Your company is extending its operation and it has just built a new plant which is going to manufacture batteries for electric vehicles.
The plant is equipped with thousands of sensors whose data are to be transmitted to an Azure IoT Hub and then to other cloud services for further analysis.
Your task is to design the group provisioning of devices using X.509 certificates.
Enrollment for the new plant must be separated from other plants.
How would you organize the use of certificates?
Correct Answer: B.
Option A is incorrect because device (or leaf) certificates should be used only on the end devices themselves.
A leaf certificate is the end of the chain of trust and is never used to sign further certificates.
Option B is CORRECT because an intermediate certificate is the one used to group devices by product line, location, or plant, which is exactly what this scenario needs.
The intermediate certificate for the new plant signs only the certificates of devices belonging to that plant, which keeps it separated from the other plants.
Option C is incorrect because the CA certificate is the company's top-level (root) certificate.
It is used to sign the intermediate certificates and should not be used in the enrollment entries.
Option D is incorrect because only the use of intermediate certificates (B) is recommended.
The CA certificate (C) should not be used at the enrollment-group level.
To secure communication between the devices and Azure IoT Hub, X.509 certificates can be used. These certificates authenticate the devices and encrypt the data transmitted. For group provisioning of devices using X.509 certificates, Device Provisioning Service (DPS) can be used. DPS is a cloud-based service that automates the registration of devices to an Azure IoT hub and assigns X.509 certificates to the devices.
In this scenario, the new plant has thousands of sensors, and their data needs to be transmitted to an Azure IoT Hub. The enrollment of these devices needs to be separated from other plants, so a separate enrollment entry is required for the new plant. The enrollment entry is responsible for managing the authentication and authorization of the devices.
To organize the use of certificates, we need to choose the appropriate certificate to assign to the DPS enrollment entry. The options are:
A. Assign device certificates to the DPS enrollment entry: This option means that each device will have its own unique certificate. This certificate will be used to authenticate the device and encrypt the data. However, this option can be time-consuming as it requires assigning a certificate to each device.
B. Assign intermediate certificate to the DPS enrollment entry: This option involves using an intermediate certificate authority (CA) to generate certificates for the devices. The intermediate CA certificate is assigned to the DPS enrollment entry, and it is used to sign the device certificates. This option reduces the time and effort required to manage the certificates.
C. Use the CA certificate for the enrollment entry: This option involves using a root CA certificate to generate certificates for the devices. The root CA certificate is assigned to the DPS enrollment entry, and it is used to sign the device certificates. This option provides a higher level of security as it uses a trusted root CA certificate.
D. Either B or C: This option means that we can choose between using an intermediate CA certificate or a root CA certificate.
In conclusion, the best option for this scenario would be to assign an intermediate CA certificate to the DPS enrollment entry. This option balances security and convenience by providing a reliable way of generating certificates for the devices without the complexity of assigning a unique certificate to each device.
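To make the separation concrete, here is an added example (it is not part of the original question and is not Azure's or DPS's own tooling): a small OpenSSL script that builds the hierarchy behind option B, a company root CA that signs one intermediate CA per plant, each of which signs device (leaf) certificates. It then emulates the enrollment-group decision locally with `openssl verify`: the root is trusted, the intermediate registered for a group is offered as the untrusted chain, and a device is accepted only when its certificate chains through that intermediate. The plant and device names (`plant-a`, `plant-b`, `sensor-0001`, `rogue-0009`) are made up, and the last check illustrates the point made against option A: a certificate signed with a device's key does not verify, because the leaf is `CA:FALSE` and ends the chain.

```shell
#!/bin/sh
# Added example, not from the original question or from Azure's tooling.
# Hierarchy built here (option B):
#   root CA  ->  one intermediate CA per plant  ->  device (leaf) certificates
# Plant and device names (plant-a, plant-b, sensor-0001, rogue-0009) are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair + CSR for a given name and subject (P-256 key, no passphrase).
gen_csr() { # $1 = name, $2 = subject
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Sign a CSR with an issuer's certificate and key, applying $name.ext.
sign_csr() { # $1 = name, $2 = issuer name, $3 = validity in days
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$3" -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Company root CA: self-signed, CA:TRUE, only ever signs intermediates.
make_root() {
  gen_csr root "/CN=Example Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# Per-plant intermediate CA. pathlen:0 lets it sign leaves but no further CAs.
make_plant_ca() { # $1 = plant name
  gen_csr "$1" "/CN=Example $1 Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$1.ext"
  sign_csr "$1" root 1825
}

# Device (leaf) certificate: CA:FALSE, client authentication only.
make_device() { # $1 = issuer name, $2 = device id
  gen_csr "$2" "/CN=$2"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/$2.ext"
  sign_csr "$2" "$1" 365
}

# Emulated enrollment-group check: the root is trusted, the named certificates
# (the intermediate registered for the group, plus whatever the device presents)
# form the untrusted chain. Prints "ok" or "rejected".
verify_device() { # $1 = device id, $2.. = names of untrusted chain certificates
  dev=$1; shift
  chain="$WORK/$dev.chain"
  : > "$chain"
  for c in "$@"; do cat "$WORK/$c.pem" >> "$chain"; done
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$chain" "$WORK/$dev.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Option A's point: a leaf ends the chain. Either openssl declines to sign with
# a CA:FALSE certificate, or the verifier rejects the result. Prints "rejected".
leaf_as_issuer() {
  if make_device sensor-0001 rogue-0009; then
    verify_device rogue-0009 plant-a sensor-0001
  else
    echo rejected
  fi
}

make_root
make_plant_ca plant-a
make_plant_ca plant-b
make_device plant-a sensor-0001      # a sensor installed in the new plant

echo "sensor-0001 under the plant-a group: $(verify_device sensor-0001 plant-a)"   # ok
echo "sensor-0001 under the plant-b group: $(verify_device sensor-0001 plant-b)"   # rejected
echo "certificate signed by a device key:  $(leaf_as_issuer)"                      # rejected
```

The second line is the separation the question asks for: the same device certificate is rejected as soon as the group's intermediate is a different plant's, even though both intermediates descend from the same company root. Registering the root itself at group level (option C) would remove that distinction, because every plant's devices chain to it.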