Add Certificate Management support over Azure IoT Hub by ewertons · Pull Request #1223 · Azure/azure-iot-sdk-python

ewertons · 2026-02-11T00:35:09Z

Thank you for helping us improve the Azure IoT Python SDK!

Need Support

Have a feature request for SDKs? Please post it on User Voice to help us prioritize
Have a technical question? Please see IoT support options for information on posting questions on Microsoft Q&A and Stack overflow using the "azure-iot-sdk" tag.
Need Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team
Found a bug? Please help us fix it by thoroughly documenting it and filing an issue on GitHub (See below).

Here's a little checklist of things that will help it make its way to the repository: Note that you don't have to check all the boxes, we can help you with that.
This being said, the more you do, the quicker it'll go through our gated build!
-->

Checklist

I have read the contribution guidelines.
I added or modified the existing tests to cover the change (we do not allow our test coverage to go down).
If this is a modification that impacts the behavior of a public API
- I edited the corresponding document in the devdoc folder and added or modified requirements.

Copilot

Pull request overview

Adds end-to-end certificate management support by enabling DPS registration with a CSR (to obtain an issued device cert) and enabling IoT Hub certificate re-issuance over MQTT, along with samples and supporting dev utilities.

Changes:

Extend DPS provisioning pipeline to optionally include a CSR in registration payload and surface the issued certificate chain on the registration result.
Add IoT Hub MQTT support for certificate issuance operations (CSR request/response correlation, topics, client APIs).
Add certificate management samples/docs and dev utility helpers for provisioning service operations.

