Adding new CA trusted certificates (#1765)

Adding new CA certificates and updating the documentation to create a store when testing in Windows or OSX.

sdk/samples/iot/README.md

@@ -329,14 +329,29 @@ Set the following environment variables for all samples:
       $env:VCPKG_ROOT='<FULL PATH to vcpkg>'
       ```
 
-  2. Set the trust pem filepath. **Only for Windows or if required by OS.**
+  2. Set the trust pem filepath. **Only when testing on Windows.**
 
-      Download [BaltimoreCyberTrustRoot.crt.pem](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem) to `<FULL PATH TO azure-sdk-for-c>\sdk\samples\iot\`. Confirm the downloaded certificate uses the correct file name and file extension.
+      _Important:_ We recommend using a managed trusted store for production deployments. Paho/OpenSSL on Windows is meant for testing purposes only.
+            
+      Create a PEM certificate file based store by concatenating the following files:
+      
+      * RSA Certificate Authority Roots:
 
-      Windows (PowerShell):
+        - [Baltimore CyberTrust Root](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem)
+        - [DigiCert Global Root G2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem)
+        - [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt)
+
+      * ECC Certificate Authority Roots
+        - [DigiCert Global Root G3](https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem)
+        - [Microsoft ECC Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt)
+      
+      Make sure the files are in PEM format. If they are not, use `openssl x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.pem` to convert them to PEM format. Concatenate all the files into CAStore.pem.
+      Configure the AZ_IOT_DEVICE_X509_TRUST_PEM_FILE_PATH to point to this PEM file.
+
+       Windows (PowerShell):
 
       ```powershell
-      $env:AZ_IOT_DEVICE_X509_TRUST_PEM_FILE_PATH='<FULL PATH TO azure-sdk-for-c>\sdk\samples\iot\BaltimoreCyberTrustRoot.crt.pem'
+      $env:AZ_IOT_DEVICE_X509_TRUST_PEM_FILE_PATH='<FULL PATH TO>\CAStore.pem'
       ```
 
 #### IoT Hub X.509 Certificate Samples

sdk/samples/iot/aziot_esp32/New-TrustedCertHeader.ps1

@@ -36,10 +36,18 @@ function New-XxdHeader
 
 echo "It will take a few seconds, please wait."
 
-Invoke-WebRequest -Uri https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -OutFile ca.pem
+Remove-Item -Force -Confirm:$false ".\ca.pem" -erroraction SilentlyContinue
+
+Invoke-WebRequest -Uri https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -OutFile ca1.pem
+Invoke-WebRequest -Uri https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -OutFile ca2.pem
+
+Get-Content .\ca1.pem | Out-File -Encoding ascii .\ca.pem
+Get-Content .\ca2.pem | Out-File -Append -Encoding ascii .\ca.pem
 
 Out-File -Append -NoNewline -Encoding ascii -FilePath .\ca.pem -InputObject "`0"
+(Get-Content .\ca.pem -Raw).Replace("`r`n", "`n") | Set-Content .\ca.pem -Force -NoNewline
 
 New-XxdHeader -InFile ".\ca.pem" -OutFile ".\ca.h"
 
-Remove-Item -Force -Confirm:$false ".\ca.pem"
+Remove-Item -Force -Confirm:$false ".\ca1.pem"
+Remove-Item -Force -Confirm:$false ".\ca2.pem"

sdk/samples/iot/aziot_esp32/create_trusted_cert_header.sh

@@ -2,8 +2,18 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # SPDX-License-Identifier: MIT
 
+set -x # Set trace on
+set -o errexit # Exit if command failed
+set -o nounset # Exit if variable not set
+set -o pipefail # Exit if pipe failed
+
 command -v xxd >/dev/null 2>&1 || { echo >&2 "Please install xxd."; exit 1; }
 
-wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca.pem
+wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca1.pem
+wget https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -O ca2.pem
+
+cat ca1.pem > ca.pem
+cat ca2.pem >> ca.pem
+
 echo -n -e '\0' >> ca.pem
 xxd -i ca.pem ca.h

sdk/samples/iot/aziot_esp8266/New-TrustedCertHeader.ps1

@@ -36,8 +36,18 @@ function New-XxdHeader
 
 echo "It will take a few seconds, please wait."
 
