A mechanism for secure enrollment of devices with a cloud platform is provided. This serves as a foundation for securing devices, such as edge computing and internet-of-things gateways, that can be provisioned and managed from the cloud. A public key infrastructure mechanism is provided for enrollment that is split into three phases. The first and second phases of the secure enrollment process authenticate the device and ensure that the device is within agreed to manufacturing limits for the device manufacturer. The third phase of the secure enrollment process provides a long-term operating certification to the device for cloud resource access.