Azure IoT guidance for DigiCert Global Root G1 trust-store updates in sovereign clouds
At a glance The technology industry is retiring trust in an older root certificate - the DigiCert Global Root G1. As operating systems, firmware images, and CA certificate bundles update over time, some clients may stop trusting this older root. This can affect both your Azure IoT devices and the applications that connect to Azure IoT service APIs. If those devices or application hosts run on Linux or rely on a system trust store that receives periodic updates, this post explains what you might see and the simple steps to stay connected. This guidance is relevant only for a subset of Azure IoT customers using Azure Government (Fairfax) or Azure China (Mooncake) environments, and only if devices or applications adopt operating system, firmware, or trust-store updates that remove trust for the DigiCert Global Root G1 certificate. Azure public cloud customers are not affected because Azure IoT public cloud endpoints already use newer certificate chains. This is a client-side trust-store change, not a security incident, service outage, or certificate expiration event. Scope: Azure public cloud customers are not affected. This guidance applies only to specific Azure Government (Fairfax) and Azure China (Mooncake) scenarios where updated client trust stores no longer trust DigiCert Global Root G1. Could this affect my deployment? For most Azure IoT customers, the answer is no. If you use Azure IoT in the Azure public (commercial) cloud, you are not affected by this change. Azure IoT public cloud endpoints already use newer certificate chains and do not rely on the DigiCert Global Root G1 certificate. This guidance is relevant only for a subset of customers using Azure Government (Fairfax) or Azure China (Mooncake) environments, and only if: Your devices or applications rely on operating system trust stores. You recently applied Linux operating system, firmware, container image, OpenSSL, NSS, or CA certificate bundle updates. You began seeing TLS connectivity or provisioning errors after those updates were installed. If your devices continue to connect normally and you have not observed any TLS-related issues following recent updates, no action is required at this time What should I do? If your devices and applications are connecting normally, no action is required. If you manage Linux-based devices or applications that rely on operating system trust stores, we recommend validating OS, firmware, and CA bundle updates in a test environment before production rollout. If connectivity issues appear following a trust-store update, contact Microsoft Support for assistance. What you may observe After an operating system, firmware, or CA-certificate-bundle update, an affected device or application may show the symptoms below. These typically appear first in test or QA environments, because fleets and application environments usually stage updates before production. Failure to connect to Azure IoT during the TLS handshake. A certificate trust, “untrusted root,” or “unknown CA” error. Telemetry, provisioning, or service-API calls stop, while clients still running the previous trust store keep working normally. Why it could happen Your device or application validates the Azure IoT server certificate against the list of trusted root certificates in its local trust store. As updates remove the older DigiCert Global Root G1 from that store, a client that still expects it may reject the connection - even though the server certificate is valid. The change is on the client side, in the trust store, not in the Azure service. What you should check If you see connectivity or provisioning failures, confirm the following: Was there a recent OS, firmware, or CA-bundle update on the affected devices or application hosts? Do clients still running the previous trust store continue to connect? If so, the cause is a trust-store change. Is the error a certificate or trust error rather than an authentication error? What we recommend A few simple steps keep your devices and applications connected through this change: Validate firmware and OS updates in a test ring before production rollout, the single most effective way to catch trust-store changes early. If clients begin failing after such an update, pause the rollout and, where feasible, roll back the update on the affected device or application host to restore connectivity. Contact Microsoft Support if you see connectivity or provisioning failures following an OS, firmware, or CA-bundle update. Support can confirm the cause and guide you through the appropriate next steps for your configuration. Questions If you have questions, contact Microsoft Support or your Microsoft account team.