-Invoke-WebRequest -Uri https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -OutFile ca.pem
+Remove-Item -Force -Confirm:$false ".\ca.pem" -erroraction SilentlyContinue
+
+Invoke-WebRequest -Uri https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -OutFile ca1.pem
+Invoke-WebRequest -Uri https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -OutFile ca2.pem
+
+Get-Content .\ca1.pem | Out-File -Encoding ascii .\ca.pem
+Get-Content .\ca2.pem | Out-File -Append -Encoding ascii .\ca.pem
+
+Out-File -Append -NoNewline -Encoding ascii -FilePath .\ca.pem -InputObject "`0"
+(Get-Content .\ca.pem -Raw).Replace("`r`n", "`n") | Set-Content .\ca.pem -Force -NoNewline
 
 New-XxdHeader -InFile ".\ca.pem" -OutFile ".\ca.h"
 
-Remove-Item -Force -Confirm:$false ".\ca.pem"
+Remove-Item -Force -Confirm:$false ".\ca1.pem"
+Remove-Item -Force -Confirm:$false ".\ca2.pem"

sdk/samples/iot/aziot_esp8266/create_trusted_cert_header.sh

@@ -2,7 +2,18 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # SPDX-License-Identifier: MIT
 
+set -x # Set trace on
+set -o errexit # Exit if command failed
+set -o nounset # Exit if variable not set
+set -o pipefail # Exit if pipe failed
+
 command -v xxd >/dev/null 2>&1 || { echo >&2 "Please install xxd."; exit 1; }
 
-wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca.pem
+wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca1.pem
+wget https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -O ca2.pem
+
+cat ca1.pem > ca.pem
+cat ca2.pem >> ca.pem
+
+echo -n -e '\0' >> ca.pem
 xxd -i ca.pem ca.h

sdk/samples/iot/aziot_realtek_amebaD/New-TrustedCertHeader.ps1

@@ -36,8 +36,18 @@ function New-XxdHeader
 
 echo "It will take a few seconds, please wait."
 
-Invoke-WebRequest -Uri https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -OutFile ca.pem
+Remove-Item -Force -Confirm:$false ".\ca.pem" -erroraction SilentlyContinue
+
+Invoke-WebRequest -Uri https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -OutFile ca1.pem
+Invoke-WebRequest -Uri https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -OutFile ca2.pem
+
+Get-Content .\ca1.pem | Out-File -Encoding ascii .\ca.pem
+Get-Content .\ca2.pem | Out-File -Append -Encoding ascii .\ca.pem
+
+Out-File -Append -NoNewline -Encoding ascii -FilePath .\ca.pem -InputObject "`0"
+(Get-Content .\ca.pem -Raw).Replace("`r`n", "`n") | Set-Content .\ca.pem -Force -NoNewline
 
 New-XxdHeader -InFile ".\ca.pem" -OutFile ".\ca.h"
 
-Remove-Item -Force -Confirm:$false ".\ca.pem"
+Remove-Item -Force -Confirm:$false ".\ca1.pem"
+Remove-Item -Force -Confirm:$false ".\ca2.pem"

sdk/samples/iot/aziot_realtek_amebaD/create_trusted_cert_header.sh

@@ -9,5 +9,11 @@ set -o pipefail # Exit if pipe failed
 
 command -v xxd >/dev/null 2>&1 || { echo >&2 "Please install xxd."; exit 1; }
 
-wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca.pem
+wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca1.pem
+wget https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -O ca2.pem
+
+cat ca1.pem > ca.pem
+cat ca2.pem >> ca.pem
+
+echo -n -e '\0' >> ca.pem
 xxd -i ca.pem ca.h