案例-設備通過X509證書經DPS驗證後註冊到IoT Hub並開始通信
本案例步驟:
注意,前兩個步驟已經在之前的章節中介紹過,本文從第3個步驟開始介紹。
1. 通過openssl和微軟示例Powershell腳本生成CA Root證書;
2. 將CA Root證書上傳到DPS服務並完成所有權驗證;
3. 通過openssl和微軟示例Powershll腳本生成 設備證書;
4. 模擬程序(C#)使用設備證書 向DPS進行身份驗證並註冊到IoT Hub中;
5. 模擬程序使用設備證書直接向IoT Hub 發送遙測消息。
其中第4/5步驟的邏輯圖如下:
視頻講解:
您可以在B站觀看視頻講解:https://www.bilibili.com/video/av93099113/
圖文講解:
3. 通過openssl和微軟示例Powershll腳本生成 設備證書;
執行如下命令,生成設備證書,其中mydevice001 表示證書名稱,也就是最終註冊到IoT Hub中的設備ID:
New-CACertsDevice mydevice001
需要輸入證書密碼,此密碼由用戶定義,這裏我們輸入了 12345678
按照提示再次輸入密碼,即可如下圖生成證書,我們在設備中使用的是 mydevice001.pfx 證書文件。
4. 模擬程序(C#)使用設備證書 向DPS進行身份驗證並註冊到IoT Hub中;
將證書拷貝到示例代碼中,該實例代碼我們在第三講《Azure IoT 中級(3)-(案例1)使用DPS通過對稱密鑰進行單個設備註冊》中使用過
下載地址:https://codeload.github.com/Azure-Samples/azure-iot-samples-csharp/zip/master
本節使用的是 azure-iot-samples-csharp-master\provisioning\Samples\device\X509Sample 項目
代碼中需要修改的地方:
”GlobalDeviceEndpoint“ 改成"global.azure-devices-provisioning.cn"
"s_certificateFileName"改成證書的名稱,此處爲”mydevice001.pfx“
”s_idScope“改成實際的DPS的 id scope。
using Microsoft.Azure.Devices.Provisioning.Client; using Microsoft.Azure.Devices.Provisioning.Client.Transport; using Microsoft.Azure.Devices.Shared; using System; using System.IO; using System.Security.Cryptography.X509Certificates; using System.Text; namespace Microsoft.Azure.Devices.Provisioning.Client.Samples { public static class Program { // The Provisioning Hub IDScope. // For this sample either: // - pass this value as a command-prompt argument // - set the DPS_IDSCOPE environment variable // - create a launchSettings.json (see launchSettings.json.template) containing the variable // private static string s_idScope = Environment.GetEnvironmentVariable(""); private static string s_idScope = "0cn0000DC5D"; // In your Device Provisioning Service please go to "Manage enrollments" and select "Individual Enrollments". // Select "Add individual enrollment" then fill in the following: // Mechanism: X.509 // Certificate: // You can generate a self-signed certificate by running the GenerateTestCertificate.ps1 powershell script. // Select the public key 'certificate.cer' file. ('certificate.pfx' contains the private key and is password protected.) // For production code, it is advised that you install the certificate in the CurrentUser (My) store. // DeviceID: iothubx509device1 // X.509 certificates may also be used for enrollment groups. // In your Device Provisioning Service please go to "Manage enrollments" and select "Enrollment Groups". // Select "Add enrollment group" then fill in the following: // Group name: <your group name> // Attestation Type: Certificate // Certificate Type: // choose CA certificate then link primary and secondary certificates // OR choose Intermediate certificate and upload primary and secondary certificate files // You may also change other enrollemtn group parameters according to your needs private const string GlobalDeviceEndpoint = "global.azure-devices-provisioning.cn"; private static string s_certificateFileName = "mydevice001.pfx"; public static int Main(string[] args) { if (string.IsNullOrWhiteSpace(s_idScope) && (args.Length > 0)) { s_idScope = args[0]; } if (string.IsNullOrWhiteSpace(s_idScope)) { Console.WriteLine("ProvisioningDeviceClientX509 <IDScope>"); return 1; } X509Certificate2 certificate = LoadProvisioningCertificate(); using (var security = new SecurityProviderX509Certificate(certificate)) // Select one of the available transports: // To optimize for size, reference only the protocols used by your application. using (var transport = new ProvisioningTransportHandlerAmqp(TransportFallbackType.TcpOnly)) // using (var transport = new ProvisioningTransportHandlerHttp()) // using (var transport = new ProvisioningTransportHandlerMqtt(TransportFallbackType.TcpOnly)) // using (var transport = new ProvisioningTransportHandlerMqtt(TransportFallbackType.WebSocketOnly)) { ProvisioningDeviceClient provClient = ProvisioningDeviceClient.Create(GlobalDeviceEndpoint, s_idScope, security, transport); var sample = new