Zero Touch Provisioning for Azure IoT Hub and Azure DPS

Prerequisite

• You have an account on Azure cloud platform.

• Access to:

1. 1. u-blox Thingstream portal and Security services API interface

   2. module AT command interface. 

If not  yet done, visit the Tools and Software page and the Getting started guide  for items 1 and 2

The following example guides you in the device certificate provisioning procedure and in Azure using Device Provisioning Service (DPS) configuration. 

Procedure overview

This section provides an overview about the required procedure. In the following Example section you will be guided step by step in the implementation.

Once you have an account on the Azure cloud platform, the below procedure can be followed in order to provision a device with necessary certificates/keys to connect to the Azure IoT Hub service by using Zero Touch Provisioning (ZTP).

The procedure is slightly different depending if the device(s) have already bootstrapped or not.

1. Setting up the Azure IoT Hub and Azure Device Provisioning System (DPS)

2. Setting up Zero Touch Provisioning on Thingstream platform using UI or API interface. This step includes the 

   • Generation of the Root CA certificate

   • Generation of the Proof-of-Possession certificate  to upload on Azure DPS

   • Enabling the ZTP feature on the device

   • Enrollment group creation on DPS

3. Setting up the device

4. Connect the device

Example

Setting up Azure IoT Hub and DPS

First of all, create a Resource Group,  by creating a new resource in the Azure Cloud Platform 

You can type in to the resource groups in the search to find the resource groups section. Click on Add and fill in the information as shown in the screen below

Setting up Zero Touch Provisioning

Now  you need to get a CA certificate from the u-blox Security Service to use for ZTP and register it into the Azure cloud platform. These operations are a prerequisite to the ZTP feature activation on the module, so they must be performed prior to it.

You can call the API at https://ssapi.services.u-blox.com/v1/ztp/rootca/create to ask for a CA certificate and pass a name for the CA certificate (used to identify it in later actions), and the validity time both for the CA certificate and the device (or client). Validity is expressed in days.

Let’s for example create a “demo-ca” CA certificate. We’ll send to the above API this content:

{

"CAName": "demo-ca",

"CACertificateValidity": 1825,

"DeviceCertificateValidity": 1825

}

And we’ll receive a response like the following:

{

"CAName": "demo-ca",

"CACertificateValidity": 1825,

"DeviceCertificateValidity": 1825,

"Certificate": "-----BEGIN CERTIFICATE<...>-----END CERTIFICATE-----",

"CreatedDate": "2020-07-03T09:07:44Z"

}

Save the CA certificate’s contents (here truncated) into a .pem  file. 

You can use also the Thingstream UI to to generate the Root CA certificate, selecting the Security Services section in the left side menù and then accessing to the ZTP Certificate Management section.  Once you have generated the Root CA certificate you can use the predisposed link to download it.

Now upload this CA certificate in the Certificates section of DPS as can be seen in the screenshot below 

Setting up the device

This step is required to enable the ZTP feature on the device. You have two options:

1. 1. If the module is not bootstrapped yet, you can configure the Device profile  by accessing Security Services > Device profile section of the portal (See additional information on getting started guide). During the configuration of the Device profile you will be asked to activate the desired features, inlcuding ZTP

   2. If the module is already bootstrapped, select the device in the Thing list section, and activate the ZTP in the Feature panel

At next synchronization of the module with the u-blox Security Service (bootstrap completion or next security heartbeat message), the certificates and keys for Azure connection will be provisioned into the device automatically. 

In order to get CA certificate, device certificate and device private key, the customer’s application running on the device can use the AT+USECDEVCERT command on the module (see next session)

Connect the device to DPS and Azure IoT Hub

Azure IoT Hub requires mutual authentication to establish a TLS connection.  Therefore the device, to verify the identity of the server, needs the Azure Certificate pre-installed; you can download it using this link.  This certificate shall be pre-installed in the production line and it is same for all the devices.

To setup the TLS session, you need to get device private key, certificate and Root CA from the module. You can use the following AT commands for that purpose:

1. Check if the device certificate has been provisioned using: AT+USECDEVCERT?

returns +USECDEVCERT: 0,0,0 if PrivateKey, DeviceCertificate and CaCertificate are present in module

2. Get CA Certificate: AT+USECDEVCERT=2

Returns the CACertificate 

3. Get Device Certificate: AT+USECDEVCERT=1

Returns the DeviceCertificate

4. Get Private Key: AT+USECDEVCERT=0

Returns the PrivateKey

Note:To avoid exposing the private key and the certificate, we suggest to use the Local Chip-to-chip Security that protects the communication between the modem and the MCU.

You can now connect to Azure IoT Hub using above certificates and start communicating by using any external client of choice e.g. Azure SDK.

You can refer to Azure website to find some tutorials on how to connect the device using MQTT or HTTPS protocols.