You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This article provides end-to-end instructions for autoprovisioning one or more [IoT Edge for Linux on Windows](iot-edge-for-linux-on-windows.md) devices using X.509 certificates. You can automatically provision Azure IoT Edge devices with the [Azure IoT Hub device provisioning service](../iot-dps/index.yml) (DPS). If you're unfamiliar with the process of autoprovisioning, review the [provisioning overview](../iot-dps/about-iot-dps.md#provisioning-process) before continuing.
17
+
This article gives step-by-step instructions for autoprovisioning one or more [IoT Edge for Linux on Windows](iot-edge-for-linux-on-windows.md) devices using X.509 certificates. Automatically provision Azure IoT Edge devices with the [Azure IoT Hub device provisioning service](../iot-dps/index.yml) (DPS). If you aren't familiar with autoprovisioning, review the [provisioning overview](../iot-dps/about-iot-dps.md#provisioning-process) before you continue.
18
18
19
-
The tasks are as follows:
19
+
Here are the main tasks:
20
20
21
21
1. Generate certificates and keys.
22
-
1. Create either an **individual enrollment** for a single device or a **group enrollment** for a set of devices.
23
-
1. Deploy a Linux virtual machine with the IoT Edge runtime installed and connect it to the IoT Hub.
22
+
1. Create an **individual enrollment** for a single device or a **group enrollment** for a set of devices.
23
+
1. Deploy a Linux virtual machine with the IoT Edge runtime installed, and connect it to the IoT Hub.
24
24
25
-
Using X.509 certificates as an attestation mechanism is an excellent way to scale production and simplify device provisioning. Typically, X.509 certificates are arranged in a certificate chain of trust. Starting with a self-signed or trusted root certificate, each certificate in the chain signs the next lower certificate. This pattern creates a delegated chain of trust from the root certificate down through each intermediate certificate to the final downstream device certificate installed on a device.
25
+
X.509 certificates let you scale production and simplify device provisioning. Typically, X.509 certificates are arranged in a certificate chain of trust. The chain starts with a self-signed or trusted root certificate, and each certificate in the chain signs the next lower certificate. This pattern creates a delegated chain of trust from the root certificate through each intermediate certificate to the final downstream device certificate installed on a device.
26
26
27
27
## Prerequisites
28
28
@@ -34,31 +34,31 @@ Using X.509 certificates as an attestation mechanism is an excellent way to scal
34
34
35
35
## Generate device identity certificates
36
36
37
-
The device identity certificate is a downstream certificate that connects through a certificate chain of trust to the top X.509 certificate authority (CA) certificate. The device identity certificate must have its common name (CN) set to the device ID that you want the device to have in your IoT hub.
37
+
The device identity certificate is a downstream certificate that connects through a certificate chain of trust to the top X.509 certificate authority (CA) certificate. Set the common name (CN) of the device identity certificate to the device ID you want the device to use in your IoT hub.
38
38
39
-
Device identity certificates are only used for provisioning the IoT Edge device and authenticating the device with Azure IoT Hub. They aren't signing certificates, unlike the CA certificates that the IoT Edge device presents to modules or downstream devices for verification. For more information, see [Azure IoT Edge certificate usage detail](iot-edge-certs.md).
39
+
Use device identity certificates only for provisioning the IoT Edge device and authenticating the device with Azure IoT Hub. They aren't signing certificates, unlike the CA certificates that the IoT Edge device presents to modules or downstream devices for verification. For more information, see [Azure IoT Edge certificate usage detail](iot-edge-certs.md).
40
40
41
-
After you create the device identity certificate, you should have two files: a .cer or .pem file that contains the public portion of the certificate, and a .cer or .pem file with the private key of the certificate. If you plan to use group enrollment in DPS, you also need the public portion of an intermediate or root CA certificate in the same certificate chain of trust.
41
+
After you create the device identity certificate, you have two files: a .cer or .pem file that has the public portion of the certificate, and a .cer or .pem file with the private key of the certificate. If you use group enrollment in DPS, you also need the public portion of an intermediate or root CA certificate in the same certificate chain of trust.
42
42
43
43
You need the following files to set up automatic provisioning with X.509:
44
44
45
-
* The device identity certificate and its private key certificate. The device identity certificate is uploaded to DPS if you create an individual enrollment. The private key is passed to the IoT Edge runtime.
46
-
* A full chain certificate, which should have at least the device identity and the intermediate certificates in it. The full chain certificate is passed to the IoT Edge runtime.
45
+
* The device identity certificate and its private key certificate. Upload the device identity certificate to DPS if you create an individual enrollment. The private key is passed to the IoT Edge runtime.
46
+
* A full chain certificate, which has at least the device identity and the intermediate certificates in it. The full chain certificate is passed to the IoT Edge runtime.
47
47
* An intermediate or root CA certificate from the certificate chain of trust. This certificate is uploaded to DPS if you create a group enrollment.
48
48
49
49
> [!NOTE]
50
50
> Currently, a limitation in libiothsm prevents the use of certificates that expire on or after January 1, 2038.
51
51
52
52
### Use test certificates (optional)
53
53
54
-
If you don't have a certificate authority available to create new identity certs and want to try out this scenario, the Azure IoT Edge git repository contains scripts that you can use to generate test certificates. These certificates are designed for development testing only, and must not be used in production.
54
+
If you don't have a certificate authority available to create new identity certs and want to try out this scenario, the Azure IoT Edge git repository has scripts you can use to generate test certificates. Use these certificates for development testing only, and don't use them in production.
