Set up Azure IoT Central to work with Azure Sphere
This topic documents the steps to set up Azure IoT Central to work with Azure Sphere.
After you have completed the tasks in this topic, any device that is claimed into your Azure Sphere tenant is automatically authenticated when it first connects to your Azure IoT Central application. Therefore, you only need to complete these steps once.
Before you begin
The steps in this section assume that:
- Your Azure Sphere device is connected to your PC by USB.
- You have an Azure subscription.
Overview
Setting up Azure IoT Central to work with Azure Sphere devices requires a multi-step process:
- Create an Azure IoT Central application.
- Download the authentication CA certificate for your Azure Sphere tenant from the Azure Sphere Security Service.
- Upload the CA certificate to Azure IoT Central to tell it that you own all devices whose certificates are signed by this CA. In return, Azure IoT Central returns a verification code.
- Generate and download a validation certificate from the Azure Sphere Security Service, which signs the verification code.
- Upload the validation certificate to prove to Azure IoT Central that you own the CA.
Step 1. Create an Azure IoT Central application
Sign in to Azure IoT Central with your Azure credentials.
If you do not already have an application, follow the steps in Create an Azure IoT Central application. Stop when you reach the Register a device section.
Important
Azure IoT Central offers a 7-day free trial application. After 7 days, applications incur charges based on the number of devices and messages. The Azure IoT Central pricing page provides details.
Step 2. Download the tenant authentication CA certificate
From the command prompt, sign in with your Azure Sphere login:
azsphere login
Download the Certificate Authority (CA) certificate for your Azure Sphere tenant. This command downloads the certificate to a file named CAcertificate.cer in the current working directory. Ensure that you download the file to a directory in which you have write permission, or the download operation will fail. The output file must have a .cer extension.
azsphere ca-certificate download --destination CAcertificate.cer
Step 3. Upload the tenant CA certificate to Azure IoT Central and generate a verification code
Open your IoT Central application. Under the Security section, select Permissions, then Device connection groups.
Select + New to create an enrollment group (such as MyX509Group) with an attestation type of Certificates (X.509). Select Save.
In the enrollment group that you created, scroll down to Manage Primary.
In Primary, select the file icon to upload the CA certificate file that you downloaded in Step 2. An alert indicates that the certificate needs verification.
To complete the verification, select Generate verification code, copy the code, then complete Steps 4 and 5 below to verify the intermediate X.509 certificate.
Step 4. Verify the tenant CA certificate
Return to the command prompt.
Use the following command to download a validation certificate that proves that you own the tenant CA certificate. Replace <code> in the command with the verification code from the previous step.
azsphere ca-certificate download-proof --destination ValidationCertification.cer --verification-code <code>
The Azure Sphere Security Service signs the validation certificate with the verification code to prove that you own the CA.
Step 5. Use the validation certificate to verify the tenant identity
Return to Azure IoT Central and select Verify.
When prompted, navigate to the validation certificate that you downloaded in the previous step and select it. Select Close to dismiss the dialog box. After verification, the status of your certificate changes to Verified in the Certificates (X.509) list view.
Select Save to save your changes.
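Before the upload in Step 5, the files from Steps 2 and 4 can be checked locally to confirm that the validation certificate was issued by the tenant CA and carries the verification code. The script below is an added example, not part of the original procedure or of the azsphere tooling, and its function names are hypothetical. It assumes OpenSSL and a POSIX shell are available, that a .cer file may be DER or PEM, and that the verification code is the subject CN of the validation certificate, as in the Azure X.509 proof-of-possession convention.

```shell
#!/bin/sh
# Added example: local check of the Step 2 and Step 4 files before upload.
# Assumptions: OpenSSL is installed; a .cer file may be DER or PEM; the
# verification code is the subject CN of the validation certificate.
# Function names are hypothetical.

to_pem() {  # $1 = input .cer, $2 = output PEM
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null
}

# $1 = CA cert, $2 = validation cert, $3 = verification code
# Returns 0 if both checks pass, 1 if a check fails, 2 on unreadable input.
check_proof() {
    tmp=$(mktemp -d) || return 2
    if ! { to_pem "$1" "$tmp/ca.pem" && to_pem "$2" "$tmp/val.pem"; }; then
        rm -rf "$tmp"; return 2
    fi
    rc=0
    # Check 1: the validation certificate is signed by the downloaded tenant CA.
    # -partial_chain lets the CA act as trust anchor even if it is not self-signed.
    if ! openssl verify -partial_chain -CAfile "$tmp/ca.pem" "$tmp/val.pem" >/dev/null 2>&1; then
        echo "validation certificate was not issued by this CA" >&2; rc=1
    fi
    # Check 2: the subject CN is exactly the code IoT Central generated.
    cn=$(openssl x509 -in "$tmp/val.pem" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    if [ "$cn" != "$3" ]; then
        echo "subject CN '$cn' does not match the verification code" >&2; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Builds a constructed (throwaway) CA and proof certificate in directory $1
# for code $2, so the check can be exercised offline.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/val.key" -out "$1/val.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/val.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/val.pem" 2>/dev/null &&
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/CAcertificate.cer" &&
    openssl x509 -in "$1/val.pem" -outform DER -out "$1/ValidationCertification.cer"
}
```

With the real files, the call is check_proof CAcertificate.cer ValidationCertification.cer followed by the code copied in Step 3; a non-zero exit status means the pair should not be uploaded until the mismatch is explained.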
Next steps
After you complete these steps, any device that is claimed into your Azure Sphere tenant is automatically accessible to your Azure IoT Central application.
You can now run the Azure IoT sample or use Azure IoT Central to monitor and control any of your Azure Sphere devices.