Description
I am provisioning a device through X509 certs and it's strange that we need an intermediate cert to be used as a signer certificate in the example given here (https://github.com/Azure/azure-iot-sdk-java/blob/main/provisioning/provisioning-device-client-samples/provisioning-X509-sample/readme.md), which mentions:

> Obtain the certificates following instructions from [X509 Certificate Generator](https://github.com/Azure/azure-iot-sdk-java/tree/main/provisioning/provisioning-tools/provisioning-x509-cert-generator). If you are trying Group Enrollment then you will need to add signerCertificates to the Collection. You can add the signerCertificates in main() just before instantiating SecurityProviderX509Cert: `signerCertificates.add("<Your Signer/intermediate Certificate Here>");`

Now on the contrary I see this example also, which doesn't use the signerCertificate (intermediate cert) and provisions a device using DPS group enrollment; refer to point 7: `SecurityProvider securityProviderX509 = new SecurityProviderX509Cert(deviceX509Cert, deviceX509Key, null);`
Now my questions are:

- The Java sample I'm running works with the intermediate certificate used as the `signerCertificates` argument in here: `SecurityProviderX509Cert(leafPublicCert, leafPrivateKey, signerCertificates)`, so my certs are correct and DPS is also correctly configured. But when I pass null in `signerCertificates`, the registerDevice call times out and the registration callback is never called. Which of the examples mentioned above is correct? And why doesn't the second example work for me?
- I have used the Node and C Azure IoT SDKs; they don't need any intermediate certificate on a device for it to be provisioned to DPS using group enrollment. Why does the Java SDK need that?
- Also, it would not be a good solution for an Android app, as that requires the intermediate certificate to be shipped with the APK, which is a security concern.