Azure IoT root certificate changes

I need some assistance/advice. TLS/Root Certificates/etc is not my strong area. It appears Azure IoT is changing their Root Certificate. Azure IoT TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub

The actions required indicate I need to add DigiCert Global root G2 to my devices. I also need to enable SHA384. Does TinyCLR support SHA384?

Based on that document, is there anything else I should be worried about?

I have a lot of devices in the field that will need to be updated remotely.

Do you know if DigiCert Global Root G2 is ready for testing now or not yet?
In TinyCLR, we see the flag SHA384 enabled but not tried on 384 yet.

In your project, where is the certificate loaded? From SD/USB or from a resource?

I would assume it is ready. Yesterday was the first I heard about this change. I am still confused about their timing. The email says the change is happening on July 1, 2022. But the blog says they have pushed things out to 2023. So I am a bit confused.
It appears that both certs will be valid until Sept 2023.

I currently store the Cert in flash storage. I load it over-the-air using a connection through my SIM provider Hologram. Currently, I only support 1 cert in my code. I will have to do OTA updates to existing devices. I can kick off the OTA through the same connection so I don’t need Azure IoT to control the update process.

There are test endpoints available with SHA256 (see that same posting) and SHA384. The cut-over is in early 2023. I haven’t tried the new certs or hash myself yet.

1 Like

Need to bring this issue up again.

The cutover to the new Cert starts Feb 15, 2023, and runs through October 15, 2023.
It looks like back in May 2022 they added SHA-256 for constrained devices.

They recommend BOTH the old Baltimore CyberTrust Root and the NEW DigiCert Global G2 CA root be added to the end device. (In the above document, “Action Required” section, item #2)

Using TinyCLR MQTT, I don’t see any way to add more than one certificate using MqttClientSetting(). I assume it is important to have both since I assume the transition will happen to your IoT Hub sometime between Feb 15 and Oct 15.

Any thoughts on how to handle this short of switching Certs if authentication fails?

This doesn’t solve the issue but I am putting this here for others who might need it.

This is the new DigiCert Global Root G2 with SHA256 that I successfully used to test.
https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Found it here: Azure TLS Certificate Changes | Microsoft Learn

I set up a test IoT Hub and set it to use the DigiCert Global G2 root so I had something to test against.

My production IoT Hub is still using the old Baltimore Cyber Trust cert. I can’t switch it until I have more info from GHI on how to proceed. (See the previous post.)

1 Like
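The question above about carrying both the old Baltimore root and the new DigiCert Global Root G2 on a device comes down to what the device's trust store contains. The script below is an added example, not code from this thread, GHI or Microsoft; it uses `openssl` to generate two throw-away self-signed roots that stand in for the old (SHA-256 chain) and new (SHA-384 chain) CAs, issues a test "hub" certificate from each, and shows that a store holding only the old root rejects the new chain while a single PEM bundle containing both roots accepts either. The CA names, the `test-hub.example` hostname and the file layout are constructed for the demonstration; nothing here touches Azure or the real certificates.

```shell
#!/bin/sh
# Added example: a device trust store holding two root CAs during a CA migration.
# The roots below are constructed test CAs, not the real Baltimore or DigiCert roots.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal self-contained openssl config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root PREFIX CN DIGEST : self-signed CA certificate and key (constructed test CA)
make_root() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes "-$3" -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_leaf ROOT_PREFIX LEAF_PREFIX DIGEST : server certificate issued by that root
make_leaf() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=test-hub.example" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        "-$3" -days 30 -out "$2.crt" 2>/dev/null
}

# verify_chain BUNDLE LEAF : exit 0 if LEAF chains to a root in BUNDLE, non-zero otherwise
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# root_count BUNDLE : number of PEM certificates in a bundle file
root_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# sig_alg CERT : signature algorithm of a certificate, e.g. sha384WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: //p' | head -n 1
}

# Old root signs with SHA-256; the new root and its chain use SHA-384, which the
# device's TLS stack must support once the hub switches over.
make_root old_root "Old Test Root (stands in for Baltimore)" sha256
make_root new_root "New Test Root (stands in for DigiCert G2)" sha384
make_leaf old_root hub_old sha256
make_leaf new_root hub_new sha384

# The migration-safe trust store is simply both roots concatenated into one PEM bundle.
cat old_root.crt new_root.crt > both_roots.pem

if verify_chain old_root.crt hub_new.crt; then
    echo "unexpected: old-only store accepted the new chain"
else
    echo "old-only store rejects the new chain (this is the outage risk)"
fi
verify_chain both_roots.pem hub_old.crt && echo "bundle accepts the old chain"
verify_chain both_roots.pem hub_new.crt && echo "bundle accepts the new chain"
echo "new chain signature algorithm: $(sig_alg hub_new.crt)"
```

If the MQTT client on the device only accepts a single CA input, the same idea still applies: what matters is that the bytes handed to the TLS stack contain both roots, so a concatenated PEM bundle (or, where the API takes one DER certificate, a firmware that tries the second root only after a verification failure) is the thing to test against a hub configured for the new root before the production cutover window.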