
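# ==============================================================================
# Secrets in this file
# ==============================================================================
#
# Several of the examples below show secrets written directly into this file:
# a connection string carrying a SharedAccessKey, inline base64 symmetric keys,
# PKCS#11 URIs with "pin-value=...", an EST password, and TPM hierarchy
# authorization values. Anything written inline here is stored in plaintext.
# Where an alternative is offered (file:// URI, pkcs11: URI, certificate-based
# authentication, TPM attestation), prefer it, and restrict read access to this
# file to the accounts that actually need it.


# ==============================================================================
# Hostname
# ==============================================================================
#
# Uncomment the next line to override the default hostname of this device.
#
# hostname = "my-device"


# ==============================================================================
# Local Gateway Hostname
# ==============================================================================
#
# If this device is running in a nested deployment, uncomment the next line to
# set the local gateway hostname of this device.
#
# local_gateway_hostname = "my-parent-device"


# ==============================================================================
# Cloud Timeout and Retry Behavior
# ==============================================================================
#
# These settings control the timeout and retries for cloud operations, such as
# communication with DPS during provisioning or IoT Hub for module identity creation.
#
# cloud_timeout_sec is the deadline (in seconds) for a network request (such as
# an HTTP request) to the aforementioned cloud services. A response from the cloud
# must be received before this deadline, or the request will fail as timed out.
#
# cloud_retries controls how many times a request may be retried should it fail.
# The client will always send at least one attempt, so its value will be the number
# of retries after the first attempt should that fail (i.e. cloud_retries = 2
# means that the client will make a total of 3 attempts).
#
# cloud_timeout_sec has a minimum of 70s to give IoT Hub room to throttle requests.
# If a request is throttled, it will enter an exponential backoff with 4 retries instead
# of using the configured value. The configured value is used for all other errors.
#
# cloud_timeout_sec = 70
# cloud_retries = 1


# ==============================================================================
# Module identity cache preference
# ==============================================================================
#
# The default behavior is to request module identities from IoT Hub and fall back to a
# cached backup if the Hub request fails. This keeps identities in sync with IoT Hub,
# but results in extra requests to Hub that may not be necessary depending on use case.
#
# Setting prefer_module_identity_cache to true reverses the behavior so that the cached
# identities are preferred to IoT Hub requests. Requests to Hub are still made if identities
# are not found in the cache.
#
# Note that in the cache-preferred mode an identity that is already cached is used as-is,
# so a change made in IoT Hub to that identity is not picked up until the cache no longer
# holds it. Keep the default if identities must reflect IoT Hub promptly.
#
# prefer_module_identity_cache = false


# ==============================================================================
# Provisioning
# ==============================================================================
#
# Uncomment one block and replace the stub values with yours.


## Manual provisioning with connection string
#
# The connection string embeds the device's SharedAccessKey in plaintext in this
# file. The symmetric-key block below accepts the same key from a file or a
# PKCS#11 token instead.
#
# [provisioning]
# source = "manual"
# connection_string = "HostName=example.azure-devices.net;DeviceId=my-device;SharedAccessKey=YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU="


## Manual provisioning with symmetric key
# [provisioning]
# source = "manual"
# iothub_hostname = "example.azure-devices.net"
# device_id = "my-device"
#
# [provisioning.authentication]
# method = "sas"
#
# device_id_pk = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU=" }  # inline key (base64, plaintext in this file), or...
# device_id_pk = { uri = "file:///var/secrets/device-id.key" }  # file URI, or...
# device_id_pk = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" }  # PKCS#11 URI ("%20" is an encoded space in the object label)


## Manual provisioning with X.509 certificate
# [provisioning]
# source = "manual"
# iothub_hostname = "example.azure-devices.net"
# device_id = "my-device"
#
# [provisioning.authentication]
# method = "x509"
#
## identity key
# identity_pk = "file:///var/secrets/device-id.key.pem"  # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234"  # PKCS#11 URI
#
## identity certificate
# identity_cert = "file:///var/secrets/device-id.pem"  # file URI, or...
# [provisioning.authentication.identity_cert]  # dynamically issued via...
# method = "est"  # - EST
# method = "local_ca"  # - a local CA
# common_name = "my-device"  # with the given common name, or...
# subject = { L = "AQ", ST = "Antarctica", CN = "my-device" }  # with the given DN fields


## DPS provisioning with symmetric key
# [provisioning]
# source = "dps"
# global_endpoint = "https://global.azure-devices-provisioning.net/"
# id_scope = "0ab1234C5D6"
#
## Uncomment to send a custom payload during DPS registration
# payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" }
#
# [provisioning.attestation]
# method = "symmetric_key"
# registration_id = "my-device"
#
# symmetric_key = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGVudGl0eS1zZXJ2aWNlfGF6aW90LWlkZW50aXR5LXNlcg==" }  # inline key (base64, plaintext in this file), or...
# symmetric_key = { uri = "file:///var/secrets/device-id.key" }  # file URI, or...
# symmetric_key = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" }  # PKCS#11 URI


## DPS provisioning with X.509 certificate
# [provisioning]
# source = "dps"
# global_endpoint = "https://global.azure-devices-provisioning.net/"
# id_scope = "0ab1234C5D6"
#
## Uncomment to send a custom payload during DPS registration
# payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" }
#
# [provisioning.attestation]
# method = "x509"
# registration_id = "my-device"
#
## identity key
# identity_pk = "file:///var/secrets/device-id.key.pem"  # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234"  # PKCS#11 URI
#
## identity certificate
# identity_cert = "file:///var/secrets/device-id.pem"  # file URI, or...
# [provisioning.attestation.identity_cert]  # dynamically issued via...
# method = "est"  # - EST
# method = "local_ca"  # - a local CA
# common_name = "my-device"  # with the given common name, or...
# subject = { L = "AQ", ST = "Antarctica", CN = "my-device" }  # with the given DN fields
#
## Uncomment the section below to enable automatic renewal of the device ID certificate.
## Auto-renewal requires a known certificate issuance method. This generally means that
## 'method' is either 'est' or 'local_ca'.
##
## IMPORTANT:
## ONLY ENABLE AUTO-RENEWAL IF THIS DEVICE IS CONFIGURED FOR CA-BASED DPS ENROLLMENT.
## USING AUTO-RENEWAL FOR AN INDIVIDUAL ENROLLMENT WILL CAUSE THE DEVICE TO BE UNABLE
## TO REPROVISION.
##
## rotate_key = true issues a fresh private key with each renewed certificate rather
## than re-certifying the existing one. threshold and retry are given as percentages;
## presumably of the certificate's lifetime (renew at 80%, retry every 4% on failure) --
## confirm against the Certificates Service documentation before tuning them.
# [provisioning.attestation.identity_cert.auto_renew]
# rotate_key = true
# threshold = "80%"
# retry = "4%"


## DPS provisioning with TPM
# [provisioning]
# source = "dps"
# global_endpoint = "https://global.azure-devices-provisioning.net/"
# id_scope = "0ab1234C5D6"
#
## Uncomment to send a custom payload during DPS registration
# payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" }
#
# [provisioning.attestation]
# method = "tpm"
# registration_id = "my-device"


# ==============================================================================
# Cert issuance
# ==============================================================================
#
# If you configured any dynamically issued certs above, uncomment the block
# corresponding to the issuance method and replace the stub values with yours.


# Cert issuance via EST
# ---------------------
# [cert_issuance.est]
# # CA certificate(s) the EST server must chain to; presumably used to validate
# # the EST server's TLS certificate -- confirm against the Certificates Service docs.
# trusted_certs = [
#     "file:///var/secrets/est-id-ca.pem",
# ]
#
# [cert_issuance.est.auth]
# # Username/password EST authentication. The password is stored in plaintext here;
# # prefer one of the certificate-based options below where the EST server supports them.
# username = "estuser"
# password = "estpwd"
#
# # EST ID cert already on device, or...
# identity_cert = "file:///var/secrets/est-id.pem"
#
# identity_pk = "file:///var/secrets/est-id.key.pem"  # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234"  # PKCS#11 URI
#
# # EST ID cert requested via EST bootstrap ID cert
# bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem"
#
# bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem"  # file URI, or...
# bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234"  # PKCS#11 URI
#
## Controls the renewal of EST identity certs. These certs are issued by the EST server after
## initial authentication with the bootstrap cert and managed by Certificates Service.
## threshold and retry take the same form as in the DPS auto_renew section above.
# [cert_issuance.est.identity_auto_renew]
# rotate_key = true
# threshold = "80%"
# retry = "4%"
#
# [cert_issuance.est.urls]
# default = "https://example.org/.well-known/est"


# Cert issuance via local CA
# --------------------------
# Whoever can read the local CA private key can issue certificates for every
# identity this CA signs; keep it on a PKCS#11 token where possible and treat
# the file:// variant as the less preferred option.
# [cert_issuance.local_ca]
# cert = "file:///var/secrets/local-ca.pem"
#
# pk = "file:///var/secrets/local-ca.key.pem"  # file URI, or...
# pk = "pkcs11:slot-id=0;object=local-ca?pin-value=1234"  # PKCS#11 URI


# ==============================================================================
# TPM
# ==============================================================================
#
# If special configuration is required for the TPM when using DPS TPM
# provisioning, uncomment any pertinent sections below.
# [tpm]
# # TCTI loader string; see "TCG TSS 2.0 TPM Command Transmission
# # Interface (TCTI) API Specification" section 3.5 for an overview of
# # acceptable TCTI loader strings. By default, this is "device". Setting
# # this to the empty string will cause the TCTI loader library to try
# # loading a predefined set of TCTI modules in order.
# # Ref: https://github.com/tpm2-software/tpm2-tss/blob/3.1.1/src/tss2-tcti/tctildr-dl.c#L28-L59
# #
# # The example value targets swtpm, a software TPM simulator: useful for
# # development, but it is not hardware-rooted. Leave the default ("device")
# # on production hardware.
# tcti = "swtpm:port=2321"
#
# # The TPM index at which to persist the DPS authentication key. The index is
# # taken as an offset from the base address for persistent objects
# # (0x81000000), and must lie in the range 0x00_00_00--0x7F_FF_FF. The default
# # value is 0x00_01_00.
# auth_key_index = "0x00_01_00"
#
# # Authorization values for use of the endorsement and owner hierarchies, if
# # necessary. By default, these are empty strings. Non-empty values are stored
# # in plaintext in this file, so this section should only be uncommented when
# # the hierarchies really are password-protected.
# [tpm.hierarchy_authorization]
# endorsement = "hello"
# owner = "world"


# ==============================================================================
# PKCS#11
# ==============================================================================
#
# If you used any PKCS#11 URIs above, uncomment the next block and
# replace the stub values with your PKCS#11 configuration.
#
# "pin-value=..." places the token PIN in this file in plaintext, and it is
# repeated in every pkcs11: URI above; the same access restrictions that apply
# to key files apply to this file once a PIN is written here.
# [aziot_keys]
# pkcs11_lib_path = "/usr/lib/libmypkcs11.so"
# pkcs11_base_slot = "pkcs11:slot-id=0?pin-value=1234"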