Tutorial: Use X.509 certificates to authenticate devices with Azure IoT Hub

You can use X.509 certificates to authenticate devices to an Azure IoT Hub.

This multi-part tutorial includes several articles that:

  • Show you how to create X.509 certificates and certificate chains using OpenSSL. OpenSSL is an open-source tool that is used broadly across the industry for cryptography and to create X.509 certificates.

  • Show you how to use utilities packaged with the Azure IoT SDKs that can help you quickly create test certificates to use with Azure IoT Hub. Many of these utilities wrap OpenSSL calls.

  • Provide instructions for how to authenticate a device with IoT Hub using a certificate chain.

Depending on your familiarity with X.509 certificates and the stage of development of your IoT solution, one or more of the tutorials in this section may be helpful. This introductory article will help you choose the best path through the other articles in this tutorial for your scenario.

X.509 certificate concepts

Before starting any of the articles in this tutorial, you should be familiar with X.509 certificates and X.509 certificate chains. The following articles can help bring you up to speed.

X.509 certificate scenario paths

Using a self-signed certificate to authenticate a device provides a quick and easy way to test IoT Hub features. Self-signed certificates shouldn't be used in production as they provide less security than a certificate chain anchored with a CA-signed certificate backed by a PKI. To learn more about creating and using a self-signed X.509 certificate to authenticate with IoT Hub, see Tutorial: Use OpenSSL to create self-signed certificates.

Using a CA-signed certificate chain backed by a PKI to authenticate a device provides the best level of security for your devices:

  • In production, we recommend you get your X.509 CA certificates from a public root certificate authority. Purchasing a CA certificate has the benefit of the root CA acting as a trusted third party to vouch for the legitimacy of your devices. If you already have an X.509 CA certificate, and you know how to create and sign device certificates into a certificate chain, follow the instructions in Tutorial: Upload and verify a CA certificate to IoT Hub to upload your CA certificate to your IoT hub. Then, follow the instructions in Tutorial: Test certificate authentication to authenticate a device with your IoT hub.

  • For testing purposes, we recommend using OpenSSL to create an X.509 certificate chain. OpenSSL is used widely across the industry to work with X.509 certificates. You can follow the steps in Tutorial: Use OpenSSL to create test certificates to create a root CA and intermediate CA certificate with which to create and sign device certificates. The tutorial also shows how to upload and verify a CA certificate. Then, follow the instructions in Tutorial: Test certificate authentication to authenticate a device with your IoT hub.

  • Several of the Azure IoT SDKs provide convenience scripts to help you create test certificate chains. For instructions about how to create certificate chains in PowerShell or Bash using scripts provided in the Azure IoT C SDK, see Tutorial: Use Microsoft-supplied scripts to create test certificates. The tutorial also shows how to upload and verify a CA certificate. Then follow the instructions in Tutorial: Test certificate authentication to authenticate a device with your IoT hub.
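As an added illustration of the CA-anchored path described above (my own script, not one from the Azure docs or the IoT SDKs), the POSIX shell below uses OpenSSL to build a root CA, an intermediate CA and a device certificate, then verifies the chain the way a relying party that trusts only the root would; the subject names, the device ID and the extension profiles are assumptions.

```shell
#!/bin/sh
# Added example, not from the Azure docs or IoT SDKs. Builds the chain
# root CA -> intermediate CA -> device certificate with OpenSSL, then checks
# it as a relying party would (IoT Hub trusts only the uploaded root).
# Subject names, the device ID and the extension profiles are assumptions.

build_chain() {
  dir="$1"; device_id="$2"
  mkdir -p "$dir" || return 1
  # Extension profiles: CA certificates may sign; the device leaf may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/leaf.ext"

  # 1. Root CA, self-signed: the trust anchor you upload to IoT Hub.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/root.key" 2>/dev/null
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # 2. Intermediate CA, signed by the root; it does the day-to-day device signing.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/intermediate.key" 2>/dev/null
  openssl req -new -key "$dir/intermediate.key" -subj "/CN=Example Intermediate CA" -out "$dir/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" 2>/dev/null

  # 3. Device certificate: the CN must equal the IoT Hub device ID.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/device.key" 2>/dev/null
  openssl req -new -key "$dir/device.key" -subj "/CN=$device_id" -out "$dir/device.csr" 2>/dev/null
  openssl x509 -req -in "$dir/device.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/device.pem" 2>/dev/null

  # The device presents leaf + intermediate; the root stays with the relying party.
  cat "$dir/device.pem" "$dir/intermediate.pem" > "$dir/device-chain.pem"
}

# Verification as a relying party does it: trust only the root and take the
# intermediate from what the device presents.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/device.pem" >/dev/null 2>&1
}

# Without the intermediate the leaf cannot be linked to the trusted root and is rejected.
leaf_alone_fails() {
  ! openssl verify -CAfile "$1/root.pem" "$1/device.pem" >/dev/null 2>&1
}
```

Run `build_chain <workdir> <device-id>` followed by `verify_chain <workdir>`; the files in `<workdir>` are the same three artifacts (root, intermediate, device leaf) the linked tutorials upload and test.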

Next steps

To learn more about the fields that make up an X.509 certificate, see Understand X.509 public key certificates.

If you're already familiar with X.509 certificates, and you want to generate test versions that you can use to authenticate to your IoT hub, see the following articles:

If you have a root CA certificate or subordinate CA certificate and you want to upload it to your IoT hub, you must verify that you own that certificate. For more information, see Tutorial: Upload and verify a CA certificate to IoT Hub.