0
votes

I am doing a hands-on with IoT Hub, so everything is only on my local desktop. In production, I was curious to know where each of the certificates would be placed, i.e. on the device, on IoT Hub, or somewhere else:

Root Certificate - Uploaded on Azure Portal
Verified Certificate - Uploaded on Azure Portal
PFX File - On Device
Intermediate Certificates (Chain of Trust) - ???
Root Certificate PEM File - ???

Sorry for this insane question. But I want to know the same. Thanks in advance.

1
In addition to what @Todd points out, in production an HSM is the most secure form of storing secrets for both X.509 certificates and SAS tokens.
Rita Han

1 Answer

0
votes

On the device the certificate can be anywhere that makes sense, but the certificate store is probably the best option. You don't need to store the root certificate anywhere though. The IoT Hub service only checks that the thumbprint is valid, but doesn't do any chain validation. The place to do that is in whatever process you're using to register the devices.

That's all different if you're using IoT Hub Provisioning Service though, as that will do chain validation, and the device cert must reside on a TPM.
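As an added example (not code from the question, the answer, or Azure's own tooling) of where the chain validation the answer describes fits in practice: a registration-side script that validates a device certificate against the root through the intermediate with openssl, and only then computes the thumbprint that IoT Hub stores for the device. It assumes openssl is on PATH; the CA names and device id are placeholders, and all certificates are generated locally as constructed sample data.

```shell
# Added example, not from the answer above: a registration-side script that
# validates a device certificate against an operator-held chain of trust and
# then computes the thumbprint that IoT Hub actually stores. All certificates
# are generated locally as constructed sample data; names are placeholders.
set -eu

WORK=$(mktemp -d)
DEVICE_ID="example-device-001"    # assumed device id, used as the leaf CN
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

gen_chain() {
  # Extensions for the two CA certs and for the device (leaf) cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/dev.ext"
  # Root CA (self-signed). In production its key stays offline or in an HSM.
  openssl req $EC -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA issued by the root: the "chain of trust" layer.
  openssl req $EC -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Device cert issued by the intermediate: what the device holds (PFX/PEM plus key).
  openssl req $EC -keyout "$WORK/device.key" -out "$WORK/device.csr" -subj "/CN=$DEVICE_ID" 2>/dev/null
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 365 -extfile "$WORK/dev.ext" -out "$WORK/device.pem" 2>/dev/null
}

# Chain validation lives here, in the registration process, not in IoT Hub:
# only the root is trusted, the intermediate is passed as untrusted, and the
# device cert must chain up to the root through it.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/device.pem" >/dev/null 2>&1
}

# The per-device value IoT Hub keeps: SHA-1 over the DER certificate, as hex.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

gen_chain
if verify_chain; then
  echo "chain OK: register $DEVICE_ID with primary thumbprint $(thumbprint "$WORK/device.pem")"
else
  echo "chain validation failed: refusing to register $DEVICE_ID" >&2
  exit 1
fi
```

The same check can be pointed at a real device CSR or certificate and a real root, which is the step the answer places in the device-registration process.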