Migration from the Baltimore Root CA to DigiCert Global Root G2 for Microsoft Azure IOT HUB

Is HMS aware of the incoming change to Microsoft Azure IOT Hub where they will be switching from BaltimoreCA to Digicert Global Root G2? Are there any planned guides on performing the migration?

Yes, we are aware. You can add the new cert into the same file as the old one so it will switch over seamlessly.

There is more info here about adding devices to the IoT Hub: MQTT- Easy connection to Microsoft AZURE IOT Hub/ IOT Central using SAS tokens
If you follow those instructions, you should be all set for the update.

@kyle_HMS I was under the impression that we need to specify which file to use in the BASIC program: MQTT “setparam”, “cafile”,"/usr/BaltimoreCyberTrustRoot.pem"
If my new cafile is “usr/DigiCertGlobalRootG2.pem”, I don’t think this will be very seamless. What am I missing?

Tim you have already viewed the post by Simon concerning the ability to put both certs into the same file.

Just adding the link to this thread for everyone else who comes across it.


1 Like

Thanks Ted!

@tedsch2 Yeah, I’ve read Simon’s solution. I’m just not very keen on changing this for ~160 devices. Although maybe its only slightly more work to use a self-signed cert rather than the DigiCert one. I was honestly hoping for a truly seamless solution like dropping the file in the folder and the Flexy presenting whichever one worked…like a scammer trying stolen credit cards until the transaction occurs! XD

Looks like a chance for you to script and automate that process. There is already a tag or two on each of the Flexy units for the automagic update of the basic script. Could maybe expand on that to help out with the change.

Yeah. We’re testing the 2.0 version of the BASIC script this week so everything is tag driven. Mabe this will be an opportunity to update all the Flexys. Its those old Chinese blessings/curses: “May you live in interesting times”.

As for automating the new cert, we can take the VBA FTP bit from the tag generator to download the program.bas then edit and re-upload it with the new cert. Its a PowerShell one-liner (Add-AzIoTModule) to add a new Identity module which we could call that from the same VBA that does the FTPing. Simple enough, but still not excited about it.