Create and provision an IoT Edge device using X.509 certificates

With the Azure IoT Hub Device Provisioning Service (DPS), you can automatically provision IoT Edge devices using X.509 certificates. If you're unfamiliar with the process of auto-provisioning, review the auto-provisioning concepts before continuing.

This article shows you how to create a Device Provisioning Service enrollment using X.509 certificates on an IoT Edge device with the following steps:

  • Generate certificates and keys.
  • Create either an individual enrollment for a device, or a group enrollment for a set of devices.
  • Install the IoT Edge runtime and register the device with IoT Hub.

Using X.509 certificates as an attestation mechanism is an excellent way to scale production and simplify device provisioning. Typically, X.509 certificates are arranged in a certificate chain of trust. Starting with a self-signed or trusted root certificate, each certificate in the chain signs the next lower certificate. This pattern creates a delegated chain of trust from the root certificate down through each intermediate certificate to the final "leaf" certificate installed on a device.

Prerequisites

  • An active IoT Hub.
  • A physical or virtual device to be the IoT Edge device.
  • The latest version of Git installed.
  • An instance of the IoT Hub Device Provisioning Service in Azure, linked to your IoT hub.
    • If you don't have a Device Provisioning Service instance, follow the instructions in Set up the IoT Hub DPS.
    • After you have the Device Provisioning Service running, copy the value of ID Scope from the overview page. You use this value when you configure the IoT Edge runtime.

Generate device identity certificates

The device identity certificate is a leaf certificate that connects through a certificate chain of trust to the top X.509 certificate authority (CA) certificate. The device identity certificate must have its common name (CN) set to the device ID that you want the device to have in your IoT hub.

Device identity certificates are only used for provisioning the IoT Edge device and authenticating the device with Azure IoT Hub. They aren't signing certificates, unlike the CA certificates that the IoT Edge device presents to modules or leaf devices for verification. For more information, see Azure IoT Edge certificate usage detail.

After you create the device identity certificate, you should have two files: a .cer or .pem file that contains the public portion of the certificate, and a .cer or .pem file with the private key of the certificate. If you plan to use group enrollment in DPS, you also need the public portion of an intermediate or root CA certificate in the same certificate chain of trust.

You need the following files to set up automatic provisioning with X.509:

  • The device identity certificate and its private key certificate. The device identity certificate is uploaded to DPS if you create an individual enrollment. The private key is passed to the IoT Edge runtime.
  • A full chain certificate, which should have at least the device identity and the intermediate certificates in it. The full chain certificate is passed to the IoT Edge runtime.
  • An intermediate or root CA certificate from the certificate chain of trust. This certificate is uploaded to DPS if you create a group enrollment.

Note

Currently, a limitation in libiothsm prevents the use of certificates that expire on or after January 1, 2050.

Use test certificates

If you don't have a certificate authority available to create new identity certs and want to try out this scenario, the Azure IoT Edge git repository contains scripts that you can use to generate test certificates. These certificates are designed for development testing only, and must not be used in production.

To create test certificates, follow the steps in Create demo certificates to test IoT Edge device features. Complete the two required sections to set up the certificate generation scripts and to create a root CA certificate. Then, follow the steps to create a device identity certificate. When you're finished, you should have the following certificate chain and key pair:

Linux:

  • <WRKDIR>/certs/iot-edge-device-identity-<name>-full-chain.cert.pem
  • <WRKDIR>/private/iot-edge-device-identity-<name>.key.pem

Windows:

  • <WRKDIR>\certs\iot-edge-device-identity-<name>-full-chain.cert.pem
  • <WRKDIR>\private\iot-edge-device-identity-<name>.key.pem

You need both these certificates on the IoT Edge device. If you're going to use individual enrollment in DPS, then you will upload the .cert.pem file. If you're going to use group enrollment in DPS, then you also need an intermediate or root CA certificate in the same certificate chain of trust to upload. If you're using demo certs, use the <WRKDIR>\certs\azure-iot-test-only.root.ca.cert.pem certificate for group enrollment.
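The following pre-flight check is an added example, not part of the original article or the IoT Edge repository. Using the openssl CLI, it tests the properties this article requires of the identity files: at least two certificates in the full chain, a leaf CN equal to the intended registration ID, expiry before 2050, and a key that matches the leaf. The function names, the `--demo` switch and the constructed throwaway chain are this example's own, and it assumes the leaf certificate comes first in the full chain file.

```sh
#!/bin/sh
# Pre-flight checks on a device identity chain and key before they are referenced
# from config.yaml. Prints one line per failed check; returns 0 only if all pass.
# Usage: preflight_identity <full-chain.pem> <key.pem> [expected registration ID]
preflight_identity() {
    chain=$1; key=$2; want_id=${3:-}; rc=0

    # The full chain should hold at least the device identity and one CA certificate.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$chain" || true)
    [ "${n:-0}" -ge 2 ] || { echo "FAIL chain: ${n:-0} certificate(s), need at least 2"; rc=1; }

    # The public chain file must not carry key material.
    if grep -q 'PRIVATE KEY-----' "$chain"; then
        echo "FAIL chain: file contains a private key"; rc=1
    fi

    # openssl x509 reads the first certificate in the file (assumed to be the leaf).
    # Its CN becomes the registration ID when registration_id stays commented out.
    cn=$(openssl x509 -in "$chain" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ -n "$want_id" ] && [ "$cn" != "$want_id" ]; then
        echo "FAIL cn: '$cn' does not match '$want_id'"; rc=1
    fi

    # libiothsm limitation: certificates expiring on or after January 1, 2050 fail.
    year=$(openssl x509 -in "$chain" -noout -enddate | awk '{print $(NF-1)}')
    [ "${year:-9999}" -lt 2050 ] || { echo "FAIL expiry: notAfter year ${year:-unknown}"; rc=1; }

    # The key passed to the runtime must be the private half of the leaf's public key.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL key: private key does not match the leaf certificate"; rc=1
    fi
    return $rc
}

# Constructed throwaway root and leaf (not the repository's test certificates),
# so the checks can be tried offline: make_demo_chain <dir> <leaf CN> <days valid>
make_demo_chain() {
    dir=$1; leaf_cn=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed demo root" \
        -keyout "$dir/root.key.pem" -out "$dir/root.cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$leaf_cn" \
        -keyout "$dir/leaf.key.pem" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.cert.pem" -CAkey "$dir/root.key.pem" \
        -CAcreateserial -days "$days" -out "$dir/leaf.cert.pem" 2>/dev/null &&
    cat "$dir/leaf.cert.pem" "$dir/root.cert.pem" > "$dir/full-chain.cert.pem"
}

# Optional self-demonstration on the constructed chain.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_demo_chain "$tmp" "edge-device-01" 30 &&
        preflight_identity "$tmp/full-chain.cert.pem" "$tmp/leaf.key.pem" "edge-device-01" &&
        echo "all checks passed"
fi
```

Run it against the real files with the device ID you intend to register; a non-zero exit status means at least one requirement from this article is not met.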

Create a DPS individual enrollment

Use your generated certificates and keys to create an individual enrollment in DPS for a single IoT Edge device. Individual enrollments take the public portion of a device's identity certificate and match that to the certificate on the device.

If you're looking to provision multiple IoT Edge devices, follow the steps in the next section, Create a DPS group enrollment.

When you create an enrollment in DPS, you have the opportunity to declare an Initial Device Twin State. In the device twin, you can set tags to group devices by any metric you need in your solution, like region, environment, location, or device type. These tags are used to create automatic deployments.

For more information about enrollments in the Device Provisioning Service, see How to manage device enrollments.

Tip

In the Azure CLI, you can create an enrollment or an enrollment group and use the edge-enabled flag to specify that a device, or group of devices, is an IoT Edge device.

  1. In the Azure portal, navigate to your instance of IoT Hub Device Provisioning Service.

  2. Under Settings, select Manage enrollments.

  3. Select Add individual enrollment then complete the following steps to configure the enrollment:

    • Mechanism: Select X.509.

    • Primary Certificate .pem or .cer file: Upload the public file from the device identity certificate. If you used the scripts to generate a test certificate, choose the following file:

      <WRKDIR>/certs/iot-edge-device-identity-<name>.cert.pem

    • IoT Hub Device ID: Provide an ID for your device if you'd like. You can use device IDs to target an individual device for module deployment. If you don't provide a device ID, the common name (CN) in the X.509 certificate is used.

    • IoT Edge device: Select True to declare that the enrollment is for an IoT Edge device.

    • Select the IoT hubs this device can be assigned to: Choose the linked IoT hub that you want to connect your device to. You can choose multiple hubs, and the device will be assigned to one of them according to the selected allocation policy.

    • Initial Device Twin State: Add a tag value to be added to the device twin if you'd like. You can use tags to target groups of devices for automatic deployment. For example:

      {
          "tags": {
             "environment": "test"
          },
          "properties": {
             "desired": {}
          }
      }
      
  4. Select Save.

Now that an enrollment exists for this device, the IoT Edge runtime can automatically provision the device during installation. Continue to the Install the IoT Edge runtime section to set up your IoT Edge device.

Create a DPS group enrollment

Use your generated certificates and keys to create a group enrollment in DPS for multiple IoT Edge devices. Group enrollments use an intermediate or root CA certificate from the certificate chain of trust used to generate the individual device identity certificates.

If you're looking to provision a single IoT Edge device instead, follow the steps in the previous section, Create a DPS individual enrollment.

When you create an enrollment in DPS, you have the opportunity to declare an Initial Device Twin State. In the device twin, you can set tags to group devices by any metric you need in your solution, like region, environment, location, or device type. These tags are used to create automatic deployments.

Verify your root certificate

When you create an enrollment group, you have the option of using a verified certificate. You can verify a certificate with DPS by proving that you have ownership of the root certificate. For more information, see How to do proof-of-possession for X.509 CA certificates.

  1. In the Azure portal, navigate to your instance of IoT Hub Device Provisioning Service.

  2. Select Certificates from the left-hand menu.

  3. Select Add to add a new certificate.

  4. Enter a friendly name for your certificate, then browse to the .cer or .pem file that represents the public part of your X.509 certificate.

    If you're using the demo certificates, upload the <wrkdir>/certs/azure-iot-test-only.root.ca.cert.pem certificate.

  5. Select Save.

  6. Your certificate should now be listed on the Certificates page. Select it to open the certificate details.

  7. Select Generate Verification Code then copy the generated code.

  8. Whether you brought your own CA certificate or are using the demo certificates, you can use the verification tool provided in the IoT Edge repository to verify proof of possession. The verification tool uses your CA certificate to sign a new certificate that has the provided verification code as the subject name.

    • Windows:

      New-CACertsVerificationCert "<verification code>"
      
    • Linux:

      ./certGen.sh create_verification_certificate <verification code>
      
  9. In the same certificate details page in the Azure portal, upload the newly generated verification certificate.

  10. Select Verify.
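What step 8 describes, written out with the openssl CLI as an added example (this is not the repository's verification tool): the CA private key signs a short-lived certificate whose subject CN is the verification code, and a local check confirms the two things the proof relies on before upload. The function names and output file names are this example's own, and the check assumes the uploaded CA is a self-signed root.

```sh
#!/bin/sh
# Sign a proof-of-possession certificate whose subject CN is the DPS verification code.
# Usage: make_verification_cert <ca.cert.pem> <ca.key.pem> <verification code> <out dir>
# File names under <out dir> are this example's own choice.
make_verification_cert() {
    ca_cert=$1; ca_key=$2; code=$3; out=$4

    # Fresh key pair and CSR; the CN carries the verification code.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$code" \
        -keyout "$out/verification.key.pem" -out "$out/verification.csr" 2>/dev/null || return 1

    # Signing with the CA private key is the actual proof of possession.
    openssl x509 -req -in "$out/verification.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -CAserial "$out/ca.srl" -CAcreateserial -days 1 \
        -out "$out/verification.cert.pem" 2>/dev/null || return 1

    # The throwaway key and CSR are not needed once the certificate is signed.
    rm -f "$out/verification.key.pem" "$out/verification.csr" "$out/ca.srl"
}

# Local re-check before upload: the certificate chains to the CA that was
# uploaded, and its CN equals the verification code.
# Usage: check_verification_cert <ca.cert.pem> <verification.cert.pem> <verification code>
check_verification_cert() {
    ca_cert=$1; cert=$2; code=$3
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$code" ]
}
```

Only `verification.cert.pem` is uploaded in step 9; the CA private key never leaves the machine that holds it.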

Create enrollment group

For more information about enrollments in the Device Provisioning Service, see How to manage device enrollments.

  1. In the Azure portal, navigate to your instance of IoT Hub Device Provisioning Service.

  2. Under Settings, select Manage enrollments.

  3. Select Add enrollment group then complete the following steps to configure the enrollment:

    • Group name: Provide a memorable name for this group enrollment.

    • Attestation Type: Select Certificate.

    • IoT Edge device: Select True. For a group enrollment, all devices must be IoT Edge devices or none of them can be.

    • Certificate Type: Select CA Certificate if you have a verified CA certificate stored with DPS, or Intermediate Certificate if you want to upload a new file for just this enrollment.

    • Primary certificate: If you chose CA certificate in the last section, choose your certificate from the dropdown list. If you chose intermediate certificate, upload the public file from a CA certificate in the certificate chain of trust that was used to generate the device identity certificates.

    • Select the IoT hubs this device can be assigned to: Choose the linked IoT hub that you want to connect your device to. You can choose multiple hubs, and the device will be assigned to one of them according to the selected allocation policy.

    • Initial Device Twin State: Add a tag value to be added to the device twin if you'd like. You can use tags to target groups of devices for automatic deployment. For example:

      {
          "tags": {
             "environment": "test"
          },
          "properties": {
             "desired": {}
          }
      }
      
  4. Select Save.

Now that an enrollment exists for this device, the IoT Edge runtime can automatically provision the device during installation. Continue to the next section to set up your IoT Edge device.

Install the IoT Edge runtime

The IoT Edge runtime is deployed on all IoT Edge devices. Its components run in containers, and allow you to deploy additional containers to the device so that you can run code at the edge.

X.509 provisioning with DPS is only supported in IoT Edge version 1.0.9 or newer.

You'll need the following information when provisioning your device:

  • The DPS ID Scope value. You can retrieve this value from the overview page of your DPS instance in the Azure portal.
  • The device identity certificate chain file on the device.
  • The device identity key file on the device.
  • An optional registration ID (pulled from the common name in the device identity certificate if not supplied).

Linux device

Use the following link to install the Azure IoT Edge runtime on your device, using the commands appropriate for your device's architecture. When you get to the section on configuring the security daemon, configure the IoT Edge runtime for X.509 automatic, not manual, provisioning. You should have all the information and certificate files that you need after completing the previous sections of this article.

Install the Azure IoT Edge runtime on Linux

When you add the X.509 certificate and key information to the config.yaml file, the paths should be provided as file URIs. For example:

  • file:///<path>/identity_certificate_chain.pem
  • file:///<path>/identity_key.pem

The section in the configuration file for X.509 automatic provisioning looks like this:

# DPS X.509 provisioning configuration
provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.cn"
  scope_id: "<SCOPE_ID>"
  attestation:
    method: "x509"
#   registration_id: "<OPTIONAL REGISTRATION ID. LEAVE COMMENTED OUT TO REGISTER WITH CN OF identity_cert>"
    identity_cert: "<REQUIRED URI TO DEVICE IDENTITY CERTIFICATE>"
    identity_pk: "<REQUIRED URI TO DEVICE IDENTITY PRIVATE KEY>"

Replace the placeholder values for scope_id, identity_cert, identity_pk with the scope ID from your DPS instance, and the URIs to the cert chain and key file locations on your device. Provide a registration_id for the device if you want, or leave this line commented out to register the device with the CN name of the identity certificate.

Always restart the security daemon after updating the config.yaml file.

sudo systemctl restart iotedge

Windows device

Install the IoT Edge runtime on the device for which you generated the identity certificate chain and identity key. You'll configure the IoT Edge runtime for automatic, not manual, provisioning.

For more detailed information about installing IoT Edge on Windows, including prerequisites and instructions for tasks like managing containers and updating IoT Edge, see Install the Azure IoT Edge runtime on Windows.

  1. Open a PowerShell window in administrator mode. Be sure to use an AMD64 session of PowerShell when installing IoT Edge, not PowerShell (x86).

  2. The Deploy-IoTEdge command checks that your Windows machine is on a supported version, turns on the containers feature, and then downloads the moby runtime and the IoT Edge runtime. The command defaults to using Windows containers.

    . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; `
    Deploy-IoTEdge
    
  3. At this point, IoT Core devices may restart automatically. Other Windows 10 or Windows Server devices may prompt you to restart. If so, restart your device now. Once your device is ready, run PowerShell as an administrator again.

  4. The Initialize-IoTEdge command configures the IoT Edge runtime on your machine. The command defaults to manual provisioning unless you use the -Dps flag to use automatic provisioning.

    Replace the placeholder values for {scope ID}, {identity cert chain path}, and {identity key path} with the appropriate values from your DPS instance and the file paths on your device. If you want to specify the registration ID, include -RegistrationId {registration_id} as well, replacing the placeholder as appropriate.

    . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; `
    Initialize-IoTEdge -Dps -ScopeId {scope ID} -X509IdentityCertificate {identity cert chain path} -X509IdentityPrivateKey {identity key path}
    

    Tip

    The config.yaml file stores your certificate and key information as file URIs. However, the Initialize-IoTEdge command handles this formatting step for you, so you can provide the absolute path to the certificate and key files on your device.

Verify successful installation

If the runtime started successfully, you can go into your IoT Hub and start deploying IoT Edge modules to your device.

You can verify that the individual enrollment that you created in Device Provisioning Service was used. Navigate to your Device Provisioning Service instance in the Azure portal. Open the enrollment details for the individual enrollment that you created. Notice that the status of the enrollment is assigned and the device ID is listed.

Use the following commands on your device to verify that the runtime installed and started successfully.

Linux device

Check the status of the IoT Edge service.

systemctl status iotedge

Examine service logs.

journalctl -u iotedge --no-pager --no-full

List running modules.

iotedge list

Windows device

Check the status of the IoT Edge service.

Get-Service iotedge

Examine service logs.

. {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; Get-IoTEdgeLog

List running modules.

iotedge list

Next steps

The Device Provisioning Service enrollment process lets you set the device ID and device twin tags at the same time as you provision the new device. You can use those values to target individual devices or groups of devices using automatic device management. Learn how to Deploy and monitor IoT Edge modules at scale using the Azure portal or using Azure CLI.