Azure IoT Hub Device x509 Self-Signed Certificate (Python MQTT)

1
votes

How to settle (Self-signed) CA certificates and Client certificates and Username/password on a Self-signed device connection?

I am working with an MQTT Python client and I want to settle up Device Self-signed certificate option. I have been able to connect with a SAS Device Settle and now I don't know what I need for it.

W.

When i worked with SAS token I had the azure Digicert CA and then on the Device key and cert set as None.

Now I am using the same azure baltimore Root certificate provided by them (Digicert) and with OPENssl i created the Client key and crt from where I toke the thumbprint is that correct?

I created them with openssl and had .crt and .key so i passed them into .pem.

So could it be because of the format of the client keys or what should I give as certificates?

As the password and username what I have as password should be None now or maybe the thumbprint, since i have no SAS token key.So what should I fit in there? 

from paho.mqtt import client as mqtt
import ssl
import time

Data = {"Temp":44,"Pressure":55,"Power":66}
path_to_root_cert = "C:/Users/../digicert.cer"
device_cert = "C:/Users//../m2mqtt_ca.cer"
device_key = "C:/Users//../m2mqtt_ca.key"

device_id = "x509Device"
sas_token = "SharedAccessSignature sr=...."

SAS Created with Device explorer twin

iot_hub_name = "Iothubdev"

def on_connect(client, userdata, flags, rc):
    if rc==0:
        client.connecte_flag = True
        print ("Connected OK \n Device connected with result code: " + str(rc))
    else:
        print("Bad connection returned code=", str(rc))
        client.bad_connection_flag = True
        logging.info("Disconnecting reason:" + str(rc))

def on_disconnect(client, userdata, rc):
  print ("Device disconnected with result code: " + str(rc))

def on_publish(client, userdata, mid):
  print ("Device sent message")

client = mqtt.Client(client_id=device_id, protocol=mqtt.MQTTv311)

client.on_connect = on_connect
client.on_disconnect = on_disconnect
client.on_publish = on_publish

client.username_pw_set(username=iot_hub_name+".azure-devices.net/" + device_id, password=None)

client.tls_set(ca_certs=path_to_root_cert, certfile=device_cert, keyfile=device_key, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)
client.tls_insecure_set(False)

try:
    client.connect(iot_hub_name+".azure-devices.net", port=8883) #Connect to Broker
except:
    print("Connection Failed")

#client.connect(iot_hub_name+".azure-devices.net", port=8883) #Connect to Broker

client.publish("devices/" + device_id + "/messages/events/", str(Data), qos=1)
client.loop_forever()
#time.sleep(2)
#client.disconnect()

> Azure IoT Hub Certificate in here says use Baltimore certificate as CA

Client crt

Client key

But is not working for me right now

1
pythonazuresslmqttazure-iot-hub
Please check the host name of you IoT Hub. I think it shoud be *.azure-devices.net. You can try to use X.509 CA Signed device to test this issue.Michael Xu - MSFT
Oops, hahah Actually I changed it because i thought it was specially from my azure acc which i wouldnt like to share XD @Michael Xu -MSFTMarcoPolo11
I can reproduce this issue with Self-Signed device too. I'm not sure if Self-Signed device supports MQTT communication directly at this moment.Have you tried to test this issue with X.509 CA signed device? I would works. @MarcoPolo11Michael Xu - MSFT

1 Answers

0
votes

I have tried with CA certificatre Device where i settle the certificate first on the iot hub and verify it with the client and either way it doesn't work.

I didn't use Powershell so I can't tell... I used openssl

Used openssl in order to create the CA certificate and then with a client certificate with a CN of the verification generated code I verified the Certificate.

enter image description here

enter image description here

And now about the codeHow do I settle the certificates and which format since in powershell talk about chained key and everything but it doesn't specify what it demands.

Should it be: Azure Baltimore certificate first?? CA certificate CA key

or CA Certificate Client certificate verificated CN Client key

(And with which extension??)

path_to_root_cert = "C:/Users/../digicert.cer"
device_cert = "C:/Users//../m2mqtt_ca.cer"
device_key = "C:/Users//../m2mqtt_ca.key"

client.tls_set(ca_certs=path_to_root_cert, certfile=device_cert, keyfile=device_key, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)

@Michael Xu - MSFT