
Authenticate IoT devices registered via DPS group enrollment using TPM


We would like to register our IoT devices using a DPS group enrollment based on an intermediate X.509 certificate. Once the device is provisioned, we can authenticate the device at the IoT Hub using X.509 attestation. So far, so good, and that actually works.

However, this has the problem that the device needs the full device certificate, including the private key, at hand. Therefore, we would like to use TPM attestation, but I am struggling to understand how this can work. The documentation says we should update the enrollment list, but as far as I understood, this means a separate individual enrollment for each device, which we would like to avoid as well.

Is it possible to authenticate the device using TPM attestation if the public key of the device certificate matches the endorsement key, if the devices have been provisioned using a group enrollment?

Thanks


Solution

  • There is a document which shows the series of steps that need to be taken to complete the group enrollment for the certificate. You need to follow the syntax mentioned in the document to complete the process.

    http://busbyland.com/azure-iot-device-provisioning-service-via-rest-part-1/

    DOCUMENT CREDIT: msstevebus

    To complete device authentication using an X.509 CA certificate, follow the document.

    Device enrollment like group enrollment is possible, but not with TPM.

    As mentioned in the image, TPM is used for individual device enrollment.
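The answer above covers the two attestation types the question mentions: X.509 group enrollment (the device must hold its own certificate and private key) and TPM (individual enrollments only, keyed on the endorsement key). DPS has a third attestation type, symmetric key, which also supports group enrollment and avoids shipping a per-device certificate: the service and the device both derive a per-device key as HMAC-SHA256 of the registration ID under the group master key, and the device signs a SAS token with that derived key. The following is an added example, not code from the original post or from the Azure SDK; it uses only the Python standard library, and the ID scope and group master key are constructed sample values, not real credentials. The derivation and the token layout follow the DPS documentation (`sr` is `{idScope}/registrations/{registrationId}`, the policy name is always `registration`, and the string to sign is the URL-encoded `sr`, a newline, and the expiry). The verification function is an illustration of the check DPS performs, not the service's code.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed sample values, not real credentials: a made-up DPS ID scope and a
# hypothetical group enrollment master key (32 bytes, base64 as the portal shows it).
ID_SCOPE = "0ne00000000"
GROUP_MASTER_KEY = base64.b64encode(bytes(range(32))).decode()


def derive_device_key(group_master_key_b64: str, registration_id: str) -> str:
    """Per-device key for a symmetric-key group enrollment.

    DPS defines it as base64(HMAC-SHA256(base64decode(group_key), registration_id)),
    so a device only needs its derived key; the group master key never leaves the
    provisioning back end.
    """
    key = base64.b64decode(group_master_key_b64)
    mac = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def _signature(device_key_b64: str, encoded_sr: str, expiry: int) -> str:
    # String to sign: URL-encoded resource URI, newline, expiry (seconds since epoch).
    to_sign = f"{encoded_sr}\n{expiry}".encode("utf-8")
    key = base64.b64decode(device_key_b64)
    return base64.b64encode(hmac.new(key, to_sign, hashlib.sha256).digest()).decode()


def build_dps_sas_token(id_scope: str, registration_id: str,
                        device_key_b64: str, expiry: int) -> str:
    """Device side: the SAS token presented to DPS when registering."""
    encoded_sr = quote(f"{id_scope}/registrations/{registration_id}", safe="")
    sig = quote(_signature(device_key_b64, encoded_sr, expiry), safe="")
    return f"SharedAccessSignature sr={encoded_sr}&sig={sig}&se={expiry}&skn=registration"


def verify_dps_sas_token(token: str, group_master_key_b64: str, now: int) -> bool:
    """Service side (illustrative): re-derive the device key from the group master key
    and the registration ID carried in sr, recompute the signature, and check expiry."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
        sr = fields["sr"][0]
        sig = fields["sig"][0]
        expiry = int(fields["se"][0])
        skn = fields["skn"][0]
    except (KeyError, ValueError):
        return False
    parts = sr.split("/")
    if skn != "registration" or len(parts) != 3 or parts[1] != "registrations":
        return False
    if expiry <= now:
        return False
    _, _, registration_id = parts
    device_key = derive_device_key(group_master_key_b64, registration_id)
    expected = _signature(device_key, quote(sr, safe=""), expiry)
    # Constant-time comparison so a tampered token cannot be probed byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    registration_id = "dev-001"  # constructed; DPS uses it as the device ID in IoT Hub
    device_key = derive_device_key(GROUP_MASTER_KEY, registration_id)
    token = build_dps_sas_token(ID_SCOPE, registration_id, device_key, int(time.time()) + 3600)
    print(token)
    print("valid:", verify_dps_sas_token(token, GROUP_MASTER_KEY, int(time.time())))
```

The security point relative to the X.509 path in the question: the device still holds a secret (the derived key), but it is a per-device secret computed from a value that never needs to be provisioned onto the device, and a compromised device key exposes only that registration ID. If the key must itself be hardware-protected, that is what the TPM individual enrollment provides, and, as the answer states, it cannot be combined with a group enrollment.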