Azure IoT Edge: How to Set Force No Passwords in Config

When setting up Azure IoT Edge, you will most likely want to use an external config file. If you run iotedgectl setup with the --config-file option and don’t want to force passwords with the --auto-cert-gen-force-no-passwords option, you will get the following message:

```
INFO: Generating self signed certificates at: C:\ProgramData\azure-iot-edge\certs

You are being prompted to enter a passphrase for the Edge Device private key.

To prevent this prompt from appearing, enter the passphrase via the command
line options --device-ca-passphrase or --device-ca-passphrase-file.
- If you choose not to supply any passphrases, use command line option
- If using --config-file to setup the runtime, setup the input file
with the same options described above.
Press CTRL-C at anytime to exit.
Please enter the Edge Device private key passphrase. Length should be >= 4 and <= 1023:
```

The message doesn’t tell you exactly what you need to do to get around this.

Here’s what you need to do:

  1. Open your config file. See example here
  2. Find the security.certificates.selfSigned.forceNoPasswords setting and set it to true
  3. Re-run iotedgectl setup

```json
{
  "deployment": {
    "docker": {
      "edgeRuntimeImage": "[[enter ACR URI]]/azureiotedge-agent:1.0-preview",
      "loggingOptions": {
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "10m"
        }
      },
      "registries": [
        {
          "address": "[[enter ACR URI]]",
          "password": "[[enter ACR password]]",
          "username": "[[enter ACR username]]"
        }
      ],
      "uri": "unix:///var/run/docker.sock"
    },
    "type": "docker"
  },
  "deviceConnectionString": "[[enter device connection string]]",
  "homeDir": "C:\\ProgramData\\azure-iot-edge",
  "hostName": "[[enter hostname]]",
  "logLevel": "info",
  "schemaVersion": "1",
  "security": {
    "certificates": {
      "option": "selfSigned",
      "preInstalled": {
        "deviceCACertificateFilePath": "",
        "serverCertificateFilePath": ""
      },
      "selfSigned": {
        "forceNoPasswords": true,
        "forceRegenerate": false
      }
    }
  }
}
```
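
The steps above can be scripted and checked before re-running setup. The following is an added example, not code from this post or from iotedgectl: the function names are hypothetical, the sample config is constructed, and treating `password` and `deviceConnectionString` as the secret-bearing keys is this example's assumption. It sets the flag on a copy of the config and lists what to check in the file: the private key without a passphrase, unfilled `[[enter ...]]` placeholders, and secrets stored in plain text.

```python
import copy
import json
import re

PLACEHOLDER = re.compile(r"\[\[.*?\]\]")  # unfilled "[[enter ...]]" template values
SECRET_KEYS = ("password", "deviceConnectionString")  # assumption: treated as secrets
# Constructed sample, trimmed from the config layout shown on this page.
SAMPLE = json.loads(r'''{
  "deployment": {"docker": {"registries": [{"address": "[[enter ACR URI]]",
    "password": "constructed-secret", "username": "edge"}]}, "type": "docker"},
  "deviceConnectionString": "[[enter device connection string]]",
  "homeDir": "C:\\ProgramData\\azure-iot-edge",
  "security": {"certificates": {"option": "selfSigned",
    "selfSigned": {"forceNoPasswords": false, "forceRegenerate": false}}}
}''')


def force_no_passwords(config):
    """Return a copy with security.certificates.selfSigned.forceNoPasswords set to true."""
    updated = copy.deepcopy(config)
    certs = updated.setdefault("security", {}).setdefault("certificates", {})
    certs.setdefault("selfSigned", {})["forceNoPasswords"] = True
    return updated


def walk(node, path=""):
    """Yield (dotted_path, value) for every string leaf in the config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def review(config):
    """List things to check before handing the file to iotedgectl setup."""
    findings = []
    certs = config.get("security", {}).get("certificates", {})
    if certs.get("option") == "selfSigned" and certs.get("selfSigned", {}).get("forceNoPasswords"):
        findings.append("security.certificates.selfSigned: private key has no passphrase")
    for path, value in walk(config):
        if PLACEHOLDER.search(value):
            findings.append(f"{path}: template placeholder not filled in")
        elif value and path.split(".")[-1] in SECRET_KEYS:
            findings.append(f"{path}: secret stored in plain text")
    return findings
```

To use it on a real file, pass the result of `json.load` on your config to `review` and write the output of `force_no_passwords` back with `json.dump`.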