I have an embedded device that communicates with Microsoft Azure IoT Hub using CA-signed device certificate authentication. I’m acting as the CA and can create and sign device certificates. Everything is working fine in my development environment, where I manually generate device key pairs and certificates and can literally paste them into my device source code.
When the product goes into production, the plan is for each device to generate its own key pair and export the public key to our custom back-end system, which automatically generates the signed certificate; this is then downloaded and stored in the device. The problem I have is that every example of certificate signing I’ve seen requires a public/private key pair as input to a CSR generator, but for security reasons my device’s private key is never exported from the device and hence is unavailable.
How do I generate a signed device certificate when I don’t have the device’s private key?
Paresh asks the same question here (For Generate CSR request), but the answer involves “out of device” key pair generation.
I understand that in the IT world it’s no big deal generating keys and CSRs on a server, and that the private key never leaves the server, but in the embedded world, where the private key never exists outside of the device, how do I obtain a certificate when all I have access to is the device’s public key?
I’ve read elsewhere that a CSR is actually signed using the private key as a way of proving the public key holder is in possession of the private key. This I can understand but I come back to my scenario where I do not have the device private key.
Presumably, because I am the CA, I do not need a CSR and hence don’t need the device private key, but I can’t find any way of generating a certificate from just the public key.
Sorry about the length of the post and thanks for any advice you can give me.
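An added example, not from the post or the linked question, showing both routes the scenario allows using Python’s `cryptography` package: the device generates its key pair and exports only the public key, and the back-end CA issues a certificate straight from that public key with no CSR at all; alternatively the device builds the CSR itself, since it does hold its own private key, and the CA checks the CSR’s self-signature before issuing. The self-signed root, the CA name and the device IDs are constructed placeholders standing in for the poster’s own CA and devices.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def _cert(subject, issuer, pub, signer_key, days, is_ca):  # signer_key signs pub; subject's private key is never touched
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_ca():
    """Constructed stand-in for the poster's own CA: a self-signed EC root (hypothetical name)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Device CA")])
    return key, _cert(name, name, key.public_key(), key, 3650, True)

def device_generate():
    """Device side: key pair created in place; only the public key (SPKI PEM) is exported."""
    key = ec.generate_private_key(ec.SECP256R1())
    pub_pem = key.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return key, pub_pem

def device_csr(device_key, device_id):
    """Device side alternative: the CSR is signed on the device, so the private key still never leaves."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(device_key, hashes.SHA256())

def issue_from_public_key(ca_key, ca_cert, device_pub_pem, device_id):
    """Back-end CA: certificate from the exported public key alone; no CSR needed."""
    pub = serialization.load_pem_public_key(device_pub_pem)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)])
    return _cert(subject, ca_cert.subject, pub, ca_key, 365, False)

def issue_from_csr(ca_key, ca_cert, csr):
    """Back-end CA: same issuance, after checking the CSR's proof-of-possession signature."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    return _cert(csr.subject, ca_cert.subject, csr.public_key(), ca_key, 365, False)

def issued_by(device_cert, ca_cert):  # checks the CA's ECDSA signature over the to-be-signed bytes
    try:
        ca_cert.public_key().verify(device_cert.signature, device_cert.tbs_certificate_bytes,
                                    ec.ECDSA(device_cert.signature_hash_algorithm))
        return True
    except Exception:  # cryptography raises InvalidSignature on a mismatch
        return False
```

Either issued certificate carries the device’s public key and the CA’s signature, which is all Azure IoT Hub needs to chain the device back to the uploaded CA certificate.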