Zero Touch Provisioning for Azure IoT Hub and Azure DPS

Prerequisite

If not  yet done, visit the Tools and Software page and the Getting started guide  for items 1 and 2

The following example guides you in the device certificate provisioning procedure and in Azure using Device Provisioning Service (DPS) configuration. 

Procedure overview

This section provides an overview about the required procedure. In the following Example section you will be guided step by step in the implementation.

Once you have an account on the Azure cloud platform, the below procedure can be followed in order to provision a device with necessary certificates/keys to connect to the Azure IoT Hub service by using Zero Touch Provisioning (ZTP).

The procedure is slightly different depending if the device(s) have already bootstrapped or not.

Example

Setting up Azure IoT Hub and DPS

First of all, create a Resource Group,  by creating a new resource in the Azure Cloud Platform 

You can type in to the resource groups in the search to find the resource groups section. Click on Add and fill in the information as shown in the screen below

Now create an Azure IoT Hub resource by creating a new resource in the Azure cloud platform.

You can type in IoT Hub in the search to find the IoT Hub section. Click on Add in the IoT Hub section and fill in the information as shown in the screen below

In the Resource group field please select the Resource group we have created in the previous step.

Now create an Azure Device Provisioning Service  by creating a new resource in the Azure cloud platform.

You can type in Device Provisioning Services in the search to find the DPS section. Click on Add in the DPS section and fill in the information as shown in the screen below

In the Resource group field please select the Resource group we have created in the first step.

Once you have created the DPS successfully, Next step is to link it with the IoT Hub created earlier. See screenshot below:

Setting up Zero Touch Provisioning

Now  you need to get a CA certificate from the u-blox Security Service to use for ZTP and register it into the Azure cloud platform. These operations are a prerequisite to the ZTP feature activation on the module, so they must be performed prior to it.

You can call the API at https://ssapi.services.u-blox.com/v1/ztp/rootca/create to ask for a CA certificate and pass a name for the CA certificate (used to identify it in later actions), and the validity time both for the CA certificate and the device (or client). Validity is expressed in days.

Let’s for example create a “demo-ca” CA certificate. We’ll send to the above API this content:

{

"CAName": "demo-ca",

"CACertificateValidity": 1825,

"DeviceCertificateValidity": 1825

}

And we’ll receive a response like the following:

{

"CAName": "demo-ca",

"CACertificateValidity": 1825,

"DeviceCertificateValidity": 1825,

"Certificate": "-----BEGIN CERTIFICATE<...>-----END CERTIFICATE-----",

"CreatedDate": "2020-07-03T09:07:44Z"

}

 

Save the CA certificate’s contents (here truncated) into a .pem  file

You can use also the Thingstream UI to to generate the Root CA certificate, selecting the Security Services section in the left side menù and then accessing to the ZTP Certificate Management section.  Once you have generated the Root CA certificate you can use the predisposed link to download it.

Now upload this CA certificate in the Certificates section of DPS as can be seen in the screenshot below 


Once the certificate is successfully uploaded. The certificate will be shown in the unverified state. Now click on the unverified certificate name and generate a verification code as shown in the screenshot below:

Click on the Generate Verification Code in the above screenshot to get the verification code. Copy this verification code as it is needed to generate Proof of Possession Certificate.

Next step is to create a Proof-of-Possession verification certificate from the u-blox Security Service:

{

"CAName": "demo-ca ",

"RegisterationCode": "BE16C<...>7280"

}

And we’ll get a response like the following:

{

"CAName": "demo-ca",

 "PoPCertificate": "-----BEGIN CERTIFICATE-----<...>-----END CERTIFICATE-----"

}

Save the PoP verification certificate contents (here truncated) into a pop.cer file.

If using the UI,  select the CA certificate from the list, click on Generate PoP certificate link, insert the verification code and download the generated certificate.

NOTE: If the response of the PoP verification response contains the '\n'. Remove these '\n' from the response and then save it into the file.

Upload the proof of possession certificate in Azure UI as shown in the above screenshot. Click Verify to complete the certificate upload process.

Next step is to create an Enrollment Group in DPS. For this, click Managed Enrollments on the left menu. In the enrollment section click on Add enrollment group and then fill the information as shown in screenshot below 

In the Attestation Type click on Certificate. IoT Edge device should be False. Certificate Type should be CA Certificate. Select the uploaded CA in the Primary and Secondary Certificate field.  Click on Save to save the enrollment group.

Setting up the device

This step is required to enable the ZTP feature on the device. You have two options:

At next synchronization of the module with the u-blox Security Service (bootstrap completion or next security heartbeat message), the certificates and keys for Azure connection will be provisioned into the device automatically. 

In order to get CA certificate, device certificate and device private key, the customer’s application running on the device can use the AT+USECDEVCERT command on the module (see next session)

Connect the device to DPS and Azure IoT Hub

Azure IoT Hub requires mutual authentication to establish a TLS connection.  Therefore the device, to verify the identity of the server, needs the Azure Certificate pre-installed; you can download it using this link.  This certificate shall be pre-installed in the production line and it is same for all the devices.

To setup the TLS session, you need to get device private key, certificate and Root CA from the module. You can use the following AT commands for that purpose:

returns +USECDEVCERT: 0,0,0 if PrivateKey, DeviceCertificate and CaCertificate are present in module

Returns the CACertificate 

Returns the DeviceCertificate

Returns the PrivateKey

Note:To avoid exposing the private key and the certificate, we suggest to use the Local Chip-to-chip Security that protects the communication between the modem and the MCU.

You can now connect to Azure IoT Hub using above certificates and start communicating by using any external client of choice e.g. Azure SDK.

You can refer to Azure website to find some tutorials on how to connect the device using MQTT or HTTPS protocols.