How to implement IoT DPS x509 on device

Robin Gjølstad 31 Reputation points
2020-06-11T10:22:42.677+00:00

Hi

I've been trying to follow instructions and examples from the DPS documentation1 to implement provisioning using x.509 certificates.
Both on the documentation here, and in ESP's instructions2, the instructions are good and concise regarding individual enrollment. Group enrollment however isn't particularly well described on the device side.

For the individual enrollment, creating root- and leaf-certificates using ESP's instructions work well for both simulated and physical devices.
Which certificates to use for group enrollment, how to generate sample certificates and where to implement them I cannot find any clear answers to.

As far as I've managed to understand, group enrollment is based on a root- or intermediate certificate to create a device certificate, but how does one achieve this? And must this be done for each device? Is there any way to build a single firmware with a single certificate included and simply provision with a device name generated upon first boot?

As an absolute beginner in the world of provisioning and certificates, I hope someone will be able to provide a set of concise explanations and instructions which may ease my confusion.

Azure IoT Hub
Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,205 questions
{count} votes

Accepted answer
  1. António Sérgio Azevedo 7,671 Reputation points Microsoft Employee
    2020-06-15T11:50:37.11+00:00

    Which certificates to use for group enrollment, how to generate sample certificates and where to implement them I cannot find any clear answers to.

    Use the following Certificate Overview to create your test certificates.

    As far as I've managed to understand, group enrollment is based on a root- or intermediate certificate to create a device certificate, but how does one achieve this? And must this be done for each device? Is there any way to build a single firmware with a single certificate included and simply provision with a device name generated upon first boot?

    See IoT Hub Device Provisioning Service concepts#enrollment

    At device side you shouldn't need to change your code to be able to provision using group enrollment. You may need to have the entire certificate chain on your device to successfully provision: Sign Devices into a Certificate Chain of Trust

    See also: Controlling device access to the provisioning service with X.509 certificates

    I hope this can help you get started. Let me know if you have more questions? Otherwise please mark it as answer :).

    Thanks!


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.