ProvisioningDeviceClientSample(provClient, security); sample.RunSampleAsync().GetAwaiter().GetResult(); } return 0; } private static X509Certificate2 LoadProvisioningCertificate() { string certificatePassword = ReadCertificatePassword(); var certificateCollection = new X509Certificate2Collection(); certificateCollection.Import(s_certificateFileName, certificatePassword, X509KeyStorageFlags.UserKeySet); X509Certificate2 certificate = null; foreach (X509Certificate2 element in certificateCollection) { Console.WriteLine($"Found certificate: {element?.Thumbprint} {element?.Subject}; PrivateKey: {element?.HasPrivateKey}"); if (certificate == null && element.HasPrivateKey) { certificate = element; } else { element.Dispose(); } } if (certificate == null) { throw new FileNotFoundException($"{s_certificateFileName} did not contain any certificate with a private key."); } else { Console.WriteLine($"Using certificate {certificate.Thumbprint} {certificate.Subject}"); } return certificate; } private static string ReadCertificatePassword() { var password = new StringBuilder(); Console.WriteLine($"Enter the PFX password for {s_certificateFileName}:"); while(true) { ConsoleKeyInfo key = Console.ReadKey(true); if (key.Key == ConsoleKey.Backspace) { if (password.Length > 0) { password.Remove(password.Length - 1, 1); Console.Write("\b \b"); } } else if (key.Key == ConsoleKey.Enter) { Console.WriteLine(); break; } else { Console.Write('*'); password.Append(key.KeyChar); } } return password.ToString(); } } }
執行代碼前,在DPS中添加組註冊,選擇證書方式,並從下拉列表裏選擇上一節內容配置到DPS中的證書:
執行代碼:
輸入證書密碼,程序返回DPS將設備註冊到的IoT Hub的名稱和設備ID
此時,便完成了設備通過X509證書通過DPS註冊到IoT Hub的步驟,可以在Portal-DPS中檢查到如下結果:
同時,可以在IoT Hub中看到如下設備,驗證方式是SelfSigned:
5. 模擬程序使用設備證書直接向IoT Hub 發送遙測消息
本步驟參考如下文檔:
示例代碼如下:
需要修改的地方有:
44行mydevice001.pfx, 和 12345678,替換成你的證書路徑和 證書密碼;
45行mydevice001換成你的deviceid
46行iot hub 換成第四步中,DPS返回的IoT Hub
using System; using Microsoft.Azure.Devices.Client; using Microsoft.Azure.Devices.Shared; using System.Security.Cryptography.X509Certificates; using System.Threading.Tasks; using System.Text; namespace x509device { class Program { private static int MESSAGE_COUNT = 5; private const int TEMPERATURE_THRESHOLD = 30; private static String deviceId = "mydevice001"; private static float temperature; private static float humidity; private static Random rnd = new Random(); static async Task SendEvent(DeviceClient deviceClient) { string dataBuffer; Console.WriteLine("Device sending {0} messages to IoTHub...\n", MESSAGE_COUNT); for (int count = 0; count < MESSAGE_COUNT; count++) { temperature = rnd.Next(20, 35); humidity = rnd.Next(60, 80); dataBuffer = string.Format("{{\"deviceId\":\"{0}\",\"messageId\":{1},\"temperature\":{2},\"humidity\":{3}}}", deviceId, count, temperature, humidity); Message eventMessage = new Message(Encoding.UTF8.GetBytes(dataBuffer)); eventMessage.Properties.Add("temperatureAlert", (temperature > TEMPERATURE_THRESHOLD) ? "true" : "false"); Console.WriteLine("\t{0}> Sending message: {1}, Data: [{2}]", DateTime.Now.ToLocalTime(), count, dataBuffer); await deviceClient.SendEventAsync(eventMessage); } } static void Main(string[] args) { try { var cert = new X509Certificate2("mydevice001.pfx", "12345678"); var auth = new DeviceAuthenticationWithX509Certificate("mydevice001", cert); var deviceClient = DeviceClient.Create("seanyuiothub.azure-devices.cn", auth, TransportType.Amqp_Tcp_Only); if (deviceClient == null) { Console.WriteLine("Failed to create DeviceClient!"); } else { Console.WriteLine("Successfully created DeviceClient!"); SendEvent(deviceClient).Wait(); } Console.WriteLine("Exiting...\n"); } catch (Exception ex) { Console.WriteLine("Error in sample: {0}", ex.Message); } } } }
運行程序,看到如下發送遙測結果成功:
本系列其他文章:
- (視頻)Azure IoT 中級(1)-Device Provisioning Service(DPS)概覽
- (視頻)Azure IoT 中級(2)-理解DPS組註冊和單獨註冊
- (視頻)Azure IoT 中級(3)-(案例1)使用DPS通過對稱密鑰進行單個設備註冊
- (視頻)Azure IoT 中級(4)-(案例2)使用DPS通過對稱密鑰進行設備組註冊
- (視頻)Azure IoT 中級(5)- 在 DPS/IoT Hub中使用X509證書的準備工作(1)瞭解證書鏈
- (視頻)Azure IoT 中級(6)- 在 DPS/IoT Hub中使用X509證書的準備工作(2)創建自簽名證書並驗證所有權
- (視頻)Azure IoT 中級(7)- (案例3)設備通過X509證書經DPS驗證後註冊到IoT Hub並開始通信