Quickstart: Create and provision a simulated X.509 device using C# device SDK for IoT Hub Device Provisioning Service

These steps show you how to use the Azure IoT Samples for C# to simulate an X.509 device on a development machine running the Windows OS. The sample also connects the simulated device to an IoT Hub using the Device Provisioning Service.

If you're unfamiliar with the process of autoprovisioning, be sure to also review Auto-provisioning concepts. Also make sure you've completed the steps in Set up IoT Hub Device Provisioning Service with the Azure portal before continuing.

The Azure IoT Device Provisioning Service supports two types of enrollments:

This article will demonstrate individual enrollments.

Note

The initial device twin state configuration is available only in the standard tier of IoT Hub. For more information about the basic and standard IoT Hub tiers, see How to choose the right IoT Hub tier.

Prepare the development environment

  1. Make sure you have the .NET Core 2.1 SDK or later installed on your machine.

  2. Make sure git is installed on your machine and is added to the environment variables accessible to the command window. See Software Freedom Conservancy's Git client tools for the latest version of git tools to install, which includes the Git Bash, the command-line app that you can use to interact with your local Git repository.

  3. Open a command prompt or Git Bash. Clone the Azure IoT Samples for C# GitHub repo:

    git clone https://github.com/Azure-Samples/azure-iot-samples-csharp.git
    

Create a self-signed X.509 device certificate and individual enrollment entry

In this section you, will use a self-signed X.509 certificate, it is important to keep in mind the following:

  • Self-signed certificates are for testing only, and should not be used in production.
  • The default expiration date for a self-signed certificate is one year.

You will use sample code from the Provisioning Device Client Sample - X.509 Attestation to create the certificate to be used with the individual enrollment entry for the simulated device.

  1. In a command prompt, change directories to the project directory for the X.509 device provisioning sample.

    cd .\azure-iot-samples-csharp\provisioning\Samples\device\X509Sample
    
  2. The sample code is set up to use X.509 certificates stored within a password-protected PKCS12 formatted file (certificate.pfx). Additionally, you need a public key certificate file (certificate.cer) to create an individual enrollment later in this quickstart. To generate a self-signed certificate and its associated .cer and .pfx files, run the following command:

    powershell .\GenerateTestCertificate.ps1
    
  3. The script prompts you for a PFX password. Remember this password, you must use it when you run the sample.

     Enter the PFX password

  4. Sign in to the Azure portal, select the All resources button on the left-hand menu and open your provisioning service.

  5. From the Device Provisioning Service menu, select Manage enrollments. Select Individual Enrollments tab and select the Add individual enrollment button at the top.

  6. In the Add Enrollment panel, enter the following information:

    • Select X.509 as the identity attestation Mechanism.

    • Under the Primary certificate .pem or .cer file, choose Select a file to select the certificate file certificate.cer created in the previous steps.

    • Leave Device ID blank. Your device will be provisioned with its device ID set to the common name (CN) in the X.509 certificate, iothubx509device1. This will also be the name used for the registration ID for the individual enrollment entry.

    • Optionally, you may provide the following information:

      • Select an IoT hub linked with your provisioning service.
      • Update the Initial device twin state with the desired initial configuration for the device.
    • Once complete, press the Save button.

      Add individual enrollment for X.509 attestation in the portal

    On successful enrollment, your X.509 enrollment entry appears as iothubx509device1 under the Registration ID column in the Individual Enrollments tab.

Provision the simulated device

  1. From the Overview blade for your provisioning service, note the ID Scope value.

    Extract Device Provisioning Service endpoint information from the portal blade

  2. Type the following command to build and run the X.509 device provisioning sample. Replace the <IDScope> value with the ID Scope for your provisioning service.

    dotnet run <IDScope>
    
  3. When prompted, enter the password for the PFX file that you created previously. Notice the messages that simulate the device booting and connecting to the Device Provisioning Service to get your IoT hub information.

    Sample device output

  4. Verify that the device has been provisioned. On successful provisioning of the simulated device to the IoT hub linked with your provisioning service, the device ID appears on the hub's IoT devices blade.

    Device is registered with the IoT hub

    If you changed the initial device twin state from the default value in the enrollment entry for your device, it can pull the desired twin state from the hub and act accordingly. For more information, see Understand and use device twins in IoT Hub

Clean up resources

If you plan to continue working on and exploring the device client sample, do not clean up the resources created in this quickstart. If you do not plan to continue, use the following steps to delete all resources created by this quickstart.

  1. Close the device client sample output window on your machine.
  2. Close the TPM simulator window on your machine.
  3. From the left-hand menu in the Azure portal, select All resources and then select your Device Provisioning service. At the top of the Overview blade, press Delete at the top of the pane.
  4. From the left-hand menu in the Azure portal, select All resources and then select your IoT hub. At the top of the Overview blade, press Delete at the top of the pane.

Next steps

In this quickstart, you’ve created a simulated X.509 device on your Windows machine and provisioned it to your IoT hub using the Azure IoT Hub Device Provisioning Service on the portal. To learn how to enroll your X.509 device programmatically, continue to the quickstart for programmatic enrollment of X.509 devices.