X.509 Provisioning and Connection

Overview

This section explains how to provision a gateway and how to connect to the Azure IoT Services using X.509 certificates. This connection method can be used with IoT Hub DPS Individual Enrollment, IoT Hub DPS Enrollment Group, IoT Central Individual Enrollment, or IoT Central Enrollment Group.

🚧

ESF Cloud Connector for Azure IoT, Version 2.0.0 and Above Only

These instructions apply to the ESF Cloud Connector for Azure IoT, Version 2.0.0 and above. See Legacy v2 Azure IoT Connection if you are using any version under 2.0.0.

❗️

Testing Use Only

These instructions are for testing and development only. The certificates generated in this guide are not suitable for deployment!

Always follow the correct procedures for generating secure certificates!

Prerequisites

A terminal application and the OpenSSL package are required. These are often pre-installed with operating systems.

Create a X.509 Self-Signed CA Certificate (Root Certificate) and Key

Create a PEM formatted X.509 self-signed CA certificate (also known as a Root Certificate) and key by running the following command:

📘

Unencrypted Private Key File

The command below will generate a private key file that is unencrypted. If you prefer to encrypt the private key file, remove the "-nodes" argument from the command.

openssl req -x509 -newkey rsa:2048 -keyout root-private-key.pem -nodes -out root-cert.pem

Enter the following information when prompted. The values you enter into the fields other than Common Name can be anything and do not matter. Make sure to note what you entered in the Common Name field as it will be used later in the provisioning process.

❗️

Certificate Detail Fields

You must enter a value into at least one of the configuration fields other than Common Name. If all fields other than Common Name are blank, the certificate generation will succeed but the Azure authentication will fail.

❗️

Common Name Format

The Common Name field must be alphanumeric (a-z, 0-9) characters only and all lower case. If the Common Name field is not all lower case or includes any non-alphanumeric characters, the certificate generation will succeed but the Azure authentication will fail.

🚧

Note the Common Name

Make sure you keep a copy of the Common Name. It will be required later in the provisioning process and must be an exact match to the Common Name used in this certificate.

Configuration Fields:

  • Country Name: Enter any 2 letter code. Enter a period for blank. At least one of these fields must be filled in.
  • State or Province Name: Enter anything. Enter a period for blank. At least one of these fields must be filled in.
  • Locality Name: Enter anything. Enter a period for blank. At least one of these fields must be filled in.
  • Organization Name: Enter anything. Enter a period for blank. At least one of these fields must be filled in.
  • Organization Unit Name: Enter anything. Enter a period for blank. At least one of these fields must be filled in.
  • Common Name: This is required. Must be all lower case. Make sure you note this value as it will be used later in the provisioning status. At least one other field must be filled in as well.
  • Email Address: Enter anything. Enter a period for blank. At least one of these fields must be filled in.

Provisioning

X.509 Provisioning can be accomplished in five ways:

Provision Device Using IoT Hub DPS Individual Enrollment

Go to the Manage Enrollments page of your DPS in your Azure Portal and Click + Add individual enrollment.

2724

On the Add Enrollment page, enter the following information:

  • Mechanism: X.509
  • Primary Certificate: Upload the root-cert.pem you generated above
  • IoT Hub Device ID: Enter the name you gave the certificate in the Common Name field here. This must be all lower case (you must generate a new certificate if it is not all lower case).
  • All other fields: Leave at the default values

Click Save.

1733

The Azure Portal will return you to the Manage Enrollments page. Navigate to the Manage Enrollments page if you are not automatically returned to it.

Continue At Create a X.509 cloud connection.

Provision Device Using IoT Hub DPS Enrollment Group

Add Certificate to DPS

Go to the Certificates page of your DPS in your Azure Portal and click + Add.

3618

Enter a certificate name and upload the root-cert.pem you created above. Click Save.

3636

The certificate will be added to the list of certificates and will have Unverified in the Status column. Click on the certificate name to bring up the Certificate Details panel.

3630

Click Generate Verification Code. This will populate the Verification Code field with the verification code.

3633

Copy the verification code. Open the Verification Certificates section of Creating Additional Types of Certificates for Azure IoT in a new window and follow the instructions to create a verification certificate. Continue with these instructions once you have created the verification certificate.

Upload the verification certificate you just created and click Verify.

3628

The certificate should now show Verified with a green checkmark in the Status column.

3627

Create Enrollment Group

Go to the Manage Enrollments page of your DPS. Click + Add Enrollment Group.

