Add Certificate Management support over Azure IoT Hub

[ewertons]

Thank you for helping us improve the Azure IoT Python SDK!

Need Support

• Have a feature request for SDKs? Please post it on User Voice to help us prioritize
• Have a technical question? Please see IoT support options for information on posting questions on Microsoft Q&A and Stack overflow using the "azure-iot-sdk" tag.
• Need Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team
• Found a bug? Please help us fix it by thoroughly documenting it and filing an issue on GitHub (See below).

Here's a little checklist of things that will help it make its way to the repository: Note that you don't have to check all the boxes, we can help you with that.
This being said, the more you do, the quicker it'll go through our gated build!
-->

Checklist

• I have read the contribution guidelines.
• I added or modified the existing tests to cover the change (we do not allow our test coverage to go down).
• If this is a modification that impacts the behavior of a public API
  • I edited the corresponding document in the devdoc folder and added or modified requirements.

[Copilot]

Pull request overview

Adds end-to-end certificate management support by enabling DPS registration with a CSR (to obtain an issued device cert) and enabling IoT Hub certificate re-issuance over MQTT, along with samples and supporting dev utilities.

Changes:

• Extend DPS provisioning pipeline to optionally include a CSR in registration payload and surface the issued certificate chain on the registration result.
• Add IoT Hub MQTT support for certificate issuance operations (CSR request/response correlation, topics, client APIs).
• Add certificate management samples/docs and dev utility helpers for provisioning service operations.

