM text of device1.key (PKCS#8 "PRIVATE KEY" as written by openssl genpkey) */
const char pico_az_x509privatekey[] =
"-----BEGIN PRIVATE KEY-----""\n"
"MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDAekFjSy6DRyxI""\n"
"B7nSN8znN3Ki9iZM066Zm8VVmm/LRk+TqZ1kfGTS97SzdAX7xuQDCJG0vqlyd+BP""\n"
...
"w6ffC61aVKczE4xiVdIcUh5lOFTK9gi9pOuHvPDHy9ilWGmmetrc/bFRmHcjlW7I""\n"
"o4rWl8O9TIKUL0ViCDsGSg==""\n"
"-----END PRIVATE KEY-----";
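Converting the PEM files into the string-literal form used in sample_certs.c above avoids copy-and-paste errors in the key material. This is an added example, not part of RP2040-HAT-AZURE-C; the function names and arguments are this example's own. It reproduces the exact layout shown above: every PEM line wrapped as `"<line>""\n"` and the final line closed with `;`.

```shell
#!/bin/sh
# Added example, not code from RP2040-HAT-AZURE-C: turn a PEM file into the
# string-literal form that sample_certs.c uses. Function names are assumptions
# of this example.
set -eu

# $1 = C identifier, $2 = PEM file
# e.g. pem_to_c_string pico_az_x509certificate device1.crt
pem_to_c_string() {
    printf 'const char %s[] =\n' "$1"
    # 1. drop trailing CR/whitespace (Windows line endings) and blank lines
    # 2. wrap each remaining line as "<line>""\n"
    # 3. on the last line replace the trailing ""\n" with ";, as in sample_certs.c
    sed 's/[[:space:]]*$//' "$2" | grep -v '^$' \
        | sed -e 's/.*/"&""\\n"/' -e '$s/""\\n"$/";/'
}

# Emit both definitions; redirect the output into sample_certs.c after the
# connection strings.  $1 = device certificate PEM, $2 = device private key PEM
emit_sample_certs() {
    pem_to_c_string pico_az_x509certificate "$1"
    pem_to_c_string pico_az_x509privatekey "$2"
}

# Usage: sh pem_to_c.sh device1.crt device1.key >> examples/sample_certs.c
if [ "$#" -eq 2 ]; then
    emit_sample_certs "$1" "$2"
fi
```

Because the output contains the private key, treat the generated sample_certs.c like the .key file itself: keep it out of version control and out of any shared build artifacts.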
- Select the example in main.c
In RP2040-HAT-AZURE-C/examples/main.c, find the lines below and define only APP_CLI_X509, leaving the other APP_* macros commented out. Define _DHCP to get the address by DHCP, or comment it out to use the static address in g_net_info:
(...)
// The application you wish to use should be uncommented
//
//#define APP_TELEMETRY
//#define APP_C2D
#define APP_CLI_X509
//#define APP_PROV_X509
// The application you wish to use DHCP mode should be uncommented
#define _DHCP
static wiz_NetInfo g_net_info =
{
.mac = {0x00, 0x08, 0xDC, 0x12, 0x34, 0x56}, // MAC address
.ip = {192, 168, 11, 2}, // IP address
.sn = {255, 255, 255, 0}, // Subnet Mask
.gw = {192, 168, 11, 1}, // Gateway
.dns = {8, 8, 8, 8}, // DNS server
#ifdef _DHCP
.dhcp = NETINFO_DHCP // DHCP enable/disable
#else
// this example uses static IP
.dhcp = NETINFO_STATIC
#endif
};
Run the make command in the build directory:
(PWD) RP2040-HAT-AZURE-C/build/examples
$ make
[ 12%] Built target AZURE_SDK_FILES
[ 12%] Built target bs2_default
[ 12%] Built target bs2_default_padded_checksummed_asm
[ 12%] Built target W5100S_FILES
[ 13%] Built target ETHERNET_FILES
[ 13%] Built target DHCP_FILES
[ 13%] Built target DNS_FILES
[ 21%] Built target SNTP_FILES
[ 43%] Built target AZURE_SDK_PORT_FILES
[ 43%] Performing build step for 'ELF2UF2Build'
[100%] Built target elf2uf2
[ 43%] No install step for 'ELF2UF2Build'
[ 43%] Completed 'ELF2UF2Build'
[ 44%] Built target ELF2UF2Build
[ 56%] Built target mbedcrypto
[ 58%] Built target mbedx509
[ 59%] Built target mbedtls
[ 66%] Built target TIMER_FILES
[ 73%] Built target SPI_FILES
Consolidate compiler generated dependencies of target main
[ 75%] Building C object examples/CMakeFiles/main.dir/main.c.obj
[ 75%] Linking CXX executable main.elf
[100%] Built target main
Open the board's "COM" (serial) port in a terminal to see the debug output.
Add device in your Azure IoT Hub
Create a device with the X.509 Self-Signed authentication type
- Copy the fingerprint strings (without colons) as described in 1.1. Developer PC - Generate Device self-signed certificates
Check the device in the "device list"
Click the device name created in the previous section
Go to "Telemetry" menu and click "Start"
Wait for incoming messages
(PWD) RP2040-HAT-AZURE-C/build/examples
$ cp main.uf2 /f/
Copy main.uf2 to the RP2040's USB mass-storage drive (RPI-RP2, mounted as /f/ in this example). The board then connects to Azure IoT Hub, is authenticated by the hub with the embedded X.509 certificate during the TLS handshake, and starts sending messages.
You can see the incoming messages from your IoT device in the Telemetry view.