Azure IoT – Enrollment by X.509 Certificate
Enrolling with the Azure IoT Hub by X.509 certificate provides the base credentials for determining whether a device should be allowed to connect. It involves generation of keys and certificates that are then enrolled with the hub.
In this article, we demonstrate key/certificate generation through a C application supplied in the Azure IoT C SDK. We'll show you two different ways to enroll.
The group method is likely the one you'll use in production, but you may want to use the individual method for testing.
For a production device, there will be two possibilities for provisioning the device with keys and certificates.
On the factory floor. In one manufacturing scenario, key and certificate generation and management would be done on a secure system on the factory floor, using scripts and possibly a Hardware Security Module (HSM). This facility programs a device key into the ARTIK module Secure Storage and copies the corresponding certificate onto the board. This method allows the certificates to be "white listed" ahead of time.
In this scenario, no key generation software needs to be present on the module itself. A form of the C application code demonstrated here would be present on the factory floor equipment that pre-provisions the modules.
On the device. ARTIK modules provide a means of generating keys and certificates securely, making them ideal for such an application. No "white listing" is used; instead, an enrolled certificate can be revoked, and chip identifiers (such as the MAC address) can be recorded so that the device is denied future connections.
In this scenario, a form of the C application code demonstrated here would be installed on each module. At connect time, the module software would be used to generate a key and certificate at the moment it is needed and utilized by the C application to perform the enrollment.
Because we need to install and use the SDK on your ARTIK board for other tutorials anyway, we can use that same board as a generic Linux environment to emulate the factory floor equipment. As a result, we will discuss just a single approach of generating all certificates from the ARTIK board demo application. Adjust the model as needed to meet your needs.
Installing C SDK
To enroll a device or group of devices that are to be authenticated using an X.509 certificate (refer to X.509 CA certificate security concepts), we make use of Azure’s sample certificate generator application included with the Azure IoT C SDK.
Set up the Azure
- IoT Hub
- Device Provisioning Service
Refer to the introductory article for links and ARTIK-specific information.
apt install git
apt install build-essential
apt install cmake
apt install uuid-dev
apt install libssl-dev
apt install curl libcurl4-openssl-dev
Clone the Azure IoT C SDK
git clone https://github.com/Azure/azure-iot-sdk-c.git --recursive
Build the C SDK from a build directory (the SDK's own instructions use a subdirectory named cmake), enabling the provisioning client so that the enrollment tool is built:
cd azure-iot-sdk-c
mkdir cmake && cd cmake
cmake -Duse_prov_client:BOOL=ON ..
cmake --build .
Look for the dice_device_enrollment application under the directory
Hereafter, we'll refer to it simply as the "enrollment application".
For individual enrollment, each of the devices is signed into a certificate chain of trust by the X.509 CA – in our demonstration case, the device itself acts as CA. Refer to the X.509 CA certificate security overview.
Run the enrollment application and select Individual enrollment to obtain the device certificates (primary and secondary).
Device certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Press any key to continue:
Copy the contents of each certificate from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” and store them in files called certificate.pem and certificate_2.pem.
Enroll an IoT device.
- Select the “Device Provisioning Service” resource that you created earlier and choose “Manage enrollments”.
- Click on “Add individual enrollment”.
- Choose the mechanism as “X.509”
- Upload the device certificate
- Type the device id for the new IoT device
- Make sure that the DPS is linked to the right Azure IoT hub resource
Under “Individual enrollment”, locate the REGISTRATION ID.
With group enrollment of a device type, all of the device entries are associated with a specific intermediate or root CA certificate. These entries control enrollments for all devices that have that intermediate or root certificate in their certificate chain.
Run the enrollment application and select Group enrollment to obtain the root certificate.
root cert:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Enter the Validation Code (Press enter when finished):
- Copy the contents from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” and store it in a file called root.pem.
In order to generate the leaf device certificate, we need to obtain the validation code for the root certificate from the Device Provisioning Service and enter it into the enrollment application, which is still running and waiting at the prompt.
- Go to the Device Provisioning Service, choose “Certificates”, and click “Add”. Provide the Certificate Name as “root” and upload the root.pem file.
- On clicking “Save”, the status will be “Unverified”.
The certificate needs to be verified. Click the certificate name and then click “Generate Verification code” to generate the validation code.
Copy the code and enter it as the validation code in the enrollment application. Then copy the generated leaf certificate and save it in a file named leaf.pem.
Enter the Validation Code (Press enter when finished):
Leaf Certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Press any key to continue:
- Upload the leaf.pem file under “Verification certificate” to update the status as “Verified”
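The proof-of-possession check behind this verification step, reproduced with the openssl command line as an added example (not code from the article or from the Azure SDK's enrollment application): the leaf certificate carries the verification code as its Common Name and is signed by the root key, which is what DPS checks before marking the root “Verified”. It assumes an openssl CLI is installed; the verification code and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: emulate the DPS proof-of-possession flow with openssl.
# Assumes the openssl CLI; the code and file names are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: root CA key and self-signed certificate, the stand-in for the
# "root cert" that the enrollment application prints (root.pem).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=example-root-ca" \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.pem" 2>/dev/null
}

# Step 2: the verification (leaf) certificate. DPS expects the verification
# code it issued as the Common Name, and the certificate signed by the root key.
make_leaf() {
  code="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$code" \
    -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORKDIR/leaf.csr" \
    -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -out "$WORKDIR/leaf.pem" 2>/dev/null
}

# Step 3: the two checks DPS performs before the status becomes "Verified":
# the leaf chains to the uploaded root, and its CN equals the issued code.
# Prints "verified" or "rejected" and returns non-zero on rejection.
check_leaf() {
  code="$1"
  if ! openssl verify -CAfile "$WORKDIR/root.pem" "$WORKDIR/leaf.pem" >/dev/null 2>&1; then
    echo rejected; return 1
  fi
  cn=$(openssl x509 -in "$WORKDIR/leaf.pem" -noout -subject -nameopt RFC2253 \
       | sed 's/^subject= *//')
  [ "$cn" = "CN=$code" ] && echo verified || { echo rejected; return 1; }
}
```

Only the leaf built for the exact code the service issued passes; a leaf carrying any other CN, or one not signed by the uploaded root, is rejected.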
Once the root certificate is verified, it needs to be added to an enrollment group in the Device Provisioning Service.
- Go to “Manage enrollments” and click on “Add Enrollment Group”.
- Provide a name for the group and select the verified certificate as the primary certificate. Click on “Save”.
You can now click on the device created to gain access to the security credentials. Keep the key and connection strings available for reference so that you can install the credentials on your ARTIK board in the upcoming tutorial.