
401002 CA certificate not found - SDK - Microsoft.Azure.Devices.Provisioning.Client #1040

Closed
BhupalPatil opened this issue Aug 26, 2019 · 5 comments
Labels
question Further information is requested.

Comments

@BhupalPatil

OS - Windows 10
.net Environment - .net core 2.1
SDK - Microsoft.Azure.Devices.Client - 1.21.0
Microsoft.Azure.Devices.Provisioning.Client - 1.4.0
Microsoft.Azure.Devices.Provisioning.Transport.Mqtt - 1.1.8

Description of the issue:
Trying to set up multiple simulated devices (.NET Core console app) under Azure Device Provisioning Service and connect them to IoT Hub.

  1. Accordingly, I created a root certificate, uploaded it to DPS and successfully completed the verification process.
  2. Then I created multiple intermediate certificates, and then device certificates derived from an intermediate certificate (Root Cert >>> Intermediate Cert >>> Device Cert).
  3. The root certificate is added on DPS as the primary certificate and verification is successful as well. DPS is linked to the IoT Hub OK.
  4. With the device certificate I'm trying to connect to DPS and register the device on IoT Hub.
  5. I'm using the sample from the azure-iot-samples-csharp-master code base (X509Sample project).

In the above flow I end up with the error below:

```text
Microsoft.Azure.Devices.Provisioning.Client.ProvisioningTransportException
HResult=0x80131500
Message={"errorCode":401002,"trackingId":"408d5ad7-aa7c-45a1-b19a-e4af41ccf54b","message":"CA certificate not found.","timestampUtc":"2019-08-23T09:17:53.762099Z"}
Source=
StackTrace:
```

When I skip the intermediate certificate, that is, create the device certificate directly from the root certificate, I'm able to register the device successfully.

Wondering what's wrong in the case of the intermediate certificate? Do I need to upload the intermediate certificate as well? If so, where: somewhere under DPS or in code? Any sample for this scenario?

Let me know if I can provide more details.

@timtay-microsoft
Member

This may be a duplicate of issue #1010.

I recommend reading the full thread, but the recommendation that came of it was:

> You could choose one of the following two options:
>
> 1. Upload the intermediate only and do Proof of Possession on that, or
> 2. Include the intermediate in the TLS handshake.
>
> Either of the above two options can be valid.

@BhupalPatil
Author

@timtay-microsoft, I would like to try both options and confirm. I think the first one should work, as a similar approach is working currently, that is, with a root certificate and a leaf certificate.

The second option I'm not clear on: is that something we need to include in the C# code before device registration happens? In C# (ref X509Sample.csproj) we always provide the leaf certificate with its password; not sure how the intermediate will chain up. Or is it somewhere in the Azure DPS certificate upload settings?

@BhupalPatil
Author

Hi there, on top of the above issue, do you have any pointers for the requirement below? Let me know if I should create a separate thread.

I managed to register the device (X509 certificate authentication) via DPS and am able to send messages and upload files.

What I'm trying to achieve: once the device is registered successfully, next time I want to verify the device is already there, so I want to skip the RegisterAsync step and directly send the JSON message/upload files to IoT Hub. Any reference for this?

Skip the step below, as the device is already registered:

```csharp
Console.Write("ProvisioningClient RegisterAsync . . . ");
DeviceRegistrationResult result = await _provClient.RegisterAsync().ConfigureAwait(false);
```

Do the below with connecting to DPS and upload the JSON message/file...

```csharp
await iotClient.SendEventAsync(new Message(Encoding.UTF8.GetBytes("test message"))).ConfigureAwait(false);
```

@bikamani bikamani added bug Something isn't working. investigation-required Requires further investigation to root cause this. labels Aug 27, 2019
@CIPop CIPop added question Further information is requested. and removed bug Something isn't working. investigation-required Requires further investigation to root cause this. labels Sep 4, 2019
@CIPop
Member

CIPop commented Sep 4, 2019

> once device is registered successfully next time I want to verify device is already there so I want to skip RegisterAsync

@BhupalPatil you've already created a different issue and I've answered there.

> When I skip intermediate certificate that is directly create Device certificate from Root certificate I'm able to register the device successfully.

PKI requires either the service to have the intermediate certificates installed to form the chain and verify, or the client to send them over the wire.

You can't do the first one because our service doesn't support uploading anything but the top-level cert (which can be the intermediate).

You must do the second part (sending the intermediates over the wire), and that is achieved by installing the public portions in the "Intermediate Certificates" .NET store. In Windows that can be done using certmgr.msc. In Linux/Mac you need to write a small .NET app to import the chain: https://gist.github.com/CIPop/baf530337cc6b29e3d6a88047661f69c

Note that my gist requires a p7b (PKCS7 file format) containing the entire chain minus the root. You can rewrite it to accept .cer files. (AFAIK, .NET doesn't work with PEM files, so you'll need to use openssl to convert them.)
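As an added illustration of the approach in the comment above (this is example code written for this page, not the linked gist and not part of the Azure IoT SDK): a small .NET Core console program that imports every non-root certificate from a PKCS#7 (.p7b) bundle into the CurrentUser "Intermediate Certification Authorities" store, then builds the chain for the device (leaf) certificate to confirm the intermediates are now found. The file paths and the optional PFX password are assumed to arrive as command-line arguments; the root is skipped on purpose because it belongs in the Root store, not the intermediate store.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not SDK or gist code. Usage (paths are placeholders):
//   dotnet run -- chain.p7b device.pfx [pfxPassword]
class ImportIntermediates
{
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: ImportIntermediates <chain.p7b> <device.pfx> [pfxPassword]");
            return 2;
        }
        string p7bPath = args[0];       // intermediate chain, minus the root
        string pfxPath = args[1];       // device (leaf) certificate with private key
        string pfxPassword = args.Length > 2 ? args[2] : null;

        // Load every certificate in the PKCS#7 bundle.
        var bundle = new X509Certificate2Collection();
        bundle.Import(p7bPath);

        // StoreName.CertificateAuthority is the "Intermediate Certification Authorities" store.
        using (var store = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite);
            foreach (X509Certificate2 cert in bundle)
            {
                // A self-signed cert is a root; it does not belong in this store.
                if (cert.Subject == cert.Issuer)
                {
                    Console.WriteLine($"skipping root: {cert.Subject}");
                    continue;
                }
                store.Add(cert);   // adding a cert that is already present is a no-op
                Console.WriteLine($"imported intermediate: {cert.Subject}");
            }
        }

        // Check that the leaf now chains through the imported intermediates.
        var leaf = new X509Certificate2(pfxPath, pfxPassword);
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // The root of a private device PKI is usually not in the machine's trust list;
            // we only want to see whether the chain can be built, so allow an unknown root.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            bool built = chain.Build(leaf);
            Console.WriteLine($"chain built: {built}, elements: {chain.ChainElements.Count}");
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"  {element.Certificate.Subject}");
            }
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                // PartialChain here means an intermediate is still missing from the store.
                Console.WriteLine($"  status: {status.Status} {status.StatusInformation}");
            }
            return built ? 0 : 1;
        }
    }
}
```

If the chain status still reports `PartialChain` after the import, the bundle did not contain every intermediate between the device certificate and the root; the .NET client can only send intermediates it can find in the store when it presents the device certificate during the TLS handshake.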

@CIPop CIPop closed this as completed Sep 4, 2019
@az-iot-builder-01
Contributor

@BhupalPatil, @CIPop, thank you for your contribution to our open-sourced project! Please help us improve by filling out this 2-minute customer satisfaction survey
