How to create new iot hub with new TLS certificate root?
joe-agent opened this issue · 3 comments
Currently when we create a new iot hub, we need to run an extra command to upgrade the TLS certificate root to v2, like below:
az iot hub device-identity create -n $iotHubName -d my-data > iotDevice.json
az iot hub certificate root-authority set --hub-name $iotHubName --certificate-authority v2 -y
Is it possible to use the v2 certificate when we use az iot hub device-identity create? If yes, how?
I am assuming you mean az iot hub create with the v2 certificate. If so, we do not currently have a solution for this and would recommend you create a hub and then migrate it to v2. The migration will happen between February 15 and October 15 (as per https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169 and https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=cli#timeline) so this temporary command will be removed once the migration is over. We decided it is not worth adding another optional parameter to the iot hub create experience if it will be temporary.
If you were asking about how to make a device that would have the v2 certificates, please make sure that if the device uses certificate authentication, it supports the Baltimore root certificate. Please read more here: https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=cli#required-steps and https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169
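The create-then-migrate sequence recommended above as a script, with a verification step so the hub is confirmed on v2 before any device identities are created. This is an added example, not code from the thread or from the azure-iot extension; it assumes that `az iot hub certificate root-authority show` exists alongside `set` and that its output carries an `enableRootCertificateV2` field, and the hub name and resource group are placeholders. `AZ` can be pointed at a stub so the script can be exercised without an Azure subscription.

```shell
#!/bin/sh
# Added example: create a hub, switch its TLS root authority to v2 using the
# temporary command from the thread, then verify before provisioning devices.
# Assumptions (not confirmed by the thread): the azure-iot extension is
# installed, `root-authority show` exists, and it reports a boolean field
# named enableRootCertificateV2.
set -eu
AZ="${AZ:-az}"   # override with a stub function for offline runs

# Create the hub; new hubs were still on the v1 root when the thread was written.
create_hub() {
  hub="$1"; rg="$2"
  $AZ iot hub create -n "$hub" -g "$rg" --sku S1 -o none
}

# Migrate the hub's root authority to v2 (the command quoted in the issue).
set_root_v2() {
  hub="$1"
  $AZ iot hub certificate root-authority set --hub-name "$hub" \
    --certificate-authority v2 -y -o none
}

# Return 0 only when the hub reports v2. Run this before creating device
# identities, since devices must trust the v2 root to keep connecting.
verify_root_v2() {
  hub="$1"
  current=$($AZ iot hub certificate root-authority show --hub-name "$hub" \
    --query enableRootCertificateV2 -o tsv)
  [ "$current" = "true" ]
}

# Whole procedure: create, migrate, verify. Fails fast under set -e if any step fails.
migrate_new_hub() {
  create_hub "$1" "$2"
  set_root_v2 "$1"
  verify_root_v2 "$1"
}

# Usage: sh migrate_hub.sh <hub-name> <resource-group>
if [ "$#" -ge 2 ]; then
  migrate_new_hub "$1" "$2"
fi
```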
@vilit1 thanks for the response.
I am assuming you mean az iot hub create with the v2 certificate.
yes
az iot hub certificate root-authority set --hub-name $iotHubName --certificate-authority v2 -y
After October 15, does the code above fail?
az iot hub device-identity create -n $iotHubName -d my-data > iotDevice.json
After October 15, would the new device created by the code above have v2 certificates?
If no, could you show a code snippet or example showing how to do so?
Regarding your first question, all IoT Hubs are expected to migrate by then (and the root authority certificate would already be v2) so the command will no longer be needed.
For the second question, please read through https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169 and https://learn.microsoft.com/en-us/azure/iot-hub/migrate-tls-certificate?tabs=cli#required-steps; specifically, this describes how your device may be affected.