Individual Device Enrollment Using Azure Device Provisioning Service with X.509 Certificate

In my previous articles on the azure IoT series, we have learned about the Azure IoT Hub and Device Provisioning Service (DPS). If you have not read my previous articles about Azure device provisioning service yet, then please read them using the following link

As explained in the previous articles IoT devices to the IoT hub can be connected in two ways that are either using Device Provisioning Service (DPS) or directly to the IoT hub, So let's learn how to enroll the IoT devices with Device Provisioning Service (DPS).

What is Device Enrollment?

Device enrollment is the process of adding the pre-configured IoT devices details on Azure device provisioning service and connect to the IoT hub on-demand or based on the requirement without any human intervention.

Now let's learn step by step how to enroll the IoT devices

Login To Azure Portal

After login into the azure portal Find the device provisioning service which we have created in the How To Create Azure Device Provisioning Service or if you haven't created then please follow the steps shown in the article and create it. Hope you have DPS services on the portal, Now find the option manage enrollments as shown in the following image


 Device Provisioning Service (DPS) provide the  following two concepts,
  • Individual Enrollment
  • Group Enrollment
In this article we will learn about the individual device enrollment

What is Individual Enrollment?

This allows enrolling one device at a time that allows unique configuration per device. To create the individual enrollment select manage enrollment then click on Add individual enrollment as shown in the following image


After clicking on Add individual enrollment button the following screen will get appears


As shown in the preceding image, we need some details to create the enrollment entry,
  • Attestation Mechanism
  • Primary Certificate
  • Secondary certificate
  • IoT Hub Device Id
  • IoT Edge Device
  • Device Allocation Policy
  • Choose IoT Hub
  • Device Re-Provisioning
  • Device Twin State
  • Enable Entry
These details differ based on the chosen attestation mechanism type as shown in the following image

What is Attestation Mechanism?

The attestation Mechanism is the process of cross verifying the enrolled device identity during the device registration on IoT Hub, Device Provisioning Service supports the following attestation mechanism

  • X.509
  • TPM
  • SymetricKey
Now let's learn how to enroll devices using the above attestation mechanisms

Device Enrollment Using X.509

X.509 certificate is the security certificate which includes the authentication details about the device, these certificates can be provided by a device manufacturer which they can buy from the authorized certificate provider such as CA. For development and testing purposes we can create the x.509 certificate by using the tools like PowerShell or Openssl etc. I will show in the separate article how to generate an x.509 certificates.

I have X.509 certificates on my pc which I have generated using the PowerShell


Now choose X.509 attestation mechanism from the dropdown list and choose device.cer certificate as shown in the following image


After uploading the certificate provide the following optional details

IoT Hub Device Id

Provide the Device Id name which is the unique per x.509 certificate, This is optional, if you do not provide the device Id then registration id becomes the deviceid on Azure IoT hub

IoT Edge Device


Choose between true or false which indicates if its true then its as edge device else its an IoT device

Device Allocation Policy

This chosen policy decides how IoT device allocate to the IoT Hub, you can read my previous article on same to understand the details about the device allocation policies

Choose IoT Hub


DPS linked with multiple IoT Hubs, you can choose on which IoT hub device should register or you can let it decide by device allocation policy

Device Re-Provisioning Policy

There may be a requirement to re-provision the device, so during this process, it allows whether to keep the previous data or not.

Initial Device Twin State


The initial device twin allows storing the custom properties about the device or whatever you want. mostly device twin used to keep the device-related information such as the path of device upgrade package file or client details etc.

Example,

{  
  "tags": {},  
  "properties": {  
    "desired": {  
      "devicetype": "waterflow",  
      "client": "www.compilemode.com"  
    }  
  }  
}  

Enable Entry

This option allows enabling to disable the enrollment entry

Now providing the all above details click on save, after successfully creating the enrollment entry the following notification will be shown


Now go to our created device provisioning service (DPS) instance and see the created enrollment entry as follows



In the preceding image, you see the registration id as my device which is come from the certificate common name (CN).

Device Enrollment Using Symmetric Key

Now choose the symmetric key attestation mechanism from the dropdown list and check on auto-generated keys as shown in the following image


Provide the required details as we did in the x.509 enrollment, in the symmetric key attestation mechanism we need to provide the registration id but in x.509 enrollment the registration id taken from the certificate common name (CN).

Now providing the all above details click on save, now go to our created device provisioning service (DPS) instance and see the created enrollment entry as follows


As shown in the preceding image we see the registration id reg100 is go added, follow the same steps for other types of attestation mechanism, and enroll the device

Summary

I hope this article is useful to understand how to enroll the device using azure device provisioning service with X.509 certificate. In this series of Azure IoT, next, we will learn about the enrollment group of devices.

Post a Comment

www.CodeNirvana.in

Protected by Copyscape Online Copyright Protection
Copyright © Compilemode