Provision X.509 Device Using Azure Device Provisioning Service

In this article, we will learn how to provision X.509 device using the Azure device provisioning service. If you have not read my previous articles about Azure device provisioning service yet, then please read them using the following link.As explained in the previous articles, IoT devices on the IoT hub can be connected in two ways that are
  • Using Device Provisioning Service then Azure IoT Hub
  • Directly to the Azure IoT hub
So let's learn how to enroll the IoT devices with Device Provisioning Service (DPS).

What is Device Enrollment?

Device enrollment is the process of adding the pre-configured IoT devices details on Azure device provisioning service and connect to the IoT hub on-demand or based on the requirement without any human intervention.

Now let's learn step by step how to enroll the IoT devices

Step 1: Login To Azure Portal

After login into the azure portal, find the device provisioning service which we have created in the How To Create Azure Device Provisioning Service article or if you haven't created it, then please follow the steps shown in the article and create it. I hope you have DPS services on the portal. Now find the option to manage enrollments as shown in the following image.


 Device Provisioning Service (DPS) provide the  following two concepts,
  • Individual Enrollment
  • Group Enrollment
In this article we will learn about the individual device enrollment

What is Individual Enrollment?

This allows enrolling one device at a time that allows unique configuration per device. 

Step 2:  Navigate To Azure Device Provisioning Service Instance

To create the individual enrollment, select manage enrollment, then click on the Add individual enrollment as shown in the following image.


After clicking on the Add individual enrollment button, the following screen will get appeared as shown in the step 3.

Step 3: Provide Enrollment Details and X.509 Certificate

Provide the required details including the X.509 security certificate


As shown in the preceding image, we need some details to create the enrollment entry,
  • Attestation Mechanism
  • Primary Certificate
  • Secondary certificate
  • IoT Hub Device Id
  • IoT Edge Device
  • Device Allocation Policy
  • Choose IoT Hub
  • Device Re-Provisioning
  • Device Twin State
  • Enable Entry
These details differ based on the chosen attestation mechanism type as shown in the following image

What is Attestation Mechanism?

The attestation Mechanism is the process of cross verifying the enrolled device identity during the device registration on IoT Hub, Device Provisioning Service supports the following attestation mechanism

  • X.509
  • TPM
  • SymetricKey
Now let's learn how to enroll devices using the above attestation mechanisms

Device Enrollment Using X.509

The X.509 is the security certificate which includes the authentication details about the device. These certificates can be provided by a device manufacturer which they can buy from the authorized certificate provider such as CA. For development and testing purposes we can create the X.509 certificate by using the tools like PowerShell or OpenSSl etc. I will show in a separate article how to generate the X.509 certificates.

I have X.509 certificates on my pc which I have generated using PowerShell. If you want to know how to create the X.509 test certificate, then you can learn by using the following link.


Now choose X.509 attestation mechanism from the dropdown list and choose the device.cer certificate as shown in the following image.


After uploading the certificate provide the following optional details

IoT Hub Device Id

Provide the Device Id name which is unique per X.509 certificate. This is optional, if you do not provide the device Id, then the registration id becomes the deviceId on the Azure IoT hub.

IoT Edge Device


Choose between true or false, which indicates if it's true, then it's an edge device, else it's an IoT device.

Device Allocation Policy

This chosen policy decides how IoT devices allocate to the IoT Hub, you can read my previous article to understand the details about the device allocation policies.

Choose IoT Hub

Device provisioning service can be linked with multiple IoT Hubs, you can choose on which IoT hub, device should register or you can let it decide by device allocation policy.

Device Re-Provisioning Policy

There may be a requirement to re-provision the device, so during this process, it allows whether to keep the previous data or not.

Initial Device Twin State

The initial device twin allows storing the custom properties about the device or whatever you want. Mostly, the device twin is used to keep the device-related information such as the path of the device upgrade package file or client details etc.

Example,


{  
  "tags": {},  
  "properties": {  
    "desired": {  
      "devicetype": "waterflow",  
      "client": "www.compilemode.com"  
    }  
  }  
}  

Enable Entry

This option allows enabling to disable the enrollment entry.

Now providing all the above details, click on the save. After successfully creating the enrollment entry, the following notification will be shown.


Now go to our created device provisioning service (DPS) instance and see the created enrollment entry as follows.



In the preceding image, you see the registration id as my device which comes from the certificate common name (CN).

Device Enrollment Using Symmetric Key

Now choose the symmetric key attestation mechanism from the dropdown list and check on auto-generated keys as shown in the following image.



Provide the required details as we did in the X.509 enrollment, in the symmetric key attestation mechanism we need to provide the registration id but in X.509 enrollment the registration id taken from the certificate common name (CN).

Now providing all the above details, click on the save, now go to our created device provisioning service (DPS) instance and see the created enrollment entry as follows.


As shown in the preceding image, we see the registration id reg100 is added, follow the same steps for other types of attestation mechanism, and enroll the device.

Summary

I hope this article is useful to understand how to provision X.509 device using the Azure device provisioning service.

Post a Comment

www.CodeNirvana.in

Protected by Copyscape
Copyright © Compilemode