Azure IoT Edge
An Azure service that is used to deploy cloud workloads to run on internet of things (IoT) edge devices via standard containers.
591 questions
Iot Edge Device with iot-identity-service (1.5.4): EST renewal certification handling
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 36%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Joerg Zeidler
0
Reputation points
Hello All,
i have a question regarding the certification renewal process for an Iot Edge device with an iot-identity-service.
I have configured the services on the device side and have an up an running a EST-Server for Automatic certificate management.
The automatic renewal of the certificates works within the validity period of the certificates.
But if the validity period e.g. is 30 days and the device is offline for, for example, 40 days, it will no longer be able to request new certificates once it is online again. The identity service cannot handle expired certificates. This would mean that the device in the field would no longer be usable.
Is this handling expected?
Best regards
Joerg
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 15%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Manas Mohanty 540 Reputation points Microsoft Vendor2025-02-12T08:10:46.8466667+00:00 Hi Joerg Zeidler!
It is good to see that you have an EST-Server for Automatic certificate management.
But I would suggest you accommodate a function to check expiry data of authentication and re-new the certificates automatically. Optionally you can extend the validity period to 40 or 60 days and re-new authentication prior.
Thank you.
-
Joerg Zeidler 0 Reputation points
2025-02-12T14:29:19.3366667+00:00 Hi,
this handling is present in the used azure resource https://github.com/Azure/iot-identity-service except the UseCase if the device is offline for longer than the validity of the certification.
It all looks to me like it's a bug in this service. I will then create a ticket.
Thank you
-
Manas Mohanty 540 Reputation points Microsoft Vendor
2025-02-13T17:15:20.4466667+00:00 Yes, confirm that it won't be able to automatically renew the certificates automatically if the devices are offline beyond validity. Device can switch to a second authentication like symmetric key if they are not able to authenticate with existing certificates, while new certificates are provided to the devices.
Not sure on accommodating grace period (allowing certificate renewal beyond expiry date) in config.toml, probably It can be confirmed in Github .
Reference
https://github.com/Azure/iotedge/blob/main/edgelet/doc/est.md
Thank you.
Sign in to comment
Sign in to answer