Announcing support for X.509 CA on Azure IoT Hub

Publikováno dne 10 října, 2017

Senior Program Manager

We’re pleased to announce support for X.509 Certificates Authorities (X.509 CA) on Azure IoT Hub!

The use of X.509 CA simplifies the creation of initial unique Internet of Things (IoT) certificate identities for devices in the device manufacturing flow. Instead of pre-creating the identities for every device and having to protect associated secrets during manufacturing, the use of X.509 CA simplifies the flow into two, one-time processes for the certificate owner.

  • Authorize the factory once, enabling it to create initial identities for IoT devices, or enable downstream factories and/or service providers in the manufacturing flow. This enablement process, called signing, only needs to happen once. Learn more about signing and certificate chains.
  • Upload the X.509 CA certificate to the Azure IoT Hub where it will be used to authenticate IoT devices as they connect. The upload is a one-time process.

Figure 1: Using X.509 Certificate Authorities on Azure IoT Hub

The X.509 CA feature can be used alone or in conjunction with the Azure IoT Hub Device Provisioning Service (DPS). When used with DPS it enables provisioning for true zero-touch secure identity management for IoT.

X.509 CA reduces the burden of keeping private keys secret in a supply chain, especially when multiple custodians are involved. Private keys are an integral part of the certificate identities for IoT devices. Without using X.509 CA, unique private keys would have to be pre-generated and kept secret until securely injected into the IoT device, for every device. For each device, a unique attribute of the key called a thumbprint is created and registered to IoT Hub. The thumbprint in IoT Hub would then be used to authenticate the device when it connects. Using X.509 CA certificate in contrast means you only have to register a CA certificate once. You can use it to authenticate as many devices as needed. The burden is further reduced when private keys are generated within secure silicon hardware, eliminating the injection process altogether. Learn more about how Microsoft supports a wide variety of secure hardware.

Creating support for X.509 CA on Azure IoT Hub is part of Microsoft’s relentless efforts towards simplifying deployment of secure Internet of Things. Simplifying the creation of initial device identities is another step towards enabling IoT at scale, and allows customers to use DPS to provision devices.

Learn more about Microsoft IoT

Microsoft is simplifying IoT so every business can digitally transform through IoT solutions that are more accessible and easier to implement. Microsoft has the most comprehensive IoT portfolio with a wide range of IoT offerings to meet organizations where they are on their IoT journey, including everything businesses need to get started — ranging from operating systems for their devices, cloud services to control them, advanced analytics to gain insights, and business applications to enable intelligent action. To see how Microsoft IoT can transform your business, visit

Get started using the X.509 CA feature!