If using IoT Central, what specifically needs to be done? It's very unclear in this video and on the Microsoft website.
Hi Traiz, you should have received an email, or you would have seen a banner in your Central dashboard. Basically, you need to prepare your devices by adding the DigiCert Global G2 root at the minimum. I would also add the Microsoft RSA 2017 CA root as well to be sufficiently future-proofed.
Hi Ramit,
but what about devices that are connecting via "Microsoft.Azure.Devices.Client" DeviceClient using SAS? Do I need to do something on the devices?
From my understanding, I do not need to do anything on the devices themselves. There are no certificates on the device (Raspberry Pi) right now. I'm really confused and unsure :-(
@DavidStania Hi David, the server certificate chain is changing; this change has nothing to do with how the service authenticates a device, rather it's how a device validates the server certificate. Currently all devices trust the IoT Hub and DPS endpoints because they are chained to the Baltimore root and the Baltimore root is present in all devices. The change we are making is that the server will start sending out certificates issued by a new chain (rooted to DigiCert Global G2), and this new root must be added to the device to ensure that devices are able to continue validating the server and connecting using TLS.
Hi, what exactly do you mean by "future proofed"?
@Deekudla Hi Deepak, what I mean is that in the absence of any root update mechanism, the best way for a device to circumvent this problem is having multiple roots installed. In the case of Microsoft, this is Global G2 and the MSFT RSA 2017 CA for RSA. PKIs can change and roots can get compromised (albeit a rare event) at any time, so it's best to build in some way to recover automatically.
How long can I use the Baltimore certificate? (revert etc.) -- 2025?
There is also another great fix to this, it's called AWS
Hi Bob, AWS and all cloud providers will likely suffer from similar issues. Public PKI chains use X.509 certificates and those have expirations without exception. Devices should have some degree of crypto agility to update themselves if they are connecting on the public internet. Smartphones, PCs, and traditional computing devices usually have this handled by the OS, but in the case of embedded and IoT, if an update mechanism isn't already built in, not even AWS can help :)
@RamitMalhotra Gotcha, thanks
@RamitMalhotra Is there a set schedule for the certificate change in the future? I mean, when will the root change again?
@bobparker6922 the new root is valid until 2038, but we ask device builders to put in 2 roots - G2 and Microsoft RSA 2017 as a backup.
In general, it is highly recommended to implement some sort of crypto agility in devices - public PKIs are subject to a host of compliance regulations and of course can be compromised anytime. Having a root update mechanism (or trust bundle update mechanism) that doesn't rely on TLS is one way to go. If that's not possible for whatever reason, at the minimum devices should have 2-3 roots depending on who they're talking to and on the cloud side, cloud producers should support multiple roots as well.
For now, G2 will remain, but there's no saying what might trigger another migration.
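An added example, not code from the video or from anyone in this thread, that reproduces the situation Ramit describes in his replies to David and Bob with a throwaway PKI built locally by the openssl CLI. "OldRoot" stands in for the Baltimore root a device trusts today, "NewRoot" for DigiCert Global G2, and "BackupRoot" for Microsoft RSA 2017; the hub hostname is a placeholder, and EC keys are used only because they generate quickly (the key type has no bearing on the trust question). Nothing here touches real Microsoft certificates; it shows why a device whose trust bundle holds only the old root stops connecting the moment the service switches chains, and why shipping the second root costs nothing until it is needed:

```shell
#!/bin/sh
# Added example (not from the thread): toy PKI that simulates the IoT Hub root migration.
# OldRoot / NewRoot / BackupRoot are local stand-ins for Baltimore, DigiCert Global G2 and
# Microsoft RSA 2017. Requires the openssl CLI; everything is generated in a temp dir.
set -eu

HUBHOST="example-hub.azure-devices.net"   # placeholder hub name, not a real endpoint
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config: OpenSSL needs a distinguished_name section even when -subj is used.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a self-signed root CA named $1 ($1.key and $1.pem).
make_root() {
  openssl req -x509 -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -sha256 -days 30 -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a TLS server certificate for $HUBHOST signed by root $1, written to $2.pem.
make_server_cert() {
  openssl req -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -sha256 \
    -subj "/CN=$HUBHOST" -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$HUBHOST" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
}

# Build the roots, a server cert from each chain, and three device trust bundles:
#   bundle-old.pem       only the old root (a device nobody updated)
#   bundle-migrated.pem  old + new root (device prepared before the switch)
#   bundle-agile.pem     old + new + backup root (the "2 roots" recommendation)
build_pki() {
  make_root OldRoot
  make_root NewRoot
  make_root BackupRoot
  make_server_cert OldRoot hub-before-switch
  make_server_cert NewRoot hub-after-switch
  cat OldRoot.pem > bundle-old.pem
  cat OldRoot.pem NewRoot.pem > bundle-migrated.pem
  cat OldRoot.pem NewRoot.pem BackupRoot.pem > bundle-agile.pem
}

# What the device's TLS stack does on connect: validate chain and hostname against its
# own bundle only (no system store). Exit 0 means the connection would succeed.
device_trusts() {   # $1 = trust bundle, $2 = server certificate
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$HUBHOST" "$2" \
    >/dev/null 2>&1
}

report() {   # $1 = trust bundle, $2 = server certificate
  if device_trusts "$1" "$2"; then
    echo "OK    $1 accepts $2"
  else
    echo "FAIL  $1 rejects $2 (device drops offline)"
  fi
}

build_pki
report bundle-old.pem      hub-before-switch.pem
report bundle-old.pem      hub-after-switch.pem     # the outage the thread is about
report bundle-migrated.pem hub-before-switch.pem
report bundle-migrated.pem hub-after-switch.pem
report bundle-agile.pem    hub-after-switch.pem
```

On a Debian-based device such as a Raspberry Pi the equivalent of `bundle-migrated.pem` is dropping the new root into the system store and running `update-ca-certificates`; for SDKs that take an explicit CA file, the device simply needs to be handed the concatenated bundle. Either way the point stands: the check is `openssl verify` (or the TLS handshake) against what the device actually has, not against whatever the service presents.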
@RamitMalhotra One more question Ramit, do you think remote change of the device certificates as well is necessary? I get the Root certificate but I think the device certs should never be changed. Thanks