all Technical posts

How to Achieve True End-to-End IoT Security with Azure

Internet of Things or IoT refers to a collection of managed and platform services across Edge and cloud that connect, monitor, and control billions of IoT assets. It also includes security and operating systems for devices and equipment, along with data and analytics that help businesses to build, deploy, and manage IoT applications. Automated cars, coffee machines, smart lights, and Smartwatches, — the world is full of IoT devices. These devices are running on advanced communication platforms and cloud computing solutions that enable seamless integration of devices, applications, services, networks, and gateways. The complexity, however, also raises the risk of security challenges.

There are several reasons why IoT devices and the security related to them are more challenging nowadays.

  1. Data is in the cloud platform.
  2. IoT devices are available on the market, which makes it easier for hackers to understand the architecture.
  3. Creating fake device identities becomes easier for hackers.
  4. Inadequate standards with the E2E IoT solution.

Microsoft believes in achieving true end-to-end IoT security with Azure

Obviously, it is not easy to select the right security when one deals with IoT device authentication. Every device has some hardware limitations and cost is also one of the major factors.

Securing the Azure IoT deployment can be divided into the following three security areas:

  • Device Security: Securing the IoT device while it is deployed
  • Connection Security: Ensuring all data transmitted between the IoT device and IoT Hub is confidential and tamper-proof.
  • Cloud Security: Providing a means to secure data while it moves through and is stored in the cloud.

In this blog, I will explain what the X.509 certificate is and how it can be authenticated to IoT hub.

X.509 certificates

The X.509 CA feature enables device authentication to IoT Hub using a Certificate Authority (CA). The certificate can be purchased or created. For PROD, it is recommended that users purchase from public root CA. Further X.509 CA certificates can be registered to IoT Hub where they will be used to authenticate your devices during registration and connection

  • Obtain the X.509 CA certificate. In this step, a public/private key pair is generated and signed into a certificate.

The process of creating an X.509 certificate locally will help a developer to test the scenarios where purchasing the certificate is not possible from a cost perspective. Microsoft has provided the script which will create test certificates locally:

Below, two certificates are created.

The above two certificates are required to authenticate the device. The extension cer is used to enroll the device, and pfx is required to identify the device identity and provision the device on IoT Hub.

  • Register the X.509 certificate to IoT Hub.

Registering the X.509 CA certificate is a two-step process: certificate upload and proof-of-possession.

  • Sign devices into a certificate chain of trust.

X.509 CA certificate authentication offers elegant solutions to the aforelisted challenges through the use of certificate chains. A certificate chain results from a CA signing an intermediate CA that in turn signs another intermediate CA and so goes on until a final intermediate CA signs a device.

  • Device Connection.

Devices manufactured for X.509 CA authentication are equipped with device unique certificates and a certificate chain from their respective manufacturing supply chain. Device connection, even for the very first time, happens in a two-step process: certificate chain upload and proof-of-possession.

Just as with the X.509 CA registration process, IoT Hub would initiate a proof-of-possession challenge-response process to ascertain that the chain and hence device certificate actually belongs to the device uploading it. It does so by generating a random challenge to be signed by the device using its private key for validation by IoT Hub. A successful response triggers IoT Hub to accept the device as authentic and grant it a connection.


The above diagrams are based on the Microsoft documentation.


Subscribe to our RSS feed

Thanks, we've sent the link to your inbox

Invalid email address


Your download should start shortly!

Stay in Touch - Subscribe to Our Newsletter

Keep up to date with industry trends, events and the latest customer stories

Invalid email address


Great you’re on the list!