How To Create X509 Security Certificate

In this article, we will learn how to create a self-signed X.509 certificate for the Azure IoT Hub Device Provisioning Service and Azure IoT Hub, which is useful during development instead of relying on a real IoT device certificate. If you are new to IoT, you can read my previous articles to learn more about it.

What is the use of an X.509 Certificate?

The X.509 certificate identifies the device to IoT Hub. The certificate itself carries the device's public key and its subject name (the CN); the matching private key is not part of the certificate but is kept by the device and used to prove, during the TLS handshake, that the device really owns that identity.

How To Create X.509 Test Certificates locally?

X.509 certificates are required during the development of IoT applications for devices that rely on X.509-based authentication. A developer tests many scenarios during development, and obtaining a new real device certificate for each one is not practical, so we need something that is quick and cheap to produce yet behaves like a real device certificate. Considering time and cost, we will create the test certificates locally and use them to try out the Azure IoT experience. Microsoft has provided a sample PowerShell script on GitHub to generate the X.509 certificates.

Step 1: Copy the PowerShell Script

Copy the following PowerShell script and save it on your PC, for example as GenerateTestCertificate.ps1 (any name will do, as long as the file has the .ps1 extension).

# Copyright (c) Microsoft. All rights reserved.
# Licensed under the MIT license. See LICENSE file in the project root for full license information.

# Script parameters: the device name becomes the certificate CN (and therefore the
# device identity); validity defaults to one year.
param(
    $deviceName = "iothubx509device1",
    $certificateValidityInYears = 1
)

# Create a self-signed certificate (with an exportable private key) in the current
# user's personal store. The Extended Key Usage extension (OID 2.5.29.37) is set to
# Client Authentication (1.3.6.1.5.5.7.3.2), which a device presenting a TLS client
# certificate needs.
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$deviceName, O=TEST, C=US" `
    -KeySpec Signature `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -KeyLength 2048 `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears($certificateValidityInYears)

Write-Host "Generated the certificate:"
Write-Host $cert

Write-Host "Enter the PFX password:"
$password = Read-Host -AsSecureString

# certificate.pfx: certificate plus private key, protected by the password above.
$cert | Export-PfxCertificate -FilePath certificate.pfx -Password $password
# certificate.cer: the public certificate only, written as bare Base64 (no PEM header/footer).
Set-Content -Path certificate.cer -Value ([Convert]::ToBase64String($cert.RawData)) -Encoding Ascii

I have saved the file on my E drive in the Cert folder, which looks as follows.

Step 2: Open the PowerShell ISE

Now open the PowerShell ISE as an administrator, as follows. The execution policy must allow local scripts to run (for example RemoteSigned); otherwise PowerShell will refuse to load the .ps1 file.

Make sure it's PowerShell ISE, not just a PowerShell command prompt.

Step 3: Change The Directory

Change to the directory where your GenerateTestCertificate.ps1 file is located. In this article, the file is under the Cert folder on the E drive.

In the preceding image, the path is set to the Cert folder with the cd command; this is where our PowerShell script file is located.

Step 4: Load GenerateTestCertificate.ps1 File

As shown in the following image, load the GenerateTestCertificate.ps1 file and pass it the deviceName parameter. This value becomes the CN (common name) in the certificate subject, and it is also the device identity: the device ID you later register in IoT Hub must match it, and the Device Provisioning Service requires the enrollment's registration ID to match it too. Make sure you follow the command syntax exactly as shown in the image below.

Once all the details are given as shown in the image, press Enter. The following prompt appears. Provide the password for the PFX file and remember it; you will need it when you provision the device on the IoT Hub.

Once you have entered the password, press Enter or the OK button as shown in the preceding image. When the certificate has been generated, the following details are shown in the PowerShell console.

Two files are created by the preceding procedure: certificate.pfx, a password-protected PKCS#12 container holding the certificate together with its private key, and certificate.cer, which holds only the public certificate (written as Base64 without PEM header and footer lines).

The created files are stored in the same location as your GenerateTestCertificate.ps1 file. Navigate to the Cert folder on the E drive and you will see them.

Both files are needed to authenticate a single device, but they play different roles. The public certificate (certificate.cer) is what you upload when you enrol the device in the Azure Device Provisioning Service; it contains nothing secret. The PFX is what the device itself uses: its private key proves the device's identity during the TLS handshake with DPS and IoT Hub, so the PFX and its password must be handled as a device secret. Note also that the generator left a copy of the certificate with an exportable private key in your Cert:\CurrentUser\My store, so the same private key now exists on your workstation in two places as well as on whatever device you copy the PFX to; remove the copies you do not need. This is acceptable for a test certificate, but a production device should generate its key pair on the device (ideally inside a TPM or other hardware key store) so that the private key never exists anywhere else, and at scale should carry a certificate issued by your own CA so that device identities can be managed and revoked centrally.
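Before moving on to enrollment it is worth checking that the two files really contain what Steps 1 to 4 were meant to produce. The following verification script is my own addition, not the Microsoft sample and not something from the original article. It assumes certificate.pfx and certificate.cer are in the current directory; the script name VerifyTestCertificate.ps1, its parameters (-DeviceName, -PfxPath, -CerPath, -Generate, -RemoveFromStore) and the certificate.pem output file are this example's own choices.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# VerifyTestCertificate.ps1 (added example, not part of the article's script).
# Assumes certificate.pfx / certificate.cer from GenerateTestCertificate.ps1 are in
# the current directory; the parameter names and defaults are this example's own.
param(
    [string]$DeviceName = "iothubx509device1",   # the CN you passed to the generator
    [string]$PfxPath    = ".\certificate.pfx",
    [string]$CerPath    = ".\certificate.cer",
    [switch]$Generate,                           # run GenerateTestCertificate.ps1 first
    [switch]$RemoveFromStore                     # delete the copy left in Cert:\CurrentUser\My
)

$ErrorActionPreference = "Stop"

if ($Generate) {
    # The same invocation as Step 4; the generator prompts for the PFX password itself.
    & .\GenerateTestCertificate.ps1 -deviceName $DeviceName -certificateValidityInYears 1
}

# The generator writes the .cer as bare Base64 without PEM header/footer, so decode
# it back to DER bytes before handing it to X509Certificate2.
$der = [Convert]::FromBase64String((Get-Content -Path $CerPath -Raw).Trim())
$pub = [X509Certificate2]::new($der)

# Opening the PFX with the password proves the password is right and that the
# private key really is inside the file. Resolve-Path because .NET resolves relative
# paths against the process directory, not the PowerShell location.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$priv = [X509Certificate2]::new((Resolve-Path $PfxPath).Path, $pfxPassword)

$cn      = $pub.GetNameInfo([X509NameType]::SimpleName, $false)
$rsaBits = [RSACertificateExtensions]::GetRSAPublicKey($pub).KeySize
$ekuOids = @($pub.Extensions |
    Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

# Each entry is something IoT Hub or DPS will care about when the device connects.
$checks = [ordered]@{
    "CN equals the device ID you will register"   = ($cn -eq $DeviceName)
    "Self-signed (Subject equals Issuer)"         = ($pub.Subject -eq $pub.Issuer)
    ".cer and .pfx are the same certificate"      = ($pub.Thumbprint -eq $priv.Thumbprint)
    "PFX contains the private key"                = $priv.HasPrivateKey
    "RSA 2048-bit key"                            = ($rsaBits -eq 2048)
    "Signed with sha256WithRSAEncryption"         = ($pub.SignatureAlgorithm.Value -eq "1.2.840.113549.1.1.11")
    "EKU includes Client Authentication"          = ($ekuOids -contains "1.3.6.1.5.5.7.3.2")
    "Currently within the validity period"        = ($pub.NotBefore -le (Get-Date) -and $pub.NotAfter -gt (Get-Date))
}

$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    if (-not $check.Value) { $failed++ }
    $status = if ($check.Value) { "PASS" } else { "FAIL" }
    Write-Host ("[{0}] {1}" -f $status, $check.Key)
}

# IoT Hub's "X.509 Self-Signed" device registration asks for this thumbprint; a DPS
# individual enrollment takes the public certificate file instead.
Write-Host "Thumbprint : $($pub.Thumbprint)"
Write-Host "Valid until: $($pub.NotAfter.ToString('u'))"

# Also emit a PEM copy with proper header/footer and 64-character lines, which
# OpenSSL and other PEM readers accept without complaint.
$b64 = [Convert]::ToBase64String($pub.RawData)
$pemLines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pemPath = [System.IO.Path]::ChangeExtension($CerPath, ".pem")
Set-Content -Path $pemPath -Encoding Ascii -Value (@("-----BEGIN CERTIFICATE-----") + $pemLines + @("-----END CERTIFICATE-----"))
Write-Host "PEM copy   : $pemPath"

if ($RemoveFromStore) {
    # The generator left the certificate with an exportable private key in the user store;
    # remove it once the PFX is where it belongs so the key is not lying around on the workstation.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $pub.Thumbprint } | Remove-Item
}

if ($failed -gt 0) { exit 1 }
```

Run it as .\VerifyTestCertificate.ps1 -DeviceName iothubx509device1 from the folder holding the two files, or add -Generate to run the generator first. Any FAIL line (most often the CN not matching the device ID you intend to register) is far cheaper to catch here than during provisioning, and the thumbprint it prints is the value IoT Hub asks for when you register a device with X.509 self-signed authentication.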


I hope the preceding explanation has shown you how to create an X.509 test certificate. In my next article, we will learn how to enrol an X.509 device in the Azure Device Provisioning Service and provision the device on Azure IoT Hub. If you face any issue while generating the certificates, you can use the comment box to ask your queries.

Copyright © Compilemode