Provisioning Certificates for IoT Devices

Question

Provisioning Certificates for IoT Devices

Roy 60

I’m developing an IoT device system and facing the challenge of certificate provisioning. I want to implement a provisioning system that runs on the device’s first connection to the internet. We plan to use MQTT for device-to-cloud communication.

I found that Azure DPS can generate certificates, but its usage is limited to Azure IoT Hub. Additionally, the IoT Hub documentation recommends using Event Grid if MQTT is desired, as it supports all the necessary features.

So, what should I do if I follow that recommendation and use Event Grid? How can I automatically generate certificates in that case?

VSawhney 715 Reputation points Microsoft External Staff Moderator

2025-06-18T13:33:15.7533333+00:00
Hello Roy,

It sounds like you're diving into the complexities of provisioning certificates for your IoT devices, especially focusing on using Azure DPS and Event Grid with MQTT. Here’s what I can suggest:

Understanding the Role of Azure DPS and Event Grid

Azure Device Provisioning Service (DPS) is tightly integrated with Azure IoT Hub and is designed to automate device onboarding using X.509 certificates, TPM, or SAS tokens. However, if you're shifting toward Azure Event Grid with MQTT, the provisioning flow changes slightly.

Event Grid now supports MQTT client authentication using certificate chains, which allows you to authenticate devices using X.509 certificates without relying on IoT Hub or DPS directly.

Automating Certificate Generation and Provisioning

To automate certificate provisioning during the device’s first connection, here’s a recommended approach:

a. Set Up a Certificate Authority (CA)

You’ll need a CA to issue certificates. You can use tools like Step CLI to generate root and intermediate certificates and then issue client certificates for your devices.

Example command to generate a client certificate:

.\step certificate create client1-authnID client1-authnID.pem client1-authnID.key --ca .step/certs/intermediate_ca.crt --ca-key .step/secrets/intermediate_ca_key --no-password --insecure --not-after 2400h

b. Upload CA Certificate to Event Grid

In the Azure portal:

Navigate to your Event Grid Namespace.

Under MQTT Broker, go to CA Certificates.

Upload your intermediate certificate (e.g., .crt, .pem, or .cer file).

c. Configure Client Authentication

Go to the Clients section in Event Grid.

Add a new client with the certificate subject name and validation scheme.

This enables the MQTT broker to authenticate the device using the uploaded certificate.

Device Firmware Logic

On first boot:

The device generates a certificate (or retrieves one from a secure element like HSM).

It connects to Event Grid using MQTT and presents the certificate.

Event Grid validates the certificate against the uploaded CA chain and authenticates the device.

This setup supports zero-touch provisioning if you preload certificates in HSMs or automate generation via firmware logic.
Reference Link 1: Client authentication using CA certificate chain
Reference Link 2: Device authentication concepts in IoT Central

Hope this solves your issue!
Thank you!
Roy 60 Reputation points

2025-06-18T17:28:56.9766667+00:00

Can I use PHP to create clients in Event Grid when I receive orders from IoT devices in order to provide them with their certificates?
Manas Mohanty 5,700 Reputation points Microsoft External Staff Moderator

2025-06-18T23:07:15.6+00:00
Hello Roy

Not sure on php side. But Event grid clients are available officially in below options.

REST APi

Dot net

Java

Java script

Python

Go

https://learn.microsoft.com/en-us/azure/event-grid/sdk-overview

Please let us know if you can accept 1st comment from Vaibhab as answer

Thank you.

Accepted answer

0 additional answers

Your answer

Roy 60 Reputation points

2025-06-18T17:28:56.9766667+00:00

Can I use PHP to create clients in Event Grid when I receive orders from IoT devices in order to provide them with their certificates?
Manas Mohanty 5,700 Reputation points Microsoft External Staff Moderator

2025-06-18T23:07:15.6+00:00

Hello Roy

Not sure on php side. But Event grid clients are available officially in below options.

REST APi

Dot net

Java

Java script

Python

Go

https://learn.microsoft.com/en-us/azure/event-grid/sdk-overview

Please let us know if you can accept 1st comment from Vaibhab as answer

Thank you.

Answer 1

Hello @Roy,

welcome to this moderated Azure community forum.

The Device provisioning service is bound to one or more IoT Hub, registering (and moving around) devices to specific IoT Hub based on a registration flow.

The IoT Hub is a great cloud gateway with secure two way connection and a 'device twin' containing state for each device.

The IoT Hub communicates over MQTT (and other protocols are supported) but it is not a vanilla MQTT broker.

If you want to use plain MQTT complete with freedom to use your own topic structure, the EventGrid Namespace MQTT broker is a better choice.

At this moment, the EventGrid Namespace does not have a provisioning service. So you need to build something yourself.

At this moment, the Eventgrid namespace MQTT broker has a new public preview feature :

Webhook authentication allows external HTTP endpoints (webhooks or functions) to authenticate MQTT connections dynamically.

You can add custom (Azure Function) logic to the authentication flow.

Perhaps this could help you?

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

Share via

Provisioning Certificates for IoT Devices

0 additional answers

Your answer