How to create a Device Provisioning Service EnrollmentGroup with a Root CA Certificate through the Azure CLI 2.0?

  • Question

  • In our project we're using the Azure Resource Manager to deploy our infrastructure.

    Recently we started using the IoT Hub Device Provisioning Service with X.509 certificate-based authentication.

    Naturally we're deploying the DPS instances with an ARM template, and we're configuring the DPS instances with a PowerShell script that uses the Azure CLI 2.0 (with the IoT extension).

    The PowerShell script uploads a Root CA certificate, goes through the proof of possession flow and then creates an enrolment group. The issue is that there seems to be no way of creating an EnrollmentGroup with the certificate type "Root CA Certificate" through the Azure CLI 2.0.

    The closest we got was using "az iot dps enrollment-group create", which requires the path to a certificate file. That seemed odd but, while testing the script, I provided the path to a local copy of the Root CA certificate which I previously uploaded. The EnrollmentGroup I ended up with had the Certificate Type set to "Intermediate Certificate" which is not what we want.

    Is there a way to create an EnrollmentGroup in my Device Provisioning Service, using the Azure CLI 2.0 tools, that has the Certificate Type set to Root CA Certificate?

    I am aware of the IoT Hub DPS service SDK, which seems to be able to create an EnrollmentGroup with an Attestation mechanism which I create. But I want to avoid the service SDK for the time being.

    It is a bit frustrating because this EnrollmentGroup is the last missing piece in the automatic deployment of our infrastructure. I'd rather not introduce heterogeneous tools in our pipeline; that's why I want to get everything done in a PowerShell script.

    Wednesday, March 21, 2018 7:23 PM

Answers

  • Hi Marius,

    I'm sorry you've hit this roadblock in your deployment! This is a gap in the CLI, and we have a work item tracking it.

    The good news is that as long as you've gone through the proof of possession flow for your CA, having the cert labeled as an "intermediate certificate" in your enrollment group will be functionally equivalent to it being of the type "Root CA Certificate." This works because the "intermediate" cert chains up to the "Root CA cert" (because they're the same), so the device will be identified as a member of that enrollment group. I've verified this works on my DPS.

    Let me know if you're having problems with that or the proof of possession step - I have the CLI commands handy for doing the proof of possession and can share if that's helpful.

    best,
    Nicole

    Wednesday, March 21, 2018 10:41 PM

All replies

  • I can confirm this.

    Today my device was successfully provisioned and landed in the EnrollmentGroup which was set up with the Root CA Certificate as an Intermediate CA Certificate.

    Do you have a timeline for when this gap in the CLI will be closed?

    Thanks for the clarification!

    Thursday, March 22, 2018 8:42 AM
  • The CLI now supports creating enrollment groups by referencing the CA you wish to use. The documentation is lagging behind though.
    Tuesday, April 17, 2018 9:57 PM
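The flow the question describes (upload the root CA, complete proof of possession, then create the enrollment group), written as an added PowerShell example that is not from the thread or from Microsoft. It assumes the later extension behaviour the last reply mentions, where the group references the uploaded CA by name via `--ca-name`; the resource group, DPS name, certificate name, file paths and enrollment id are placeholders, and openssl must be on PATH to issue the verification certificate.

```powershell
# Added example (not from the thread). Assumes: az CLI with the IoT extension logged in,
# openssl on PATH, and a local root CA key/cert pair that is only needed for proof of possession.
$ErrorActionPreference = 'Stop'
$rg       = 'my-rg'           # placeholder resource group
$dps      = 'my-dps'          # placeholder DPS instance name
$certName = 'fleet-root-ca'   # name the CA is registered under in DPS (placeholder)
$caCert   = '.\root-ca.pem'   # public root CA certificate, PEM (placeholder path)
$caKey    = '.\root-ca.key'   # CA private key; needed only to sign the verification cert

# 1. Upload the public CA certificate. DPS lists it as unverified until proof of possession is done.
$uploaded = az iot dps certificate create -g $rg --dps-name $dps `
    --certificate-name $certName --path $caCert -o json | ConvertFrom-Json

# 2. Ask DPS for a verification code; the etag must match the current certificate version.
$vc = az iot dps certificate generate-verification-code -g $rg --dps-name $dps `
    --certificate-name $certName --etag $uploaded.etag -o json | ConvertFrom-Json
$code = $vc.properties.verificationCode

# 3. Issue a short-lived leaf certificate whose CN is the verification code, signed by the CA key.
#    Producing it proves we hold the private key that matches the uploaded CA certificate.
& openssl genrsa -out verify.key 2048
& openssl req -new -key verify.key -subj "/CN=$code" -out verify.csr
& openssl x509 -req -in verify.csr -CA $caCert -CAkey $caKey -CAcreateserial -days 1 -out verify.pem

# 4. Submit the verification certificate; on success DPS marks the CA as verified.
$verified = az iot dps certificate verify -g $rg --dps-name $dps --certificate-name $certName `
    --etag $vc.etag --path .\verify.pem -o json | ConvertFrom-Json
if (-not $verified.properties.isVerified) { throw "Proof of possession failed for $certName" }

# 5. Create the enrollment group by referencing the verified CA by name instead of passing a
#    certificate file, so the group is tied to the CA registered on the DPS rather than to an
#    inline "intermediate" copy of it.
az iot dps enrollment-group create -g $rg --dps-name $dps --enrollment-id 'fleet-group' --ca-name $certName

# The verification key and certificate have no further use once the CA is verified.
Remove-Item verify.key, verify.csr, verify.pem -ErrorAction SilentlyContinue
```

Run it from the directory holding the CA files after `az login`; the CA private key never leaves the machine, since only the signed verification leaf is uploaded.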