Verify certificate manually

While tenant certificates can be automatically verified by Azure, alternate certificate authorities must be manually verified. The following steps describe how to manually verify certificates for use with the Device Provisioning Service and IoT Hub. The steps assume a root CA certificate has been uploaded to an IoT Hub or Device Provisioning Service instance.

To add a certificate and manually verify it (prove possession of the root CA certificate):

  1. Get a unique verification code from the Azure portal.
  2. Use the Azure Sphere CLI to download a proof-of-possession certificate: a certificate whose subject is the verification code, signed by the tenant CA.
  3. Upload that signed verification certificate in the Azure portal. The service checks its signature against the public portion of the CA certificate being verified; a valid signature proves that whoever issued the certificate holds the CA's private key.

Get a unique verification code from the Azure portal

  1. After you have selected a certificate in the Add certificate blade, leave the box Set certificate status to verified on upload unchecked. Select Save.

  2. The Certificates list view shows your certificates. The Status of the certificate you created is Unverified.

  3. Select the name of your certificate to display its details. In the Certificates blade, select Generate verification code. Copy the verification code to your clipboard for use in the next step. (Do not select Verify yet.)

Download a proof-of-possession certificate that proves you own the tenant CA certificate

Return to the Azure Sphere CLI and download a proof-of-possession certificate for your Azure Sphere tenant. Use the verification code to generate the certificate as an X.509 .cer file.

azsphere ca-certificate download-proof --destination ValidationCertification.cer --verification-code <code>
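Before you upload the file, you can reproduce the portal's check locally: the proof certificate must carry the verification code as its subject CN and must be signed by the private key matching the CA certificate you uploaded. The script below is an added example, not part of the Azure Sphere documentation or CLI. It assumes openssl is on PATH, and because it has to run offline it constructs a throwaway "tenant CA" and proof certificate with its own keys in place of the real tenant CA certificate and the ValidationCertification.cer written by the command above; point check_proof at the real files to use it for real.

```shell
#!/bin/sh
# Added example, not part of the Azure Sphere documentation or CLI.
# Reproduces the two facts the portal's Verify step relies on:
#   1. the proof certificate's subject CN equals the verification code;
#   2. the proof certificate is signed by the private key of the CA you uploaded.
# Assumptions: openssl is on PATH. In real use CA_CERT is the tenant CA certificate
# uploaded to IoT Hub / DPS and PROOF_CERT is the file written by
# `azsphere ca-certificate download-proof`; here both are CONSTRUCTED fixtures
# with throwaway keys so the script runs offline.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CODE="0123456789ABCDEF"   # constructed stand-in for the portal's verification code

# --- constructed fixtures ---------------------------------------------------
# Self-signed "tenant CA", plus an unrelated CA to model a proof from the wrong tenant
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.cer" -subj "/CN=Example Tenant CA" -days 1 2>/dev/null
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/other.key" -out "$WORK/other.cer" -subj "/CN=Unrelated CA" -days 1 2>/dev/null
# Proof certificate: CN = verification code, signed by the tenant CA key
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/proof.key" -out "$WORK/proof.csr" -subj "/CN=$CODE" 2>/dev/null
openssl x509 -req -in "$WORK/proof.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/proof.cer" -days 1 2>/dev/null

# check_proof CA_CERT PROOF_CERT CODE  -> exit status 0 only if both checks pass
check_proof() {
  ca="$1"; proof="$2"; code="$3"
  # RFC2253 formatting prints "subject=CN=<code>" regardless of openssl version
  cn=$(openssl x509 -in "$proof" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$code" ]; then
    echo "subject CN '$cn' does not match verification code '$code'" >&2
    return 1
  fi
  # Signature check: the proof must chain to exactly the CA being verified
  if ! openssl verify -CAfile "$ca" "$proof" >/dev/null 2>&1; then
    echo "proof certificate is not signed by the CA in $ca" >&2
    return 1
  fi
  return 0
}

# Stand-alone demo: the genuine proof passes; the same proof fails against the wrong CA
if check_proof "$WORK/ca.cer" "$WORK/proof.cer" "$CODE"; then
  echo "proof certificate matches code $CODE and chains to the tenant CA: safe to upload"
fi
if ! check_proof "$WORK/other.cer" "$WORK/proof.cer" "$CODE"; then
  echo "rejected proof signed by an unrelated CA (expected)"
fi
```

If either check fails on the real files, the portal's Verify step will fail for the same reason: the CN check catches a proof generated for a different verification code, and the signature check catches a proof that does not belong to the CA certificate you uploaded.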

Upload the signed verification certificate

The Azure Sphere Security Service, which holds the tenant CA's private key, issues a validation certificate whose subject is the verification code and signs it with that key. Only the holder of the CA's private key can produce that signature, so the certificate proves that you control the CA.

  1. From Certificates in the Azure portal, in the Verification certificate .pem or .cer file field, browse to and upload the signed verification certificate. The file is at the path you passed to --destination; the command above writes ValidationCertification.cer to the directory in which you ran it.

  2. When the certificate is successfully uploaded, select Verify.

  3. After verification, the status of your certificate changes to Verified in the Certificates list view. Select Refresh if the status does not update automatically.