Set up an Azure IoT Hub for Azure Sphere with the Device Provisioning Service

The Azure IoT Hub Device Provisioning Service (DPS) can enable any device that is claimed into your Azure Sphere catalog to connect to your Azure IoT Hub instance when it first comes online and authenticates using an X.509 certificate.

Before you begin

The steps in this section assume that:

Authenticate using the Device Provisioning Service

Follow these steps to configure your device to authenticate using the Device Provisioning Service (DPS).

Important

If you choose to test an Azure IoT-based application that uses DPS, be aware that DPS charges $0.123 per 1000 operations; that is, 12.3 U.S. cents per one thousand operations. We expect that the free credit applied to many new subscriptions will cover any DPS charges, but we recommend that you check the details of your subscription agreement. For pricing information, see Azure IoT Hub pricing.

  1. Sign in to the Azure portal.
  2. Create a Device Provisioning Service.
  3. Link your existing Azure IoT Hub instance to your DPS.

Step 2. Download the catalog authentication CA certificate

  1. From the command prompt, sign in with your Azure login:

    az login
    
  2. Download the catalog CA certificate for your Azure Sphere catalog. This command downloads the certificate to a file named CACertificate.cer in the current working directory. Ensure that you download the file to a directory where you have write permissions, or the download operation will fail. The output file must have a .cer extension.

    az sphere ca-certificate download --resource-group MyResourceGroup --catalog MyCatalog --output-file CACertificate.cer
    

Step 3. Upload and prove possession of the catalog CA certificate

Upload your catalog certification authority (CA) certificate to DPS, then automatically or manually prove that you own the certificate.

  1. In the Azure portal, navigate to the DPS you created.
  2. Select Certificates in the Settings section.
  3. Select Add to add a new certificate.
  4. In Certificate name, enter a display name for the certificate.
  5. In Certificate .pem or .cer file, select the folder icon to choose the certificate file you downloaded in the previous step.
  6. Prove possession of a CA certificate using one of the following methods:

Verify certificate automatically

To add a certificate and automatically verify it (prove possession of the catalog CA certificate):

  1. In the Add certificate box, check the box for Set certificate status to verified on upload.
  2. After verification, the status of your certificate changes to Verified in the Certificates list view. Select Refresh if the status does not update automatically.


Next, proceed to Step 4: Use the validation certificate to add your device to an enrollment group.

Verify certificate manually

To add a certificate and manually verify it (prove possession of the catalog CA certificate):

  1. Get a unique verification code from the Azure portal.
  2. Download the proof-of-possession certificate that proves you own the catalog CA certificate from the Azure CLI.
  3. Upload the signed verification certificate on the Azure portal. The service validates the verification certificate using the public portion of the CA certificate to be verified, thus proving that you are in possession of the CA certificate's private key.

Get a unique verification code from the Azure portal

  1. After you have selected a certificate in the Add certificate blade, leave the box Set certificate status to verified on upload unchecked. Select Save.

  2. The Certificates list view shows your certificates. The Status of the certificate you created is Unverified.


  3. Select the name of your certificate to display its details. In the Certificates blade, select Generate verification code. Copy the verification code to your clipboard for use in the next step. (Do not select Verify yet.)


Download a proof-of-possession certificate that proves you own the catalog CA certificate

Return to the Azure CLI and download a proof-of-possession certificate for your Azure Sphere catalog. Use the verification code to generate the certificate as an X.509 .cer file.

    az sphere ca-certificate download-proof --resource-group MyResourceGroup --catalog MyCatalog --verification-code <code> --output-file ValidationCertification.cer

Upload the signed verification certificate

The Azure Sphere Security Service issues a validation certificate whose subject contains the verification code and signs it with the catalog CA's private key, which is how you prove that you own the CA.

  1. From Certificates in the Azure portal, in the Verification certificate .pem or .cer file field, browse to select and upload the signed verification certificate. The certificate is located in the directory in which you invoked the download command.

  2. When the certificate is successfully uploaded, select Verify.


  3. After verification, the status of your certificate changes to Verified in the Certificates list view. Select Refresh if the status does not update automatically.
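Before you select Verify, you can reproduce the check that DPS performs, which also shows why knowing the verification code alone does not prove possession. The script below is an added example, not part of the Azure Sphere documentation or the az sphere tooling: it uses a constructed throw-away CA and a made-up verification code, because the real catalog CA private key is held by the Azure Sphere Security Service and not by you, and it assumes PEM-encoded .cer files and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the Azure Sphere docs: reproduce locally the check DPS
# performs when you select Verify. Constructed data throughout: a throw-away CA stands
# in for the catalog CA (whose real private key never leaves the Azure Sphere Security
# Service), and the verification code is made up. Assumes PEM .cer files, openssl 1.1.1+.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CODE="0123456789ABCDEF0123456789ABCDEF"   # constructed stand-in for the portal's code
gen_key_csr() { openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
  -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1; }

# Throw-away "catalog CA" (the role CACertificate.cer plays in Step 2).
gen_key_csr "Constructed Catalog CA" ca
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -extfile "$WORK/ca.ext" \
  -sha256 -days 1 -out "$WORK/ca.cer" >/dev/null 2>&1
CA_CER="$WORK/ca.cer"

# Proof-of-possession certificate: subject CN is the verification code and the
# signature comes from the CA private key. This is what download-proof returns.
gen_key_csr "$CODE" proof
openssl x509 -req -in "$WORK/proof.csr" -CA "$CA_CER" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 1 -out "$WORK/proof.cer" >/dev/null 2>&1
PROOF_CER="$WORK/proof.cer"

# Rogue certificate: right CN, but self-signed by someone who only saw the code
# and does not hold the CA key. DPS must reject it.
gen_key_csr "$CODE" rogue
openssl x509 -req -in "$WORK/rogue.csr" -signkey "$WORK/rogue.key" \
  -sha256 -days 1 -out "$WORK/rogue.cer" >/dev/null 2>&1
ROGUE_CER="$WORK/rogue.cer"

# check_proof CA_CER PROOF_CER CODE: returns 0 only if PROOF_CER chains to CA_CER
# and its subject CN equals CODE, otherwise 1.
check_proof() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//')
  [ "$cn" = "$3" ]
}

if check_proof "$CA_CER" "$PROOF_CER" "$CODE"; then echo "genuine proof: chains to CA, CN = code"; fi
check_proof "$CA_CER" "$ROGUE_CER" "$CODE" || echo "rogue cert rejected: not signed by the CA key"
check_proof "$CA_CER" "$PROOF_CER" "STALECODE" || echo "wrong code rejected: CN mismatch"
```

To check a real download, call `check_proof CACertificate.cer ValidationCertification.cer <code>` with the code you copied from the portal.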

Note

Perform Steps 1-3 only once per Azure Sphere catalog.

Step 4. Use the validation certificate to add your device to an enrollment group

  1. In the Settings section, select Manage enrollments, then Add enrollment group.

  2. In the Add Enrollment Group pane:

    • Enter a name for your enrollment group.
    • Select Certificate as the Attestation type and CA Certificate as the Certificate type.
    • From the dropdown list in Primary certificate, select the certificate that you validated in the previous step.
  3. Select Save at the top of the page. After successful creation of your enrollment group, you should see the group name appear under the Enrollment Groups tab.

Next steps

After you complete these steps, any device that is claimed into your Azure Sphere catalog is automatically enrolled in your Azure IoT Hub instance when it first comes online and connects to DPS.

You can now run the Azure IoT sample, following the instructions specific to connecting via DPS.

Additional information

To use direct authentication instead of DPS, see Set up an IoT hub for Azure Sphere.