Reviewed changes

Copilot reviewed 55 out of 410 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
scripts/dps_cert_mgmt/service_api_tokengen.py	Adds a helper script to generate DPS service SAS tokens
scripts/dps_cert_mgmt/device_api_tokengen.py	Adds a helper script to generate DPS device SAS tokens
scripts/create_x509_chain_crypto.py	Adds extra console output during pipeline cert generation
samples/pnp/simple_thermostat.py	Tweaks reboot handler input validation
samples/cert-mgmt/certificate_management.md	New documentation for certificate management sample/config
samples/cert-mgmt/certificate_issuance.py	New sample demonstrating DPS cert issuance + IoT Hub re-issuance
samples/async-hub-scenarios/provision_x509.py	Align env var names with provisioning sample conventions
requirements_test.txt	Adjust test dependencies for provisioning e2e/dev utils
dev_utils/dev_utils/provisioningservice/utils/sastoken.py	Adds SAS token helper for provisioning service client
dev_utils/dev_utils/provisioningservice/utils/connection_string.py	Adds connection string parsing/validation utility
dev_utils/dev_utils/provisioningservice/utils/auth.py	Adds msrest Authentication adapter for connection strings
dev_utils/dev_utils/provisioningservice/utils/init.py	Initializes provisioningservice utils package
dev_utils/dev_utils/provisioningservice/protocol/version.py	Adds API version constant for generated protocol layer
dev_utils/dev_utils/provisioningservice/protocol/models/x509_certificates.py	Generated model for X509Certificates
dev_utils/dev_utils/provisioningservice/protocol/models/x509_certificate_with_info.py	Generated model for X509CertificateWithInfo
dev_utils/dev_utils/provisioningservice/protocol/models/x509_certificate_info.py	Generated model for X509CertificateInfo
dev_utils/dev_utils/provisioningservice/protocol/models/x509_ca_references.py	Generated model for X509CAReferences
dev_utils/dev_utils/provisioningservice/protocol/models/x509_attestation.py	Generated model for X509Attestation
dev_utils/dev_utils/provisioningservice/protocol/models/twin_collection.py	Placeholder/commented generated model for TwinCollection
dev_utils/dev_utils/provisioningservice/protocol/models/tpm_attestation.py	Generated model for TpmAttestation
dev_utils/dev_utils/provisioningservice/protocol/models/symmetric_key_attestation.py	Generated model for SymmetricKeyAttestation
dev_utils/dev_utils/provisioningservice/protocol/models/reprovision_policy.py	Generated model for ReprovisionPolicy
dev_utils/dev_utils/provisioningservice/protocol/models/provisioning_service_error_details.py	Generated error model + exception type
dev_utils/dev_utils/provisioningservice/protocol/models/metadata.py	Generated model for Metadata
dev_utils/dev_utils/provisioningservice/protocol/models/initial_twin_properties.py	Generated model for InitialTwinProperties
dev_utils/dev_utils/provisioningservice/protocol/models/initial_twin.py	Generated model for InitialTwin
dev_utils/dev_utils/provisioningservice/protocol/models/individual_enrollment.py	Generated model for IndividualEnrollment incl. cert issuance policy
dev_utils/dev_utils/provisioningservice/protocol/models/enrollment_group.py	Generated model for EnrollmentGroup incl. cert issuance policy
dev_utils/dev_utils/provisioningservice/protocol/models/device_registration_state.py	Generated model for DeviceRegistrationState
dev_utils/dev_utils/provisioningservice/protocol/models/custom_allocation_definition.py	Generated model for CustomAllocationDefinition
dev_utils/dev_utils/provisioningservice/protocol/models/client_certificate_issuance_policy.py	Generated model for clientCertificateIssuancePolicy
dev_utils/dev_utils/provisioningservice/protocol/models/attestation_mechanism.py	Generated model for AttestationMechanism
dev_utils/dev_utils/provisioningservice/protocol/models/init.py	Exposes generated models via package init
dev_utils/dev_utils/provisioningservice/protocol/init.py	Exposes protocol version
dev_utils/dev_utils/provisioningservice/client.py	Adds provisioning service client based on msrest + generated models
azure-iot-device/azure/iot/device/provisioning/provisioning_device_client.py	Passes CSR through to pipeline register operation
azure-iot-device/azure/iot/device/provisioning/pipeline/pipeline_stages_provisioning.py	Adds CSR to DPS registration payload and maps issued cert chain
azure-iot-device/azure/iot/device/provisioning/pipeline/pipeline_ops_provisioning.py	Extends RegisterOperation with client CSR field
azure-iot-device/azure/iot/device/provisioning/pipeline/mqtt_pipeline.py	Extends pipeline register API to accept CSR
azure-iot-device/azure/iot/device/provisioning/models/registration_result.py	Surfaced issued client certificate chain on registration state
azure-iot-device/azure/iot/device/provisioning/aio/async_provisioning_device_client.py	Async register now passes CSR into pipeline
azure-iot-device/azure/iot/device/provisioning/abstract_provisioning_device_client.py	Adds client_certificate_signing_request property on client
azure-iot-device/azure/iot/device/iothub/sync_clients.py	Adds sync client API to send CSR to IoT Hub and receive response
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_stages_iothub_mqtt.py	Adds MQTT translation for CSR request/response topics
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_stages_iothub.py	Adds request/response correlation stage for CSR operations
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_ops_iothub.py	Adds pipeline operation type for CSR requests
azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_events_iothub.py	Adds pipeline event type for CSR responses
azure-iot-device/azure/iot/device/iothub/pipeline/mqtt_topic_iothub.py	Adds topic helpers for CSR publish/subscribe and parsing
azure-iot-device/azure/iot/device/iothub/pipeline/mqtt_pipeline.py	Adds CSR feature flag + pipeline API to send CSR
azure-iot-device/azure/iot/device/iothub/pipeline/constant.py	Adds CSR feature constant
azure-iot-device/azure/iot/device/iothub/models/certificate_signing_request.py	Adds CSR request/response model objects
azure-iot-device/azure/iot/device/iothub/models/init.py	Exposes CSR request/response models
azure-iot-device/azure/iot/device/iothub/aio/async_clients.py	Adds async client API to send CSR to IoT Hub
azure-iot-device/azure/iot/device/iothub/abstract_clients.py	Adds abstract CSR API for IoTHub clients
azure-iot-device/azure/iot/device/constant.py	Updates API version constants for IoT Hub/DPS

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

dev_utils/dev_utils/provisioningservice/utils/auth.py

samples/cert-mgmt/certificate_issuance.py

samples/pnp/simple_thermostat.py

dev_utils/dev_utils/provisioningservice/protocol/models/twin_collection.py

samples/cert-mgmt/readme.md

cartertinney

Some initial comments about API. As per our discussion, I'll look deeper at implementation.

samples/cert-mgmt/certificate_issuance.py

azure-iot-device/azure/iot/device/iothub/abstract_clients.py

azure-iot-device/azure/iot/device/iothub/models/certificate_signing_request.py

samples/cert-mgmt/readme.md

cartertinney · 2026-03-10T21:35:52Z

azure-iot-device/azure/iot/device/iothub/aio/async_clients.py

+        """
+        Sends a Certificate Signing Request to Azure IoT Hub.
+
+        :param str csr: The base64-encoded certificate signing request.