Reviewed changes

Copilot reviewed 55 out of 410 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
scripts/dps_cert_mgmt/service_api_tokengen.py	Adds a helper script to generate DPS service SAS tokens
scripts/dps_cert_mgmt/device_api_tokengen.py	Adds a helper script to generate DPS device SAS tokens
scripts/create_x509_chain_crypto.py	Adds extra console output during pipeline cert generation
samples/pnp/simple_thermostat.py	Tweaks reboot handler input validation
samples/cert-mgmt/certificate_management.md	New documentation for certificate management sample/config
samples/cert-mgmt/certificate_issuance.py	New sample demonstrating DPS cert issuance + IoT Hub re-issuance
samples/async-hub-scenarios/provision_x509.py	Align env var names with provisioning sample conventions
requirements_test.txt	Adjust test dependencies for provisioning e2e/dev utils
dev_utils/dev_utils/provisioningservice/utils/sastoken.py	Adds SAS token helper for provisioning service client
dev_utils/dev_utils/provisioningservice/utils/connection_string.py	Adds connection string parsing/validation utility
dev_utils/dev_utils/provisioningservice/utils/auth.py	Adds msrest Authentication adapter for connection strings
dev_utils/dev_utils/provisioningservice/utils/init.py	Initializes provisioningservice utils package
dev_utils/dev_utils/provisioningservice/protocol/version.py	Adds API version constant for generated protocol layer
dev_utils/dev_utils/provisioningservice/protocol/models/x509_certificates.py	Generated model for X509Certificates
dev_utils/dev_utils/provisioningservice/protocol/models/x509_certificate_with_info.py	Generated model for X509CertificateWithInfo
dev_utils/dev_utils/provisioningservice/protocol/models/x509_certificate_info.py	Generated model for X509CertificateInfo
dev_utils/dev_utils/provisioningservice/protocol/models/x509_ca_references.py	Generated model for X509CAReferences
dev_utils/dev_utils/provisioningservice/protocol/models/x509_attestation.py	Generated model for X509Attestation
dev_utils/dev_utils/provisioningservice/protocol/models/twin_collection.py	Placeholder/commented generated model for TwinCollection
dev_utils/dev_utils/provisioningservice/protocol/models/tpm_attestation.py	Generated model for TpmAttestation
dev_utils/dev_utils/provisioningservice/protocol/models/symmetric_key_attestation.py	Generated model for SymmetricKeyAttestation
dev_utils/dev_utils/provisioningservice/protocol/models/reprovision_policy.py	Generated model for ReprovisionPolicy
dev_utils/dev_utils/provisioningservice/protocol/models/provisioning_service_error_details.py	Generated error model + exception type
dev_utils/dev_utils/provisioningservice/protocol/models/metadata.py	Generated model for Metadata
dev_utils/dev_utils/provisioningservice/protocol/models/initial_twin_properties.py	Generated model for InitialTwinProperties
dev_utils/dev_utils/provisioningservice/protocol/models/initial_twin.py	Generated model for InitialTwin
dev_utils/dev_utils/provisioningservice/protocol/models/individual_enrollment.py	Generated model for IndividualEnrollment incl. cert issuance policy
dev_utils/dev_utils/provisioningservice/protocol/models/enrollment_group.py	Generated model for EnrollmentGroup incl. cert issuance policy
dev_utils/dev_utils/provisioningservice/protocol/models/device_registration_state.py	Generated model for DeviceRegistrationState
dev_utils/dev_utils/provisioningservice/protocol/models/custom_allocation_definition.py	Generated model for CustomAllocationDefinition
dev_utils/dev_utils/provisioningservice/protocol/models/client_certificate_issuance_policy.py	Generated model for clientCertificateIssuancePolicy
dev_utils/dev_utils/provisioningservice/protocol/models/attestation_mechanism.py	Generated model for AttestationMechanism
dev_utils/dev_utils/provisioningservice/protocol/models/init.py	Exposes generated models via package init
dev_utils/dev_utils/provisioningservice/protocol/init.py	Exposes protocol version
dev_utils/dev_utils/provisioningservice/client.py	Adds provisioning service client based on msrest + generated models
azure-iot-device/azure/iot/device/provisioning/provisioning_device_client.py	Passes CSR through to pipeline register operation
azure-iot-device/azure/iot/device/provisioning/pipeline/pipeline_stages_provisioning.py	Adds CSR to DPS registration payload and maps issued cert chain
azure-iot-device/azure/iot/device/provisioning/pipeline/pipeline_ops_provisioning.py	Extends RegisterOperation with client CSR field
azure-iot-device/azure/iot/device/provisioning/pipeline/mqtt_pipeline.py	Extends pipeline register API to accept CSR
azure-iot-device/azure/iot/device/provisioning/models/registration_result.py	Surfaced issued client certificate chain on registration state
azure-iot-device/azure/iot/device/provisioning/aio/async_provisioning_device_client.py	Async register now passes CSR into pipeline
azure-iot-device/azure/iot/device/provisioning/abstract_provisioning_device_client.py	Adds client_certificate_signing_request property on client
azure-iot-device/azure/iot/device/iothub/sync_clients.py	Adds sync client API to send CSR to IoT Hub and receive response
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_stages_iothub_mqtt.py	Adds MQTT translation for CSR request/response topics
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_stages_iothub.py	Adds request/response correlation stage for CSR operations
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_ops_iothub.py	Adds pipeline operation type for CSR requests
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_events_iothub.py	Adds pipeline event type for CSR responses
azure-iot-device/azure/iot/device/iothub/pipeline/mqtt_topic_iothub.py	Adds topic helpers for CSR publish/subscribe and parsing
azure-iot-device/azure/iot/device/iothub/pipeline/mqtt_pipeline.py	Adds CSR feature flag + pipeline API to send CSR
azure-iot-device/azure/iot/device/iothub/pipeline/constant.py	Adds CSR feature constant
azure-iot-device/azure/iot/device/iothub/models/certificate_signing_request.py	Adds CSR request/response model objects
azure-iot-device/azure/iot/device/iothub/models/init.py	Exposes CSR request/response models
azure-iot-device/azure/iot/device/iothub/aio/async_clients.py	Adds async client API to send CSR to IoT Hub
azure-iot-device/azure/iot/device/iothub/abstract_clients.py	Adds abstract CSR API for IoTHub clients
azure-iot-device/azure/iot/device/constant.py	Updates API version constants for IoT Hub/DPS

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cartertinney]

Some initial comments about API. As per our discussion, I'll look deeper at implementation.