55
55
56
-
To create test certificates, follow the steps in [Create demo certificates to test IoT Edge device features](how-to-create-test-certificates.md). Complete the two required sections to set up the certificate generation scripts and to create a root CA certificate. Then, follow the steps to create a device identity certificate. When you're finished, you should have the following certificate chain and key pair:
56
+
To create test certificates, follow the steps in [Create demo certificates to test IoT Edge device features](how-to-create-test-certificates.md). Complete the two required sections to set up the certificate generation scripts and create a root CA certificate. Then, follow the steps to create a device identity certificate. When you finish, you have the following certificate chain and key pair:
You need both these certificates on the IoT Edge device. If you're going to use individual enrollment in DPS, then you upload the .cert.pem file. If you're going to use group enrollment in DPS, then you also need an intermediate or root CA certificate in the same certificate chain of trust to upload. If you're using demo certs, use the `<WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem` certificate for group enrollment.
61
+
You need both these certificates on the IoT Edge device. If youuse individual enrollment in DPS, upload the .cert.pem file. If youuse group enrollment in DPS, also upload an intermediate or root CA certificate in the same certificate chain of trust. If you use demo certificates, use the `<WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem` certificate for group enrollment.
62
62
63
63
<!-- Create a DPS enrollment using X.509 certificates H2 and content -->
@@ -68,31 +68,31 @@ You need both these certificates on the IoT Edge device. If you're going to use
68
68
69
69
## Provision the device with its cloud identity
70
70
71
-
Once the runtime is installed on your device, configure the device with the information it uses to connect to the device provisioning service and IoT Hub.
71
+
After you install the runtime on your device, configure the device with the information it uses to connect to the device provisioning service and IoT Hub.
72
72
73
-
Have the following information ready:
73
+
Make sure you have the following information:
74
74
75
-
* The DPS **ID Scope** value. You can retrieve this value from the overview page of your DPS instance in the Azure portal.
75
+
* The DPS **ID Scope** value. You find this value on the overview page of your DPS instance in the Azure portal.
76
76
* The device identity certificate chain file on the device.
77
77
* The device identity key file on the device.
78
78
79
-
Run the following command in an elevated PowerShell session with the placeholder values updated with your own values:
79
+
Run the following command in an elevated PowerShell session. Replace the placeholder values with your own values:
You can verify that the individual enrollment that you created in device provisioning service was used. Navigate to your device provisioning service instance in the Azure portal. Open the enrollment details for the individual enrollment that you created. Notice that the status of the enrollment is **assigned** and the device ID is listed.
91
+
Check that the individual enrollment you created in device provisioning service is used. Go to your device provisioning service instance in the Azure portal. Open the enrollment details for the individual enrollment you created. The status of the enrollment is **assigned**, and the device ID is listed.
92
92
93
93
# [Group enrollment](#tab/group-enrollment)
94
94
95
-
You can verify that the group enrollment that you created in device provisioning service was used. Navigate to your device provisioning service instance in the Azure portal. Open the enrollment details for the group enrollment that you created. Go to the **Registration Records** tab to view all devices registered in that group.
95
+
Check that the group enrollment you created in device provisioning service is used. Go to your device provisioning service instance in the Azure portal. Open the enrollment details for the group enrollment you created. Go to the **Registration Records** tab to see all devices registered in that group.
96
96
97
97
---
98
98
@@ -105,7 +105,7 @@ You can verify that the group enrollment that you created in device provisioning
105
105
>[!NOTE]
106
106
>The only account allowed to SSH to the virtual machine is the user that created it.
107
107
108
-
1. Once you are logged in, you can check the list of running IoT Edge modules using the following Linux command:
108
+
1. Once you're logged in, you can check the list of running IoT Edge modules using the following Linux command:
109
109
110
110
```bash
111
111
sudo iotedge list
@@ -126,22 +126,22 @@ You can verify that the group enrollment that you created in device provisioning
126
126
```
127
127
128
128
>[!NOTE]
129
-
>On a newly provisioned device, you may see an error related to IoT Edge Hub:
129
+
>On a newly provisioned device, you might see an error related to IoT Edge Hub:
130
130
>
131
131
>**× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error**
132
132
>
133
133
>**Could not check current state of edgeHub container**
134
134
>
135
135
>This error is expected on a newly provisioned device because the IoT Edge Hub module isn't running. To resolve the error, in IoT Hub, set the modules for the device and create a deployment. Creating a deployment for the device starts the modules on the device including the IoT Edge Hub module.
136
136
137
-
When you create a new IoT Edge device, it displays the status code `417 -- The device's deployment configuration is not set` in the Azure portal. This status is normal, and means that the device is ready to receive a module deployment.
137
+
When you create a new IoT Edge device, it shows the status code `417 -- The device's deployment configuration is not set` in the Azure portal. This status is normal and means the device is ready to receive a module deployment.
138
138
139
139
<!-- Uninstall IoT Edge for Linux on Windows H2 and content -->
The device provisioning service enrollment process lets you set the device ID and device twin tags at the same time as you provision the new device. You can use those values to target individual devices or groups of devices using automatic device management. Learn how to [Deploy and monitor IoT Edge modules at scale using the Azure portal](how-to-deploy-at-scale.md) or [using Azure CLI](how-to-deploy-cli-at-scale.md).
144
+
The device provisioning service enrollment process lets you set the device ID and device twin tags when you provision a new device. Use those values to target individual devices or groups of devices with automatic device management. Learn how to [deploy and monitor IoT Edge modules at scale using the Azure portal](how-to-deploy-at-scale.md) or [using Azure CLI](how-to-deploy-cli-at-scale.md).
0 commit comments