Is the string really the request? And I don't quite get what replace is. These parameters are much less explicit in name and documentation than any other API.

cartertinney · 2026-03-10T21:38:25Z

azure-iot-device/azure/iot/device/iothub/pipeline/mqtt_topic_iothub.py

    return False


+def get_certificate_signing_response_topic_for_subscribe():


Style nit: this module is organized by subscribe/publish/is_x, not by feature grouping, so these functions should be interspersed as per the existing pattern.

cartertinney · 2026-03-10T21:42:26Z

azure-iot-device/azure/iot/device/iothub/pipeline/pipeline_stages_iothub.py

            super()._run_op(op)
+
+
+class CertificateSigningRequestResponseStage(PipelineStage):


Could you throw a #TODO comment on this class indicating that it should be made more generic in the future?

cartertinney · 2026-03-10T22:00:55Z

tests/e2e/provisioning_e2e/tests/test_async_dps_cert_mgmt.py

+intermediate_common_name = "e2edpscsrintcn"
+intermediate_password = "password123"
+device_common_name = "e2edpscsr" + str(uuid.uuid4())
+device_password = "password123"


Why did we change this stuff? I'm a little concerned any change to fake/mock passwords might retrigger some kind of static analysis freakout since we had to formally define a bunch of these fake passwords as being fake.

Not a huge deal, just wondering.

+1, let's not change this if not needed.

ewertons requested review from avishekpant, cartertinney, Copilot, maximsemenov80 and olivakar February 11, 2026 00:35

Copilot AI reviewed Feb 11, 2026

View reviewed changes

ewertons force-pushed the ewertons/iot-csr-preview branch from bcd2bb8 to 1ff01c1 Compare February 11, 2026 01:02

ewertons and others added 12 commits February 11, 2026 01:37

Partial work for CSR over IoT Hub

8359207

Fix documentation

3c65f26

Implement async version of send_certificate_signing_request

f4f2115

Delete CSR sample for DPS-only, under azure-iot-device

bbbea0c

Several little fixes

8aab8d4

Partial changes to implement CSR/IoT

3b89ed9

Add stages, ops, events for CertificateSigningRequest

f13c63b

Complete CSR functionality

8cdb873

Update code documentation for CSR

c5876b6

Cleanup certificate_issuance.py (#1)

526fd2c

Add reconnection to certificate_issuance.py, cleanup

861ccd4

Update CSR sample and its documentation

340d97a

ewertons force-pushed the ewertons/iot-csr-preview branch from 1ff01c1 to 340d97a Compare February 11, 2026 01:38

Fix use of iothub_csr_data variable

e63dc1d

cartertinney reviewed Feb 11, 2026

View reviewed changes

ewertons added 8 commits March 5, 2026 11:22

Add cert mgmt pipeline yaml

76cea5c

Rename certificate_management.md -> readme.md

401577b

Address CR comments (change env var name)

07179fa

Add credentialPolicyName on enrollment creation requests

7b7b5f3

Remove previous ClientCertificateIssuancePolicy construct

158ee6e

Add env var generation cmdlet, re-enable build and tests

e1beadc

Pass private key password only if defined as a non-empty string

f831984

Adjust Dps service API version for cert mgmt (2021-10-01)

7da5ed4

ewertons added 3 commits March 8, 2026 22:55

Adjust Dps service API version for cert mgmt (try 2025-07-01-preview)

b578023

Add e2e tests for certificate signing request

a171acb

device_client.send_certificate_signing_request to take args directly

bde4ea9

cartertinney reviewed Mar 10, 2026

View reviewed changes

		return False


		def get_certificate_signing_response_topic_for_subscribe():

		super()._run_op(op)


		class CertificateSigningRequestResponseStage(PipelineStage):

Conversation

ewertons commented Feb 11, 2026

Thank you for helping us improve the Azure IoT Python SDK!

Need Support

Checklist

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

cartertinney left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

cartertinney Mar 10, 2026

Choose a reason for hiding this comment

Uh oh!

cartertinney Mar 10, 2026

Choose a reason for hiding this comment

Uh oh!

cartertinney Mar 10, 2026

Choose a reason for hiding this comment

Uh oh!

cartertinney Mar 10, 2026

Choose a reason for hiding this comment

Uh oh!

avishekpant Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants