This article explains how to create or edit a policy within your Azure Device Registry (ADR) namespace to manage an issuing CA signed by your namespace's unique root CA.
Use this workflow if you want ADR to provide a fully managed public key infrastructure (PKI) for your namespace. When a device requests a certificate, the platform returns a full certificate chain consisting of:
- The device certificate: unique to the specific IoT device.
- The issuing CA (ICA): the CA managed by ADR that signs the device's request.
- The namespace root CA: the unique, namespace-level root managed by the credential resource.
Because each namespace has its own root CA, device identities are cryptographically scoped to their namespace: a device certificate issued in one namespace doesn't validate against another namespace's root. This gives you strong tenant isolation and a simplified management experience without an external private PKI.
Important
Azure IoT Hub with ADR integration and Microsoft-backed X.509 certificate management is in public preview and isn't recommended for production workloads. For more information, see the FAQ: What is new in IoT Hub?
In certificate management, a credential manages the namespace-level root CA, and a policy manages the issuing CA that signs device certificates.
Prerequisites
Before you begin, make sure you have:
- An active Azure subscription. If you don't have one, create a free account.
- An existing ADR namespace. For setup steps, see Deploy Azure IoT Hub with ADR integration.
- A configured credential in the ADR namespace. For setup steps, see Configure a credential in Azure Device Registry.
- Permissions to manage policies in the ADR namespace, such as the Azure Device Registry Credentials Contributor role.
Create a policy
You can create a policy by using the Azure portal or the Azure CLI. In this preview workflow, use the Azure portal when you need to change the validity period for an existing policy.
Create a policy by using the Azure portal
Sign in to the Azure portal.
Open your Azure Device Registry namespace.
In the sidebar menu, under Namespace resources, select Credential policies.
Select Create Policy.
In the Basics tab, complete the fields as follows:
- Name: Enter a unique name for your policy. The name must be 3 to 50 alphanumeric characters and can include hyphens (-).
- Validity period (days): Enter the number of days that certificates issued under this policy are valid.
- Select a Root CA for certificates in this policy: Accept the default value, Use this namespace's Microsoft-issued Root CA (Default).
Select Next, then Review + create.
Refresh the Policies list if needed, and verify that the new policy appears.
Edit a policy
Edit an existing policy to update its validity period when security or operational requirements change. The new validity period applies to certificates issued after the change; certificates that were already issued keep their original expiry date.
In the sidebar menu of your ADR namespace, under Namespace resources, select Credential policies.
Select the policy that you want to edit.
On the Overview page, select Edit next to Validity period.
Change the Validity period value.
Select Save.
Refresh the page to verify that the updated validity period appears.
Synchronize the credential
After you create or edit a policy, synchronize the credential so that the new or updated policy is applied.
In the sidebar menu of your ADR namespace, under Namespace resources, select Credential policies.
Select Sync all, and then Yes.
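After the credential is synchronized, a device that requests a certificate under the policy receives the three-certificate chain described at the start of this article. The script below is an added example and is not part of this article or of the ADR tooling: it builds an offline stand-in for that chain with openssl (a constructed namespace root, an issuing CA with pathlen:0, and a device certificate whose lifetime plays the role of the policy's validity period), then runs the checks you would run on a real chain: that the bundle holds three certificates, that the device certificate verifies only against its own namespace root (not against an unrelated root standing in for another namespace), and that the device certificate's expiry matches the validity period configured in the policy. All subjects, lifetimes, file names and the `example-policy` name are assumptions; it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added, constructed example: an offline stand-in for the three-certificate chain
# that an ADR policy returns (namespace root CA -> issuing CA -> device cert),
# built with openssl so the same checks can be rehearsed without an Azure namespace.
# Nothing here calls Azure; every subject, lifetime and file name is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# new_ca NAME SUBJECT DAYS [SIGNER]: a self-signed root when SIGNER is omitted,
# otherwise a subordinate CA signed by SIGNER with pathlen:0 (it can only sign
# end-entity certificates, which is the shape of a policy's issuing CA).
new_ca() {
  name="$1"; subj="$2"; days="$3"; signer="${4:-}"
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$signer" ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days "$days" \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" \
      -CAcreateserial -days "$days" -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# new_device NAME SUBJECT DAYS ICA ROOT: an end-entity certificate signed by ICA.
# DAYS plays the role of the policy's "Validity period (days)". The bundle is
# written in the order the platform returns it: device cert, ICA, namespace root.
new_device() {
  name="$1"; subj="$2"; days="$3"; ica="$4"; root="$5"
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ica.pem" -CAkey "$WORK/$ica.key" \
    -CAcreateserial -days "$days" -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  cat "$WORK/$name.pem" "$WORK/$ica.pem" "$WORK/$root.pem" > "$WORK/$name-chain.pem"
}

# chain_length BUNDLE: number of PEM certificates in a bundle (a full chain has 3).
chain_length() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# chain_links BUNDLE: one subject/issuer pair per certificate, in bundle order,
# so you can see that device -> ICA -> root actually links up.
chain_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain DEVICE ICA ROOT: succeeds only if DEVICE chains to ROOT via ICA.
# Only ROOT is trusted; the ICA is passed as an untrusted intermediate, which is
# how a relying party should treat the middle certificate of the returned chain.
verify_chain() {
  openssl verify -CAfile "$WORK/$3.pem" -untrusted "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# validity_is DEVICE DAYS: succeeds only if DEVICE expires DAYS days from now
# (to within an hour), i.e. the policy's validity period was actually applied.
validity_is() {
  secs=$(( $2 * 86400 ))
  openssl x509 -in "$WORK/$1.pem" -noout -checkend $(( secs - 3600 )) >/dev/null &&
    ! openssl x509 -in "$WORK/$1.pem" -noout -checkend $(( secs + 3600 )) >/dev/null
}

# Constructed PKI: one namespace root, its policy's ICA, a device certificate with
# a 30-day validity period, and an unrelated root standing in for another namespace.
build_demo() {
  new_ca root '/CN=ADR namespace root CA (constructed)' 3650
  new_ca ica '/CN=Issuing CA for policy example-policy (constructed)' 1825 root
  new_device device-001 '/CN=device-001' 30 ica root
  new_ca other-root '/CN=Root CA of some other namespace (constructed)' 3650
}

build_demo
echo "bundle holds $(chain_length "$WORK/device-001-chain.pem") certificates"
chain_links "$WORK/device-001-chain.pem"
verify_chain device-001 ica root && echo "OK: device-001 chains to its namespace root"
verify_chain device-001 ica other-root || echo "OK: device-001 is rejected by another namespace's root"
validity_is device-001 30 && echo "OK: device-001 expires in 30 days, as the policy specifies"
```

To run the same checks against a real chain, split the bundle the device received into its three PEM blocks and point `verify_chain` at them: trust only the namespace root, pass the ICA with `-untrusted`, and compare the device certificate's expiry with the validity period you set in the policy. If you recently edited the validity period, only certificates issued after the edit and the credential sync will reflect the new value.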