Smaller updates, faster downloads with delta updates in Azure Device Update for IoT Hub
Keeping IoT fleets secure and up to date shouldn't mean shipping the full software image to every device, every time. With delta updates in Azure Device Update for IoT Hub, fleet operators can send only what has changed between versions, reducing download size, bandwidth use, and download time on most networks. In our demo below, an incremental change produced a delta ~97% smaller than the full image — a glimpse of what's possible for small, incremental changes. The timing matters. Security patch cadence keeps rising as Common Vulnerabilities and Exposures (CVEs) accumulate, more fleets (like smart meters and remote agricultural sensors) are running over metered networks such as cellular and satellite, and deployments are crossing scales where every megabyte per device adds up. At that point, full-image rollouts stop being a minor inefficiency and become a real cost and reliability problem. As part of a broader Azure IoT investment in more efficient edge-to-cloud data delivery, the new Device Update reference implementation agent 1.3.0 provides delta updates as a starting point that customers can build, validate, and integrate into their own environments. In this post, we'll walk through what delta updates are, how they work, and what else is new in 1.3.0 — including expanded Linux platform support to build on Debian 13 and Ubuntu 24.04, and new device-side visibility for tighter update control and coordination with device operations. Improving over-the-air (OTA) efficiency with delta updates When deploying OTA updates across a fleet, update size directly affects how quickly and efficiently updates move through the system. Traditional full image updates require every device to download the entire software image, even when only a small portion has changed. As deployments scale, this increases bandwidth usage and delivery overhead. Delta updates take a more efficient approach. Rather than transferring a full image each time, devices download a smaller delta artifact and reconstruct the target version locally, reducing the amount of data transferred across the fleet. By sending only what's changed between versions, delta updates improve efficiency in three ways: Less data on the network. Smaller payloads consume less bandwidth per device, and the savings multiply across large fleets. Faster downloads. Smaller artifacts reduce the time each device spends downloading the update, especially on variable or constrained networks. Lower delivery overhead at scale. With less data per rollout, teams can deliver updates more flexibly across large fleets, reducing the need to stagger deployments for bandwidth caps or capacity windows. This approach works particularly well for frequent, incremental changes such as bug fixes or small feature updates. For larger updates where most of the image has changed, or on devices with limited processing capacity, using a full image update may be more practical. How delta updates work Delta updates fit into the same Device Update deployment model you already use for full image updates. What changes is how update content is delivered and applied on the device. When you import an update into Device Update, you include both the full target update and one or more delta artifacts as part of the same update. When that update is deployed, the Device Update agent on each device picks the right path: If a compatible delta is available, the device downloads the delta, reconstructs the full target update locally, and installs it through the standard update workflow. If no compatible delta is available, the device falls back to downloading and installing the full target update. For details on integrating delta updates into your update workflow, see Deploy delta updates to devices. It guides you through generating delta artifacts on your build machine using the DiffGen reference tool, or as part of your image build process, and setting up the right components on the device to apply them. See the impact: Delta updates in action The following demo shows what a typical incremental change looks like with delta updates: a single-file change between image versions produces a 7 MB delta against a 240 MB full image — roughly a 97% reduction in data transferred for that scenario. Across 10,000 devices, that’s about ~2.3 TB less data crossing your network in a single rollout. Savings may vary depending on how much the versions have changed and how quickly the device can rebuild the full image locally, but they compound quickly at fleet scale. For example, a utility company patching firmware across hundreds of thousands of cellular-connected smart meters, or an agricultural operator updating remote field sensors over satellite links, sees carrier data costs drop significantly during each rollout. To bring this to life, the demo below shows what’s possible with delta updates — generating, deploying, and applying them on a Raspberry Pi device using Device Update for IoT Hub. Beyond delta updates: What’s new in the 1.3.0 reference implementation The 1.3.0 reference implementation also includes improvements that strengthen device-side coordination and expand Linux platform support. Coordinate updates with device workloads On many devices, updates run while the device is doing other work, such as handling sensor data, running a local UI, or managing background tasks. Without visibility into update status, device software can trigger conflicting operations or let battery-powered devices enter sleep mid-update. The 1.3.0 reference implementation helps your device software work alongside the update process rather than against it — coordinating with active updates, keeping devices awake through long downloads, and surfacing update status to local applications. A new device-local agent status API makes this possible: applications on the device can see what the Device Update agent is doing at any time, for example, whether an update is in progress. With that visibility you can: Avoid triggering operations that would conflict with an active update Keep battery-powered or low-power devices awake while an update is downloading or installing Surface update status in local applications or user interfaces Diagnose update behavior using local signals. Because the API runs locally, it works even when network connectivity is limited or intermittent. The payoff is fewer disrupted rollouts, more reliable updates across your fleet, and easier troubleshooting when something needs attention. Expanded Linux platform support The 1.3.0 reference implementation now adds Debian 13 and Ubuntu 24.04 to the Linux distributions you can already build on, including Debian 12 and Ubuntu 22.04. That gives you flexibility to work on newer OS versions without changing your existing update workflow. Call to action Ready to see the benefits? Extending and adapting the 1.3.0 reference implementation is a device-side change — existing service-side deployments and configurations stay as they are, so you can move at your own pace. Build from the Device Update for IoT Hub GitHub repository, integrate delta artifact generation into your build pipeline, and run your first delta in your next rollout to measure the bandwidth and download savings across your fleet. Learn more: Device Update for IoT Hub documentation | Microsoft Learn Deploy delta updates with Azure Device Update for IoT Hub | Microsoft Learn We’d love your feedback. Help shape the future of Azure Device Update for IoT Hub at aka.ms/dufeedback.
