How To Create X.509 Device Certificate

During the IoT application development we need the X.509 certificates for those devices which are depends on the X.509 based authentication. The developer test many scenarios during the development, so every time buying the new certificate and device for development is not possible, so we required something virtual but gives a real-life experience, so by considering time and cost, we will create the test certificates locally and test the Azure IoT experience. Microsoft has provided the sample PowerShell script on GitHub to generate the X.509 certificates.

What is use of X.509 Certificate?

The X.509 certificate helps to identify the device on IoT Hub using public and private keys stored within the certificate.

Step 1: Copy the PowerShell Script

Copy the following PowerShell script and save it on your PC storage location as GenerateTestCertificate.ps1 or whatever name you wish, just make sure you have saved the file having an extension .ps1.

# Copyright (c) Microsoft. All rights reserved.
# Licensed under the MIT license. See LICENSE file in the project root for full license information.

    $deviceName = "iothubx509device1",
    $certificateValidityInYears = 1

$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$deviceName, O=TEST, C=US" `
    -KeySpec Signature `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -KeyLength 2048 `
    -TextExtension @("{text}") `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears($certificateValidityInYears)

Write-Host "Generated the certificate:"
Write-Host $cert

Write-Host "Enter the PFX password:"
$password = Read-Host -AsSecureString

$cert | Export-PfxCertificate -FilePath certificate.pfx -Password $password
Set-Content -Path certificate.cer -Value ([Convert]::ToBase64String($cert.RawData)) -Encoding Ascii

I have saved the file on my E drive in the Cert folder which looks like as follows.

Step 2: Open the PowerShell ISE

Now open the PowerShell ISE command prompt in administrative mode as follows.

Make sure it's PowerShell ISE, not just PowerShell command prompt.

Step 3: Change The Directory

Change the directory location where your generate test certificate PowerShell file is located. In this article, the file is located under the E Drive Cert folder.

In the preceding image, the path is set to the Cert folder using the CD command in which our PowerShell Script file is located.

Step 4: Load GenerateTestCertificate.ps1 File

As shown in the following image, load the GenerateTestCertificate.ps1 file and  provide the parameter which is a CA (common name of the certificate) which internally can be become as a DeviceId of the IoT device. Make sure you are following the command syntax exactly as shown in the below image.

Once all details are given as shown in the image, then press the enter key on your keyboard, it will prompt the following screen. Provide the password for the pfx certificate and remember the password which is required during the provisioning the device on IoT Hub.

Once you enter the password press the enter or OK button as shown in the preceding image. Once the certificates are successfully generated, the following details are shown on the PowerShell command prompt.

There are two certificates created with the preceding procedure that are password-protected PKCS12 formatted file (certificate.pfx) and public key certificate file (certificate.cer).

The created certificates files are stored in the same location as your GenerateTestCertificate.ps1 file. Now navigate to the my E drive cert folder where you will see the created file.

As you see in the preceding image, the X.509 self signed certificates are created that are password-protected PKCS12 formatted file certificate.pfx and public key certificate file certificate.cer.

Both the certificates are required to authenticate the single device that is a public key certificate used to enroll the device on Azure device provisioning service and password protected .Pfx required to identify the device identity and provision the device on IoT Hub.


  • These certificates are only for testing purposes, don’t use for the production. 
  • Please buy the certificates from the respective device certificate authority for production requirement.


I hope from the preceding explanation you have learned how to create the X.509 test certificate. In my next article, we will learn how to enroll X.509 device on Azure Device provisioning service and provision the device on Azure IoT Hub. If you are facing any issue during generating the certificates then you can use the comment box to ask your queries.

If you are new to the IoT, then you can read my previous articles using the following given links to learn more about the IoT.

Related article

Post a comment

Protected by Copyscape Online Copyright Protection
Copyright © Compilemode