Device Fleet provisioning in Azure IoT Central

It is easy to provision an individual IoT device in Azure IoT Central. All you need is to create a Device Template, to register a new device, and connect it using chosen authorization mechanism. But what to do if you need to provision hundreds or thousands of IoT devices? I will show you how to do that.

We will implement the following architectural pattern:

Devices will be registered in Azure IoT Central automatically by Device Provisioning Service (DPS). No need to create devices in the AIC explicitly, all the more so because there could be thousands of such devices. But, to make it work, we’ll need to fulfill some prerequisites:

  • Create a device template, which will be used by device twins
  • Generate a root certificate used in a group enrollment
  • Create a group enrollment
  • Generate device certificates.

Let’s start with the first point.

Create a device template

First, we need a device template, which will be automatically associated with our devices, when they connect to the IoT Central.

Open Azure IoT Central and select your AIC application (or create a new one). Select “Device templates” tab in “App settings” of the application, and create a custom template for IoT device. I created a simple “WindSpeed” template with one property:

WindSpeed device template

Save the template and publish it.

Later, we’ll need a model ID, which is used by Azure IoT Central to associate a device with the correct device template. Click on the “View identity” button to open a template identity panel:

Identity

“Interface @id” field contains model ID (dtmi:jpTelemetry002:WindSpeed6f2;1). Copy and save this value in a text file for future use.

Generate a root certificate

In order to provide a group enrollment of our devices, we’ll be using X.509 certificates as the recommended device authentication mechanism for IoT Central. Thus, we need to generate an X.509 root certificate for our enrollment group. The process is described in the Generate root and device cert article. But I would suggest to make some changes in this process. First steps are the same: clone the GitHub repository for the certificate generation scripts and install the required packages:

git clone https://github.com/Azure/azure-iot-sdk-node.git
cd azure-iot-sdk-node/provisioning/tools
npm install

But then, I would recommend to open the create_test_cert.js script in an editor, and change the number of days before expiration to 365 in line 70:

  days: 365,

And then, you can create a root certificate:

node create_test_cert.js root mytestrootcert

Create a group enrollment

Open “Administration” -> “Device connection” panel. Copy and save ID scope for future use:

Press the “Create enrollment group” button to create a new enrollment group with an attestation type of Certificates (X.509):

Open the enrollment group you created and press the “Manage Primary” button. Upload the root certificate mytestrootcert_cert.pem you generated previously:

To complete the verification, generate the verification code and use it to create a verification certificate. Run the script:

node create_test_cert.js verification --ca mytestrootcert_cert.pem --key mytestrootcert_key.pem --nonce {verification-code}

Upload the verification certificate verification_cert.pem to complete the verification process. Now your primary root certificate is verified, and can be used to generate derived device certificates.

Generate device certificates

Each device needs its own leaf certificate, which is derived from the root or intermediate certificate. Run the script to generate a device certificate:

node create_test_cert.js device device-01 mytestrootcert

The script will create three files:

device01_cert.pem
device01_key.pem
device01_fullchain.pem

Pay attention to that device-01 is a unique device identifier, which can contain letters, numbers, and the ‘-‘ character. Upon successful enrollment, this X.509 device will appear as device-01 in the “Devices” panel.

To check a device ID of an existing leaf certificate, you can copy the certificate and give the “.crt” extension. For example, copy the device01_cert.pem to device01_cert.crt and open it to see its CNAME value, containing device id:

The code

Clone the azure-iot-blog GitHub repository:

git clone https://github.com/jevgenij-p/azure-iot-blog.git

Change current working directory to iot-central/device-fleet. Copy device certificate files, you created, to this directory.

Open the set_env.bat (or set_env.sh if you are working on Linux) in an editor, and replace values of PROVISIONING_IDSCOPE, DPS_X509_REGISTRATION_ID, MODEL_ID, X509_CERT_FILE, X509_KEY_FILE with the values you saved before.

Run the set_env.bat (or set_env.sh) script to set environment variables.

Run the program, provisioning the device-01 and sending simulated telemetry to the IoT Central:

python3 provision_x509.py

Program output will look like so:

Open your Azure IoT Central application, and select “Devices” tab. You should see your device:

Click on the device name to see its telemetry:

Conclusion

Now you’ve learned how to provision a large number of devices in your IoT Central application without need to register each device manually.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s