X.509 Bootstrap (XBoot) for Azure Device Provisioning Service
X.509 Bootstrap (aka XBoot) is a reference application that lets IoT device builders load a generic firmware image onto their devices at the time of manufacturing and avoid the cost of "touching" each device to install individual X.509 certificates, during or after manufacturing.
For IoT device builders who want to use X.509 certificates to authenticate their devices with IoT Hub, the Azure Device Provisioning Service (DPS) provisioning process assumes you already have a process to install the certificates on the devices. This is where XBoot comes in!
With XBoot, when the IoT device starts up, the device generates an X.509 certificate signing request (CSR) using the (optional) XBoot.Client .NET SDK, sends the CSR to the XBoot.Server REST endpoint, and receives a signed X.509 certificate back. At this point, the XBoot process is complete. The device can now use the certificate as part of the standard Azure DPS attestation process and to authenticate with Azure IoT Hub.
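The CSR round trip described above, as an added example that is not code from the XBoot repository. It uses the built-in .NET `CertificateRequest` class (.NET 7 or later) rather than the XBoot.Client SDK, runs both sides in one process instead of over the REST endpoint, and the CA, subject names and validity periods are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var now = DateTimeOffset.UtcNow;

// Constructed stand-in for the signing CA held on the server side.
using var caKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var caReq = new CertificateRequest("CN=Example Signing CA", caKey, HashAlgorithmName.SHA256);
caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
using var caCert = caReq.CreateSelfSigned(now.AddDays(-1), now.AddYears(5));

// Device: generate the key pair locally and build a PKCS#10 CSR.
using var deviceKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var csr = new CertificateRequest("CN=device-0001", deviceKey, HashAlgorithmName.SHA256);
byte[] csrDer = csr.CreateSigningRequest(); // only these bytes leave the device

// Server: parse the CSR. By default LoadSigningRequest checks the CSR's
// self-signature (proof that the requester holds the private key) and
// throws CryptographicException if it does not verify.
var received = CertificateRequest.LoadSigningRequest(csrDer, HashAlgorithmName.SHA256);

// Extensions requested in the CSR are not loaded by default, so the
// server decides what the issued certificate may be used for.
received.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
received.CertificateExtensions.Add(
    new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));

// Validity must fall inside the CA certificate's own validity period.
byte[] serial = RandomNumberGenerator.GetBytes(16);
using var issued = received.Create(caCert, now, now.AddYears(1), serial);

// Device: pair the returned certificate with the key that never left it.
// CopyWithPrivateKey throws if the certificate's public key does not match.
using var deviceCert = issued.CopyWithPrivateKey(deviceKey);

Console.WriteLine($"Subject:         {deviceCert.Subject}");
Console.WriteLine($"Issuer:          {deviceCert.Issuer}");
Console.WriteLine($"Has private key: {deviceCert.HasPrivateKey}");
Console.WriteLine($"Issued by CA:    {deviceCert.Issuer == caCert.Subject}");
```

The private key is created on the device and is never serialized; only the DER-encoded CSR and the signed certificate cross the network.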
I developed XBoot after seeing several partners struggle with developing a process and tooling to generate and install individual X.509 certificates on IoT devices, at scale, with few (or no) changes to their existing manufacturing processes.
XBoot is open source and available at khilscher/xboot: X.509 Bootstrap (github.com). The GitHub repo also has instructions for generating your own signing certificates. XBoot was developed as a reference application to help you develop your own solution. It is not an end-to-end solution for you to use in production.
I look forward to your feedback.
Digital Architect Specializing in AI | Strategic Consulting | Cloud Solutions Architect | App Migration
1y: Exactly what I'm struggling with, as we ramp up high enough and get manufacturing involved yet.
CTO | Digital transformation - value creation with IoT and Cloud Solutions | Architect | Microsoft IoT MVP & Microsoft Azure MVP
4y: Sounds very interesting. Have to try it 😊. Well done. The IoT simulator (DPS version) with CA X509 will be released soon 😉. Being documented...