Azure IoT Hub with ADR (preview): Extending Azure capabilities and certificate management to IoT
Operational excellence in every industry begins by linking the physical world to the digital, enabling organizations to turn raw data from connected assets into actionable insights and real-world improvements. Azure IoT Hub and Azure IoT Operations make this possible by seamlessly integrating data from machines whether on a single factory floor or spread across the globe into a unified platform. Together, they serve as the backbone of connected operations, ensuring that assets, sensors this data is then moved to Microsoft Fabric for real-time analytics and further leveraged by AI agents to drive informed decisions. This approach lets organizations scale efficiently, unifying teams, sites, and systems under the Adaptive Cloud Strategy. It enables use of cloud-native and AI technologies across hybrid, multi-cloud, edge, and IoT environments in a single operational model. Azure IoT Hub empowers organizations to securely and reliably manage connected assets across the globe, providing real-time visibility and control over diverse operations. With proven scalability, broad device support, and robust management tools, IoT Hub delivers a unified platform for developing and operating IoT solutions. Organizations in various industries are using Azure IoT Hub to enhance their operations. In mining, sensors provide real-time safety data and support compliance. Fleet managers track equipment health to boost efficiency and prevent failures, while rail operators use GPS and vibration sensors for precise monitoring and issue detection. Ports utilize conveyor and loading system metrics to optimize scheduling and reduce delays. These examples show how Azure IoT Hub delivers actionable insights, greater safety, and operational efficiency through connected devices. As customers evolve, Azure IoT Hub continues to advance, deepening its integration with the Azure ecosystem and enabling AI-driven, connected operations for the next generation of applications. Today, we’re announcing the public preview of Azure IoT Hub integration with Azure Device Registry bringing IoT devices under the purview of Azure management plane via ARM resource representation and securing them with best-in-class Microsoft-backed X.509 certificate management capabilities. From Connected Devices to Connected Operations Ready-to-use AI platforms are enabling organizations to unlock untapped operational data and gain deeper insights. Organizations are leveraging AI to unify machine and enterprise data, extract actionable insights, and translate them into measurable business gains. They are broadly transitioning from connected devices that simply gather and transmit telemetry, to connected operations which empower supervisors and AI agents to interpret events and respond to scenarios in real time. The integration of Azure IoT Hub with ADR enhancements extends the comprehensive capabilities of Azure to IoT devices. With this integration, Azure Device Registry (ADR) acts as the unified control plane for managing both physical assets from Azure IoT Operations and devices from Azure IoT Hub. It provides a centralized registry, ensuring every entity whether an industrial asset or a connected device is uniquely represented and managed throughout its lifecycle. By integrating with Azure IoT Hub, ADR enables consistent device onboarding, certificate management, and operational visibility at scale. This integration simplifies large-scale IoT fleet management and supports compliance and auditability across diverse deployments. What’s New in this Preview We’re excited to announce the public preview of new capabilities that bring IoT devices into the broader Azure ecosystem. This integration allows IoT to be managed at scale through the Azure management plane. It also strengthens security and enables consistent governance across large deployments: Deep integration with Azure: The Azure Device Registry (ADR) now offers a unified control plane, simplifying identity, security, and policy management for millions of devices. New ADR features make it easier to register, classify, and monitor devices, supporting consistent governance and better operational insights. Combined with Device Provisioning Service (DPS), these enhancements help reduce deployment challenges, speed up time-to-value, and lower operational risks. With IoT Hub integration, IoT Hub devices are represented as Azure resources, providing: One unified registry across multiple IoT Hubs and Azure IoT Operations (AIO) instances. ARM-based management for all Azure resources from cloud to edge. A consolidated view of the entire IoT fleet, simplifying large-scale deployments, monitoring and management. Certificate lifecycle management: Now in public preview, this capability enables secure onboarding and automated certificate rotation for IoT devices, directly integrated with ADR and IoT Hub. X.509 certificates are widely recognized for providing a robust security posture by establishing trusted, cryptographically verifiable device identities. Starting today, customers can use a Microsoft-backed PKI to issue X.509 certificates across their IoT fleets. Devices receive operational certificates that authenticate with IoT Hub, chained to Certificate Authorities (CAs). Policy-driven lifecycle management makes certificate renewal simpler and keeps state in sync with your Hubs. This integration sets the stage for Physical AI by connecting digital and physical systems, thus unlocking new possibilities for data and artificial intelligence. Customer feedback from Private Preview This release has received positive feedback from private preview customers. Particularly the Microsoft-supported PKI and certificate management capabilities, highlighting that previous manual processes were inefficient and fragmented. Customers further noted the advantages of grouping devices from multiple IoT Hubs under a unified namespace, which streamlined management. Moreover, the integration of certificate management within ADR has diminished the reliance on custom solutions. “We were genuinely impressed by how seamless it was to implement. With just a few clicks, clear policy definitions, and two calls in firmware, the entire process became automated, frictionless, and reliable with no external dependencies.” – Uriel Kluk, CTO, Mesh Systems Why It Matters These investments make Azure IoT Hub the cornerstone for connected operations at scale, empowering customers to: Reduce manual cert ops with policy‑driven rotation (fewer outages due to expired certs). Consolidate device registry in ADR for cross‑hub fleet governance. Accelerate compliance audits with centralized certificate lineage. Apply advanced AI tooling for predictive insights and automation. Call to Action Explore the new capabilities in public preview today and start building the next generation of connected operations with Azure IoT Hub and ADR. Learn more on Azure IoT Hub documentationAutomatic IoT Edge Certificate Management with GlobalSign EST
(Republish from Feb 15, 2023) When it comes to managing IoT devices, security is of the utmost importance. But you’d also rest easier if devices are secure without concern about manual certificate management. In this post, we'll show you a solution that streamlines IoT Edge certificate management using GlobalSign's IoT Edge Enroll EST service. An Analogy Think of each IoT Edge device as a new driver, ready to hit the road and communicate with the IoT Hub. And like a new driver, each device needs its own set of credentials that need renewal. Here's how GlobalSign's EST service makes it a breeze: Birth Certificate: During manufacturing, each device is given a unique Initial Device Identifier (IDevID) certificate and private key (ideally, something like Trusted Computing Group’s (TCG) Trusted Platform Module’s (TPM) Endorsement Key (EK) certificates with factory burnt secured hardware backed private keys). This is like the device's birth certificate, proving its identity. Driver's License: When the device connects for the first time, it uses its IDevID to authenticate with GlobalSign for certificate signing request (CSR). In return, GlobalSign provides a short-lived Locally Significant Device Identifier (LDevID) certificate from a trusted root CA. This LDevID acts as the device's driver's license, allowing it to operate for some time. The LDevID serves as the device's unique identifier in IoT Hub, registered through Device Provisioning Service (DPS). Automatic Renewal: To make sure your devices never lose their communication privileges, IoT Edge automatically renews the LDevID certificates before expiration. Like a driver license renewal, but automated! By using GlobalSign's EST service, you can enjoy secure certificate management for your IoT Edge devices. It's like having a personal assistant renewing your driver's license for you. Give it a try to start streamlining your IoT Edge certificate management. Prerequisites An IoT hub and Device Provisioning Service linked to it. A GlobalSign demo account: Sign up for Test Your Azure IoT Edge PoC with live device certificates from GlobalSign's IoT Edge Enroll. You'll receive an email with details for your EST server endpoint within a few days, including three endpoints (IDevID, LDevID, and Edge CA). Reply to the GlobalSign contact and ask to: Enable X.509 authentication (mTLS) for both the LDevID and the Edge CA endpoints Turn off “re-enrollment forcing” (the default behavior with GlobalSign IoT Edge Enroll is that it notices that a previously issued certificate was presented and "upgrade" the request to the reenrollment workflow. This overrides the subject CN to be the same as the previously issued certificate. Typically, customers would use a separate CA for the bootstrap/idevid, so in practice this outcome usually wouldn't be seen. But for simplicity of this post, it’s easier to ask GlobalSign to respect the certificate signing request (CSR) and not perform the “upgrade”). Linux machine, VM, or device with IoT Edge installed: Don't provision the IoT Edge device identity. Create the IDevID In this section, we create the IDevID certificate, which serves as the device's birth certificate. It’s a one-time process that occurs during device manufacturing, and ensures that the initial secret value for first-time authentication to GlobalSign never leaves the factory. Later, when the device wakes up, it will use the IDevID certificate to get a driver's license, or the LDevID certificate. On your local machine or SSH into the IoT Edge device, create directories to store certificates and private keys for IoT Edge and assign ownership of these directories to the "aziotcs" certificate service and "aziotks" key service. sudo mkdir -p /var/aziot/secrets sudo mkdir /var/aziot/certs -p Retrieve the GlobalSign demo root CA certificate with curl and convert it to PEM format using openssl. This certificate serves as the common root of trust between IoT Edge, GlobalSign, and DPS (and thus IoT Hub). curl https://<YOUR-IDEVID-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/cacerts| openssl base64 -d | openssl pkcs7 -inform DER -outform PEM -print_certs | openssl x509 -out globalsign-root.cert.pem Use openssl to create a new private key and certificate signing request (CSR). openssl req -nodes -new -subj /CN=IDevID -sha256 -keyout IDevID.key.pem -out IDevID.csr Send the CSR to GlobalSign's simple enroll EST endpoint using curl, to obtain the IDevID certificate that is signed with the root CA and paired with the private key created earlier. curl -X POST --data-binary "@IDevID.csr" -H "Content-Transfer-Encoding:base64" -H "Secret-Value: <YOUR-SECRET-VALUE>" -H "Content-Type:application/pkcs10" https://<YOUR-IDEVID-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/simpleenroll | openssl base64 -d | openssl pkcs7 -inform DER -outform PEM -print_certs | openssl x509 -out IDevID.cert.pem Move the certificates and private keys to the directories you created earlier, and give the IoT Edge certificate and key services the appropriate permissions to the PEM files and directories. sudo cp *cert.pem /var/aziot/certs sudo cp *key.pem /var/aziot/secrets sudo chown aziotcs:aziotcs /var/aziot/certs/*.cert.pem sudo chmod 644 /var/aziot/certs/*.cert.pem sudo chown aziotks:aziotks /var/aziot/secrets/*.key.pem sudo chmod 600 /var/aziot/secrets/*.key.pem sudo chown aziotcs:aziotcs /var/aziot/certs sudo chmod 755 /var/aziot/certs sudo chown aziotks:aziotks /var/aziot/secrets sudo chmod 700 /var/aziot/secrets Use the ls command to verify that the files are in place with the proper permissions and match the expected values. $ sudo ls -lR /var/aziot /var/aziot: total 8 drwxr-xr-x 2 aziotcs aziotcs 4096 Jan 11 14:38 certs drwx------ 2 aziotks aziotks 4096 Jan 11 14:38 secrets /var/aziot/certs: total 8 -rw-r--r-- 1 aziotcs aziotcs 1298 Jan 11 14:38 IDevID.cert.pem -rw-r--r-- 1 aziotcs aziotcs 1383 Jan 11 14:38 globalsign-root.cert.pem /var/aziot/secrets: total 4 -rw------- 1 aziotks aziotks 1704 Jan 11 14:38 IDevID.key.pem Prepare DPS for provisioning Here's how to get DPS ready for device provisioning: If you haven’t already done so, create an IoT hub and DPS, then link them together. Go to the DPS instance in Azure portal, then select Certificates > Add. In the pop-up, select your GlobalSign EST root CA certificate. You can use SFTP, VS Code Remote Extension to copy it from the IoT Edge device, or use curl to get it again. Select Set certificate status to verified on upload so that you can skip proof-of-possession. Click Save. Create a DPS enrollment group. Make sure attestation type is set to Certificate, IoT Edge device is set to True, certificate type is set to CA Certificate, and the root CA you just uploaded is set as the Primary Certificate. Now, your DPS is ready to provision the IoT Edge device when it wakes up, using the root CA certificate as the trusted source of authentication. Configure