
I am not able to create devices on IoT Hub in Node.js. I have replaced the provisioning host with the Global Device Endpoint and idScope with the ID Scope of my DPS. I am using group enrollment with X.509 certificates, so I am using the certificate's subject name as the value for registrationId. I have also linked my IoT Hub to the Device Provisioning Service.

var fs = require("fs");

var provisioningHost = "global.azure-devices-provisioning.net";
var idScope = "6n*******3"; // Replace with the ID Scope of the DPS instance
var registrationId = "Azure IoT CA TestOnly Root CA";
var deviceCert = {
  cert: fs.readFileSync("./IOTProj_cert.pem").toString(),
  key: fs.readFileSync("./IOTProj_key.pem").toString()
};

I am executing the azure-iot-sdk-node/provisioning/device/samples/register_x509.js file but getting the error below:

PS D:\TestNode\azure-iot-sdk-node-master\provisioning\device\samples> node .\register_x509.js
_tls_common.js:149

Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    at Object.createSecureContext (_tls_common.js:149:17)
    at Object.connect (_tls_wrap.js:1582:48)
    at Object.buildBuilder (D:\TestNode\azure-iot-sdk-node-master\provisioning\device\samples\node_modules\mqtt\lib\connect\tls.js:17:20)
    at MqttClient.wrapper [as streamBuilder] (D:\TestNode\azure-iot-sdk-node-master\provisioning\device\samples\node_modules\mqtt\lib\connect\index.js:153:36)
    at MqttClient._setupStream (D:\TestNode\azure-iot-sdk-node-master\provisioning\device\samples\node_modules\mqtt\lib\client.js:298:22)
library: 'x509 certificate routines', function: 'X509_check_private_key', reason: 'key values mismatch', code: 'ERR_OSSL_X509_KEY_VALUES_MISMATCH' }

I am following the links below:

Creating test certificates: Managing test CA certificates for samples and tutorials

create-simulated-device-x509-nodeJS#Simulate the device

IoT Hub Device Provisioning Service device concepts#Registration ID

Samples for the Azure IoT Device Provisioning Device SDK for Node.js

EDIT: I want to use group enrollment.

1 Answer


From the code above, it looks like you are using "Azure IoT CA TestOnly Root CA" as the registrationId? The registrationId should be the CN/subject of the device certificate itself (whatever you passed into the './certGen.sh create_device_certificate' command), not the root CA certificate. What kind of certificate is "IOTProj_cert.pem"? Is that the device's certificate, or the root CA certificate?

  • I am following (https://learn.microsoft.com/en-us/azure/iot-dps/quick-create-simulated-device-x509-node). I have created a leaf X.509 certificate (IOTProj_cert.pem and IOTProj_key.pem). As per (https://learn.microsoft.com/en-us/azure/iot-dps/concepts-device#registration-id) I have taken the registrationId as the subject name of the certificate. I am not sure what the registrationId should be for my case. I am using an X.509 certificate and I have done group enrollment. – pratiksha ganage Sep 01 '20 at 12:34
  • Is the code above the actual code you are using? Specifically, are you using this for your registration ID? var registrationId = "Azure IoT CA TestOnly Root CA"; That isn't right.... When you ran this command: node create_test_cert.js device {certificate-name} what did you pass in for {certificate-name}? That's what you should be using for your registrationId. If you passed "Azure IoT CA TestOnly Root CA", that is not a valid name (no spaces, etc). Can you run this command and paste the output (from the folder with your certs)? openssl x509 -in ./IOTProj_cert.pem -text – Steve Busby - MSFT Sep 01 '20 at 14:58
  • After executing node create_test_cert.js device TestAirtube, a certificate with common name=TestAirtube and 3 files named testAirtube_cert.pem, testAirtube_key.pem and testAirtube_fullchain.pem have been created. So I am using var registrationId = "TestAirtube"; var deviceCert = { cert: fs.readFileSync("./TestAirtube_cert.pem").toString(), key: fs.readFileSync("./TestAirtube_key.pem").toString() }; But the command node .\register_x509.js is not giving any output. – pratiksha ganage Sep 02 '20 at 06:33
  • Not sure why the script isn't giving any output. For ./TestAirtube_cert.pem, can you use the full chain version ./testAirtube_fullchain.pem? I think you need the full chain cert for this. – Steve Busby - MSFT Sep 03 '20 at 17:23
  • I tried using cert: fs.readFileSync("./TestAirtube_fullchain.pem").toString() also, still the same issue. The code is not giving me any output. – pratiksha ganage Sep 04 '20 at 05:42
  • If I use individual enrollment I can now get the device created at IoT Hub. But I want to use group enrollment as I want to add 1000s of devices. – pratiksha ganage Sep 04 '20 at 10:07
  • When you use a group enrollment, you still get no output from the script? If so, which cert did you upload and verify in DPS for the group enrollment? – Steve Busby - MSFT Sep 08 '20 at 15:28
  • I used the root CA certificate and also verified it. And for creating the pem key and certificate I have used node create_test_cert.js device {{my Root Cert name here}} – pratiksha ganage Sep 09 '20 at 06:29
  • The 'device' cert (created with create_test_cert.js device {cert name}) should be the same as your registrationId, not the name of your root cert. – Steve Busby - MSFT Sep 09 '20 at 15:19
  • But as I am using group enrollment, I can't find the registration ID here. I can only see the group ID. – pratiksha ganage Sep 11 '20 at 10:36
  • You specify the registration id in your code (it's not in the portal). The reg id you specify in your code should match the common name you used in your device certificate. – Steve Busby - MSFT Sep 13 '20 at 22:14
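The two checks the answer and comments keep circling back to (does the certificate actually belong to the private key it is paired with, and what common name does the device certificate carry, since that CN is the registrationId for a group enrollment) can be run with openssl before starting the SDK at all. The script below is an added example, not code from the question, the answer or the Azure IoT SDK. It assumes openssl is on PATH; the root CA and device certificate it uses are constructed inline as stand-ins for the files create_test_cert.js would produce, and the registration-ID shape rule is an assumption to verify against the DPS "Registration ID" page linked in the question.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Azure IoT SDK.
# Pre-flight checks for an X.509 DPS registration: does the certificate belong
# to the private key (the "key values mismatch" error means it does not), and
# what CN does the device certificate carry (that CN is the registrationId).
# Assumes openssl is on PATH. The certificates are constructed here as
# stand-ins for the *_cert.pem / *_key.pem files create_test_cert.js produces.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test root CA, named like the one in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Azure IoT CA TestOnly Root CA" \
  -keyout "$WORK/root_key.pem" -out "$WORK/root_cert.pem" 2>/dev/null

# Constructed device (leaf) certificate signed by that root; its CN is the
# device name, which is what the group enrollment identifies the device by.
openssl req -newkey rsa:2048 -nodes -subj "/CN=TestAirtube" \
  -keyout "$WORK/TestAirtube_key.pem" -out "$WORK/TestAirtube.csr" 2>/dev/null
openssl x509 -req -in "$WORK/TestAirtube.csr" -days 1 \
  -CA "$WORK/root_cert.pem" -CAkey "$WORK/root_key.pem" -CAcreateserial \
  -out "$WORK/TestAirtube_cert.pem" 2>/dev/null

# Succeeds only if the public key inside the certificate ($1) is the public
# half of the private key ($2). Node's TLS layer performs this same check when
# it builds the secure context, so run it before starting register_x509.js.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Prints the CN of the certificate's subject; that string is the value to put
# in registrationId. RFC2253 formatting gives one "attr=value" per comma.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Shape check for a registrationId. Assumption (verify against the DPS
# "Registration ID" docs linked in the question): alphanumerics plus
# '-', '.', '_', ':', up to 128 characters, ending in an alphanumeric or '-'.
# A CN with spaces, like the root CA name above, fails this check.
valid_registration_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._:-]{0,127}[A-Za-z0-9-]$'
}

# A pairing that produces the error from the question: a certificate that
# does not belong to the key it is loaded with.
if cert_key_match "$WORK/root_cert.pem" "$WORK/TestAirtube_key.pem"; then
  echo "unexpected: root certificate matches the device key"
else
  echo "root cert + device key: key values mismatch (the SDK's error)"
fi

# The working combination: device certificate with its own key, and the
# registrationId taken from that certificate's CN rather than the root's.
cert_key_match "$WORK/TestAirtube_cert.pem" "$WORK/TestAirtube_key.pem"
REG_ID=$(cert_cn "$WORK/TestAirtube_cert.pem")
echo "registrationId=$REG_ID"
if valid_registration_id "$REG_ID"; then
  echo "registrationId is well-formed"
else
  echo "registrationId is not a valid DPS registration ID"
fi
```

Run the same two functions against your own IOTProj_cert.pem and IOTProj_key.pem: if cert_key_match fails, the SDK will fail in exactly the way shown in the question before it ever talks to DPS, and the CN that cert_cn prints is the string the registrationId variable must hold.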