Adding X.509 Device on Azure Device Provisioning Service

As explained in the previous articles, IoT devices can be connected to the IoT hub in two ways that are either using Device Provisioning Service (DPS) or directly to the IoT hub. So let's learn how to add X.509 device on the Device Provisioning Service, then in the next article we will register the same device on Azure IoT Hub.


We need a created Device Provisioning Service instance on Azure and same we have created in our last articles. You can read by using the following link.

Now we have an instance of Device Provisioning Service running on the Azure. In this article I have planned to add the X.509 Device on Azure Device Provisioning Service, so we need an X.509 certificate. You can use the following link to learn how to create the X.509 test certificate for the development environment.
Now we have all the required prerequisites that is Device Provisioning Service instance and X.509 device test certificate. Let's start the adding or enrolling the device step by step.

Step 1: Login To Azure Portal

Login into the Azure portal and find the device provisioning service which we have created in the How To Create Azure Device Provisioning Service article. If you haven't created it, then please follow the steps shown in the article and create the same.

I hope you have device provisioning services using the Azure portal. Now find the option to manage enrollments as shown in the following image.

 Device Provisioning Service (DPS) provide the  following two concepts,
  • Individual Enrollment
  • Group Enrollment
In this article, we will learn about the individual device enrollment.

What is Individual Enrollment?

This allows enrolling one device at a time that allows unique configuration per device. To create the individual enrollment, select manage enrollment, then click on the Add individual enrollment as shown in the following image.

After clicking on the Add individual enrollment button, the following screen will get appeared.

As shown in the preceding image, we need some details to create the enrollment entry,
  • Attestation Mechanism
  • Primary Certificate
  • Secondary certificate
  • IoT Hub Device Id
  • IoT Edge Device
  • Device Allocation Policy
  • Choose IoT Hub
  • Device Re-Provisioning
  • Device Twin State
  • Enable Entry
These details differ based on the chosen attestation mechanism type as shown in the following image.

What is Attestation Mechanism?

The attestation mechanism is the process of cross verifying the enrolled device identity during the device registration on IoT Hub. Device Provisioning Service supports the following attestation mechanism.

  • X.509
  • TPM
  • SymetricKey
Now let's learn how to enroll devices using the above attestation mechanisms.

Device Enrollment Using X.509

The X.509 certificate is the security certificate which includes the authentication details about the device. These certificates can be provided by a device manufacturer which they can buy from the authorized certificate provider such as CA. For development and testing purposes we can create the X.509 certificate by using the tools like PowerShell or Openssl etc.

Now choose X.509 attestation mechanism from the dropdown list and choose the device.cer certificate as shown in the following image.

After uploading the certificate, provide the following optional details.

IoT Hub Device Id

Provide the Device Id name which is unique per the X.509 certificate. This is optional, if you do not provide the device Id, then the registration id becomes the deviceid on the Azure IoT hub.

IoT Edge Device

Choose between true or false, which indicates that if it's true, then it's an edge device, else it's an IoT device.

Device Allocation Policy

This chosen policy decides how IoT devices allocate to the IoT Hub. You can read my previous article to understand the details about the device allocation policies.

Choose IoT Hub

DPS can be linked with multiple IoT Hubs, you can choose on which IoT hub device should register or you can let it decide by device allocation policy.

Device Re-Provisioning Policy

There may be a requirement to re-provision the device, so during this process, it allows whether to keep the previous data or not.

Initial Device Twin State

The initial device twin allows storing the custom properties about the device or whatever you want. Mostly, the device twin is used to keep the device-related information such as the path of the device upgrade package file or client details etc.


  "tags": {},  
  "properties": {  
    "desired": {  
      "devicetype": "waterflow",  
      "client": ""  

Enable Entry

This option allows enabling to disable the enrollment entry. Now providing all the above details, click the save button. After successfully creating the enrollment entry, the following notification will be shown.

Now go to our created device provisioning service instance and see the created enrollment entry as follows.

In the preceding image, you see the registration id as mydevice, which is from the certificate common name (CN).


I hope this article is useful to understand how to add the X.509 device on the Azure device provisioning service. In this series of Azure IoT, next, we will learn about the enrollment group of devices.

Related articles

Post a Comment

Protected by Copyscape
Copyright © Compilemode