and start the IoT Edge device In this section, we set up the IoT Edge device with its birth certificate (IDevID) to communicate with the GlobalSign EST server and receive its driver license (LDevID). The LDevID allows the device to talk to DPS and get the proper authorization for communication with IoT Hub. On the IoT Edge device, create a config file config.toml. Replace marked parameters with details from your GlobalSign account and DPS. # The CA cert of the demo root we got from earlier [cert_issuance.est] trusted_certs = ["file:///var/aziot/certs/globalsign-root.cert.pem"] # Empty because the LDevID (device ID) and Edge CA endpoints are different [cert_issuance.est.urls] # Use the IDevID cert and private key for authentication to EST [cert_issuance.est.auth] identity_cert = "file:///var/aziot/certs/IDevID.cert.pem" identity_pk = "file:///var/aziot/secrets/IDevID.key.pem" # DPS provisioning with X.509 certificate # Replace with ID Scope from your DPS [provisioning] source = "dps" global_endpoint = "https://global.azure-devices-provisioning.net" id_scope = "<DPS-ID-SCOPE e.g 0AB12345678>" [provisioning.attestation] method = "x509" registration_id = "my-device-id" # Get LDevID (device ID) cert from EST with auto renew [provisioning.attestation.identity_cert] method = "est" common_name = "my-device-id" url = "https://<YOUR-LDEVID-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/" [provisioning.attestation.identity_cert.auto_renew] threshold = "80%" retry = "4%" # Get Edge CA from EST also with auto renew [edge_ca] method = "est" url = "https://<YOUR-EDGE-CA-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/" [edge_ca.auto_renew] threshold = "80%" retry = "4%" Copy the file over as root and apply configuration with iotedge config apply. This also starts the IoT Edge device. sudo cp config.toml /etc/aziot/config.toml sudo iotedge config apply Verify that the configuration was successful by using the iotedge check command. You should see successful checks on the connection with DPS and the status of certificates and keys. You can also check in your DPS Enrollment Group > Registration Records or IoT Hub to see that the IoT Edge device is registered (shown below). Note: if you haven’t configured an IoT Edge deployment, you might see an error about edgeHub container being missing in iotedge check and a 417 in IoT Hub. That’s normal until you add the deployment via Set modules. On the device, check the new certificates from the EST server. In the "/var/lib/aziot/certd/certs" directory, you should see three different certificates starting with "estid", "aziotedgeca", and "deviceid". Use OpenSSL to inspect them. Note: the certificate names are randomly generated, use "ls" to find their names and paste them into the OpenSSL command. sudo ls /var/lib/aziot/certd/certs sudo openssl x509 -text -in /var/lib/aziot/certd/certs/estid-<GUID>.cer sudo openssl x509 -text -in /var/lib/aziot/certd/certs/aziotedgedca-<GUID>.cer sudo openssl x509 -text -in /var/lib/aziot/certd/certs/deviceid-<GUID>.cer sudo openssl x509 -in /var/aziot/certs/IDevID.cert.pem -text | head -n 10 That’s it! When the time (80% to expiration) comes, IoT Edge will automatically renew both the device ID and the Edge CA certificates without manual intervention. Simplify IoT Edge Security This blog showed how to configure IoT Edge devices for secure communication using X.509 certificates without the need for manual certificate management. By using this approach, organizations can securely and efficiently manage their IoT Edge devices at scale, streamlining device enrollment and reducing the risk of security breaches. To adapt the example to fit your needs, consider the following: Security level: Your security requirements may vary based on your use case. Consider whether a unique IDevID certificate per device is necessary or if sharing the same certificate among multiple devices is acceptable. It's important to never store the initial EST secret value on the device in plaintext. Comprehensive security: For a more robust security approach, refer to The blueprint to securely solve the elusive zero-touch provisioning of IoT devices at scale | Azure. Dev/test scenarios: IoT Edge also supports basic authentication (username/password) for EST servers. To Restart If you need to restart midway through, stop the IoT Edge service first, delete any certificates and keys that were generated, reapply the config, and restart IoT Edge. sudo iotedge system stop sudo sh -c "rm /var/lib/aziot/certd/certs/*" sudo sh -c "rm /var/lib/aziot/keyd/keys/*" sudo cp config.toml /etc/aziot/config.toml sudo iotedge config apply sudo iotedge system logs -- -f