2724

On the Add Enrollment Group page, enter the following information:

  • Group Name: Any unique designator.
  • Attestation Type: Certificate
  • Primary Certificate: Select the certificate you uploaded and verified above.
  • All other fields: Leave at the default values

Click Save.

1713

Continue At Create a X.509 cloud connection.

Provision Device Using IoT Central Individual Enrollment

Prerequisites

Create an Application

In order to provision your device with X.509 credentials using IoT Central Applications, you must first create an application. Instructions on how to create your own IoT Central application can be found here.

Create a Device

You must Create your device in your Azure IoT Central Application before provisioning using X.509 credentials.

🚧

Device ID Must Match Certificate Common Name

When you create a device in your Azure IoT Central Application, the Device ID must match the Common Name that you used when creating the root certificate (in the Prerequisites section at the start of this document).

Connect device

Click on your device from the Devices page and click Connect.

1574

Set the Authentication Type to "Individual Enrollment" and the Authentication Method to "Certificates (X.509)".

Click the button to upload your root certificate for both Primary and Secondary. You should use the same certificate for both.

Click Save.

1272

Leave this window open. It will be used in the next section.

Continue At Create a X.509 cloud connection.

Provision Device Using IoT Central Enrollment Group

Prerequisites

Create an Application

In order to provision your device with X.509 credentials using IoT Central Applications, you must first create an application. Instructions on how to create your own IoT Central application can be found here.

Navigate to the Device connection section of the Administration page in your IoT Central Application. Click + Create enrollment group.

3386

The Name must be set to a unique enrollment group name. Set the Attestation type to "Certificates (X.509)". Leave all other fields at default values and click Save.

3625

Once the Enrollment Group is saved, new options will appear under Certificates (X.509). Click + Manage Primary.

3609

Upload the root certificate to Primary. You should see a warning in red that says Needs verification just under the Primary field.

Click Generate verification code. This will generate a verification code.

3620

Copy the verification code. Open the Verification Certificates section of Creating Additional Types of Certificates for Azure IoT in a new window and follow the instructions to create a verification certificate. Continue with these instructions once you have created the verification certificate.

Click Verify and upload your verification certificate. The message below Primary will change to a green "Verified".

3629

Click Close, then click Save.

3617

Continue At Create a X.509 cloud connection.

Create a X.509 cloud connection

In the ESF Web interface, go to the Cloud Connection section and click New Connection.

On the New Cloud Connection dialog, enter the following information:

  • Cloud Connection Factory PID: AzureDpsX509
  • Cloud Connection Service PID: AzureDpsX509 or other valid Cloud Connection Service PID

Click Apply.

1192

Select the new connection and go to the X509MqttDataTransport tab.

2676

Select the appropriate Device Model ID from the list of options. If a device model does not need to be specified your application, leave the default 'None' field'. Set the 'Device Model ID Version' to the appropriate version of the Device Model ID.

Connecting to Azure IoT Portal can be accomplished in five ways:

Configure connection using IoT Hub DPS Individual Enrollment

Navigate to the Overview page of the Azure DPS. Copy/paste the Global device endpoint and ID Scope into the Global Endpoint and Scope ID in ESF.

2717

Run the following command to get the certificate.

cat root-cert.pem

The output of that command will start with "-----BEGIN CERTIFICATE-----", then have a large block of random looking text, and end with "-----END CERTIFICATE-----".

1090

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Certificate textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Run the following command to get the private key.

cat root-private-key.pem

The output of that command will start with "-----BEGIN PRIVATE KEY-----", then have a large block of random looking text, and end with "-----END PRIVATE KEY-----".

1179

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Private Key textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Click Apply.

Click the Connect/Disconnect button. The Status should change to Connected. The connection process may take up to two minutes.

When the AzureDpsX509 is connected, navigate to the device in DPS (via Manage Enrollments/Individual Enrollments). Select your device to go to the Enrollment Details page.

In the Registration Status section, confirm that the Status is "assigned." If the Status is still "unassigned" try refreshing the page in your browser (not the Azure Portal "refresh" button).

3640

When the gateway connects for the first time, a Device will be created in the IoT Hub. Navigate to your IoT Hub in the Azure Portal. Go to the IoT Devices page and confirm the device is listed. The gateway will be listed under the Device ID you entered earlier.

2715

The device is now connected.

Configure connection using IoT Hub DPS Enrollment Group

Open the Device Certificates section of Creating Additional Types of Certificates for Azure IoT in a new window and follow the instructions to create device certificates to use on the gateway. Continue with these instructions once you have created the device certificates.

