Set up an Azure IoT Hub for Azure Sphere with the Device Provisioning Service

The Azure IoT Hub Device Provisioning Service (DPS) can enable any device that is claimed into your Azure Sphere tenant to connect to your Azure IoT Hub instance when it first comes online and authenticates using an X.509 certificate.

To use direct authentication instead of DPS, see Set up an IoT hub for Azure Sphere.

Before you begin

The steps in this section assume that:

Authenticate using the Device Provisioning Service

Follow these steps to configure your device to authenticate using the Device Provisioning Service (DPS).

Important

If you choose to test an Azure IoT-based application that uses DPS, be aware that DPS charges $0.123 per 1000 operations; that is, 12.3 U.S. cents per one thousand operations. We expect that the free credit applied to many new subscriptions will cover any DPS charges, but we recommend that you check the details of your subscription agreement. For pricing information, see Azure IoT Hub pricing.

  1. Sign in to the Azure portal.
  2. Create a Device Provisioning Service.
  3. Link your existing Azure IoT Hub instance to your DPS.

Step 2. Download the tenant authentication CA certificate

  1. From the command prompt, sign in with your Azure Sphere login:

    azsphere login

  2. Download the tenant CA certificate for your Azure Sphere tenant. This command downloads the certificate to a file named CAcertificate.cer in the current working directory. Ensure that you download the file to a directory where you have write permissions, or the download operation will fail. The output file must have a .cer extension.

    azsphere ca-certificate download --destination CAcertificate.cer

Step 3. Upload and prove possession of the tenant CA certificate

Upload your tenant certification authority (CA) certificate to DPS, then automatically or manually prove that you own the certificate.

  1. In the Azure Portal, navigate to the DPS you created.
  2. Select Certificates in the Settings section.
  3. Select Add to add a new certificate.
  4. In Certificate name, enter a display name for the certificate.
  5. In Certificate .pem or .cer file, select the folder icon to choose the certificate file you downloaded in the previous step.

Next, you need to prove possession of the CA certificate. Azure can verify the Azure Sphere tenant certificate authority automatically; certificates from other certificate authorities must be verified manually.

To add a certificate and automatically verify it (prove possession of the tenant CA certificate):

  1. In the Add certificate pane, check the box for Set certificate status to verified on upload.
  2. Select Save at the bottom of the pane.

After verification, the status of your certificate changes to Verified in the Certificates list view. Select Refresh if the status does not update automatically.

Step 4. Use the validation certificate to add your device to an enrollment group

  1. In the Settings section, select Manage enrollments, then + Add enrollment group.

  2. On the Registration + provisioning tab of the Add enrollment group page, provide the following information to configure the enrollment group details:

    • Select X.509 certificates uploaded to this Device Provisioning Service instance as the Attestation mechanism.
    • From the dropdown list in Primary certificate, select the certificate that you validated in the previous step.
    • Enter a name for the enrollment group in Group name.

  3. Select Next: Review + create.

  4. On the Review + create tab, verify all of your values, then select Create. On successful creation of your enrollment group, the group name appears under the Enrollment Groups tab.

Next steps

After you complete these steps, any device that is claimed into your Azure Sphere tenant is automatically enrolled in your Azure IoT Hub instance when it first connects to DPS.

You can now run the Azure IoT sample, following the instructions specific to connecting via DPS.