How to Create Module with x509 authentication with C SDK?

[FaehnrichLE]

Can a module be created when authenticating with x509 certificates?

I'm using x509 certificates to authenticate because I'll have an HSM that's used in first provisioning and creating devices.

So I can create devices with certificates, then I'm able to interact with the device twin.

I want to then create modules under a device. Is there a way to do that with x509 certificates? I see some functions for modules but they all seem to use shared access tokens. Or is there a way to get a shared access token for a device using certificates?

Thanks.

[FaehnrichLE]

I found the Identity Service which provisions devices and modules. It says it can't use x509 authentication for modules, so I wouldn't be surprised if the answer is I can't do what I want.

https://azure.github.io/iot-identity-service/develop-an-agent.html

[CIPop]

X.509 Module Authentication

@FaehnrichLE , the answer is yes: modules (with or without using Azure IoT Edge / Identity Service) can be authenticated via X.509 certificates/HSM (which is our recommended auth. mode).

Unfortunately, we have found the feature poorly documented. I am actively working with our Tech Writers to complete the documentation.

Meanwhile, please see my instructions in https://github.com/MicrosoftDocs/azure-docs/issues/111494
It would be very helpful if you could use https://github.com/MicrosoftDocs/azure-docs/issues/111494 for any questions/observations or enhancements to my proposed documentation.

Programmatic Module Creation

IoT Hub Resource Manager - IoT Hub identity is required

The C SDK's Service Client (the ResourceManager client) is currently deprecated and no longer recommended.

To create a module programmatically, please use any of the other language SDK's ResourceManager clients: https://learn.microsoft.com/en-us/azure/iot-hub/module-twins-dotnet (we also have documentation for CLI, NodeJS and Python).
A good starting point (module creation needs to be added): https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/service/samples/how%20to%20guides/RegistryManagerSample

Azure IoT Identity Service / Azure IoT Edge

Edge devices can manage module identities using the device's Edge identity (instead of a global IoT Hub policy).
For this, it's easier to use Azure Identity Services or Azure IoT Edge directly.

The APIs that these two products use are not considered "public API" for IoT Hub and may change without notice. (See below for relevant source.)

[FaehnrichLE]

I tried to comment on that issue but it says I can't comment at this time. Here's what I was going to comment:

I was able to generate a csr using openssl.

The issue I believe in your command above was there wasn't a '/' at the beginning of CN.

Here's the command that worked for me.

openssl req -new -key DEV-HW-00000001m1.key.pem -out DEV-HW-00000001m1.csr -subj "/CN=DEV-HW-00000001\/module01"

I'm currently testing to see if I can provision a module under the device with this new file.

[CIPop]

Thank you @FaehnrichLE ! I've added your solution to the docs bug.

[FaehnrichLE]

My question still remains of how to create a module under a device with a certificate.

I have the CSR file now, but don't know how to use it.

I'm using a custom HSM (mocked up right now simulating a hardware HSM) and that can use my certificate and key to successfully provision a device, but I see no where to use this csr file to provision a module under that device.

You say in the linked issue that the CN must match the module identity, it sounds like the module already exists. I'm looking to have my device be the one that creates the modules much like how it provisions itself. I don't want to have someone manually create each module by hand in Azure Iot Hub.

[CIPop]

My question still remains of how to create a module under a device with a certificate.

Sorry, I missed that part: I've added another section to the answer. Unfortunately, while C-SDK Service Client might have support for the operation, we no longer support that service client (it's in the repo, as-is and it is used by our tests). We recommend using any of the other supported language SDKs (.NET, Python, Node) or the CLI. For this operation you would need to use one of the IoT Hub identities.

While using an Edge Device Identity is possible, there is no public API. That said, since both Azure IoT Identity Service and Azure IoT Edge are OSS, this is the likely source file: https://github.com/Azure/iot-identity-service/blob/release/1.4/identity/aziot-cloud-client-async/src/hub/mod.rs#L73 performing the operation against Hub.