Navigate to the Overview page of the Azure DPS. Copy/paste the Global device endpoint and ID Scope into the Global Endpoint and Scope ID in ESF.

2717

Run the following command to get the certificate.

cat device.crt

Note: This command uses a different filename than the screenshot below, but the output should be the same.

The output of that command will start with "-----BEGIN CERTIFICATE-----", then have a large block of random looking text, and end with "-----END CERTIFICATE-----".

1090

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Certificate textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Run the following command to get the private key.

cat device-private-key.pem

Note: This command uses a different filename than the screenshot below, but the output should be the same.

The output of that command will start with "-----BEGIN PRIVATE KEY-----", then have a large block of random looking text, and end with "-----END PRIVATE KEY-----".

1179

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Private Key textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Click Apply.

Click the Connect/Disconnect button. The Status should change to Connected. The connection process may take up to two minutes.

When the AzureDpsX509 is connected, navigate to the Enrollment Group Details page in DPS (via Manage Enrollments/Enrollment Groups and click your Enrollment Group). Select the Registration Records tab.

2730

Click your device to go to the Device Registration page. In the Registration Status section, confirm that the Status is "assigned." If the Status is still "unassigned" try refreshing the page in your browser (not the Azure Portal "refresh" button).

2723

When the gateway connects for the first time, a Device will be created in the IoT Hub. Navigate to your IoT Hub in the Azure Portal. Go to the IoT Devices page and confirm the device is listed.

2715

The device is now connected.

Configure connection using IoT Central Individual Enrollment

The Device Connection details page should still be open in your IoT Central Application. If not, open it by navigating to Devices/[Device Name]/Connect. Copy the ID scope into the Scope ID in ESF.

1275

The Global Endpoint can be found in the DPS in the Azure Portal by navigating to the Overview page of your Azure DPS.

Copy/paste the Global device endpoint to the Global Endpoint in ESF.

3361

Run the following command to get the certificate.

cat root-cert.pem

The output of that command will start with "-----BEGIN CERTIFICATE-----", then have a large block of random looking text, and end with "-----END CERTIFICATE-----".

1090

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Certificate textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Run the following command to get the private key.

cat root-private-key.pem

The output of that command will start with "-----BEGIN PRIVATE KEY-----", then have a large block of random looking text, and end with "-----END PRIVATE KEY-----".

1179

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Private Key textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Click Apply.

Click the Connect/Disconnect button. The Status should change to Connected. The connection process may take up to two minutes.

When the AzureDpsX509 is connected, navigate to the Devices page in your IoT Central Application. Confirm the Device status is Provisioned.

3356

The device is now connected.

Configure connection using IoT Central Enrollment Group

Navigate to the Device connection section of the Administration page in your IoT Central Application. Copy the ID Scope and paste it in the Scope ID in ESF.

3360

Navigate to the Overview page of the Azure DPS. Copy/paste the Global device endpoint into the Global Endpoint in ESF.

3361

Open the Device Certificates section of Creating Additional Types of Certificates for Azure IoT in a new window and follow the instructions to create device certificates to use on the gateway. Continue with these instructions once you have created the device certificates.

Run the following command to get the certificate.

cat device.crt

Note: This command uses a different filename than the screenshot below, but the output should be the same.

The output of that command will start with "-----BEGIN CERTIFICATE-----", then have a large block of random looking text, and end with "-----END CERTIFICATE-----".

1090

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Certificate textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Run the following command to get the private key.

cat device-private-key.pem

Note: This command uses a different filename than the screenshot below, but the output should be the same.

The output of that command will start with "-----BEGIN PRIVATE KEY-----", then have a large block of random looking text, and end with "-----END PRIVATE KEY-----".

1179

The large block of random looking text is blacked out in this image.

Copy and paste the entire output starting with "-----BEGIN" and ending with "CERTIFICATE-----". Paste this into the Device Private Key textbox in ESF.

🚧

Whitespace Warning

Be careful not to copy/paste any extra whitespace characters after the last dash. If extra whitespace characters are included the connection will fail.

Click Apply.

Click the Connect/Disconnect button. The Status should change to Connected. The connection process may take up to two minutes.

When the AzureDpsX509 is connected, navigate to the Devices page in your IoT Central Application. Confirm the device is listed, and that Device status is Provisioned. If the device does not show up, refresh the page in your browser.

3356

The device is now connected.