ca-certificate

Important

This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.

Manages certificate authority (CA) certificates for the current Azure Sphere tenant. For more information, see Manage tenant CA certificate.

Operation Description
download Downloads the CA certificate for the current Azure Sphere tenant as an X.509 .cer file.
download-chain Downloads the CA certificate chain for the current Azure Sphere tenant as a PKCS#7 .p7b file.
download-proof Downloads a proof-of-possession certificate for the current Azure Sphere tenant as an X.509 .cer file.
list Lists all certificates for the current Azure Sphere tenant.

download

Downloads the CA certificate for the current Azure Sphere tenant as an X.509 .cer file.

Required parameters

Parameter Type Description
--destination String Specifies the path and filename at which to save the tenant CA certificate. The file path can be an absolute or relative path but must have the .cer extension.

Optional parameters

Parameter Type Description
--index Integer Specifies the index of the certificate to download. Run azsphere ca-certificate list to list the certificates and the index values. If no index is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint.
--thumbprint String Specifies the thumbprint of the certificate to download. Run azsphere ca-certificate list to list the certificates and the thumbprint values. If no thumbprint is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint.
-t, --tenant GUID or name Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name.

Global parameters

The following global parameters are available for the Azure Sphere CLI:

Parameter Description
--debug Increases logging verbosity to show all debug logs. If you find a bug, provide output generated with the --debug flag on when submitting a bug report.
-h, --help Prints CLI reference information about commands and their arguments and lists available subgroups and commands.
--only-show-errors Shows only errors, suppressing warnings.
-o, --output Changes the output format. The available output formats are json, jsonc (colorized JSON), tsv (Tab-Separated Values), table (human-readable ASCII tables), and yaml. By default the CLI outputs table. To learn more about the available output formats, see Output format for Azure Sphere CLI commands.
--query Uses the JMESPath query language to filter the output returned from Azure Sphere Security Services. See JMESPath tutorial and Query Azure CLI command output for more information and examples.
--verbose Prints information about resources created in Azure Sphere during an operation and other useful information. Use --debug for full debug logs.

Note

If you are using Azure Sphere classic CLI, see Global parameters for more information on available options.

Example

Example that specifies the index of the certificate to download:

azsphere ca-certificate download --destination ca-cert.cer --index 1

Example that specifies the thumbprint of the certificate to download:

azsphere ca-certificate download --destination ca-cert.cer --thumbprint <value>

You should see output like this:

Succeeded
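
To confirm that the saved file is the certificate you selected, the following added example (not part of the Azure Sphere documentation or CLI) computes a thumbprint from the .cer file and compares it with the value shown by azsphere ca-certificate list. It assumes the listed thumbprint is the SHA-1 hash of the DER-encoded certificate in hexadecimal; the function names and SAMPLE_DER are illustrative.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a .cer file that may be DER or PEM encoded."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # An X.509 certificate is a single ASN.1 SEQUENCE (tag 0x30).
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, body = 2, first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    # Reject partial downloads and anything appended after the certificate.
    if hdr + body != len(der):
        raise ValueError("truncated file or trailing data after certificate")
    return der


def thumbprint(der: bytes) -> str:
    # Assumption: the CLI thumbprint is SHA-1 over the DER encoding.
    return hashlib.sha1(der).hexdigest().upper()


def matches_listed(cer_bytes: bytes, listed: str) -> bool:
    """Compare a file's thumbprint with one copied from the list output."""
    want = re.sub(r"[^0-9A-Fa-f]", "", listed).upper()  # drop ':' and spaces
    return thumbprint(load_der(cer_bytes)) == want


# Constructed stand-in for a downloaded file: a well-formed outer SEQUENCE
# with filler content, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    listed = thumbprint(SAMPLE_DER)       # stands in for the value from list
    print(listed, matches_listed(SAMPLE_DER, listed))
```

For a real file, pass the bytes read from ca-cert.cer and the thumbprint string copied from the list output to matches_listed.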

download-chain

Downloads the CA certificate chain for the current Azure Sphere tenant as a PKCS#7 .p7b file.

Required parameters

Parameter Type Description
--destination String Specifies the path and filename at which to save the tenant CA certificate chain. You can provide a relative or absolute path, and must use a .p7b extension.

Optional parameters

Parameter Type Description
--index Integer Specifies the index of the certificate to download. Run azsphere ca-certificate list to list the certificates and the index values. If no index is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint.
--thumbprint String Specifies the thumbprint of the certificate to download. Run azsphere ca-certificate list to list the certificates and the thumbprint values. If no thumbprint is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint.
-t, --tenant GUID or name Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name.

Example

azsphere ca-certificate download-chain --destination CA-cert-chain.p7b --index 1
Succeeded

download-proof

Downloads a proof-of-possession certificate for the current Azure Sphere tenant as an X.509 .cer file, for use with a verification code that you provide. This certificate is part of the device authentication and attestation process. For more information on using Azure Sphere devices with Azure IoT, see Use Azure IoT with Azure Sphere.

Required parameters

Parameter Type Description
--destination String Specifies the path and filename at which to save the proof-of-possession certificate. The file path can be an absolute or relative path but must use a .cer extension.
--verification-code String Specifies the verification code for the Azure Sphere Security Service to use when generating the certificate.

Optional parameters

Parameter Type Description
--index Integer Specifies the index of the certificate to download. Run azsphere ca-certificate list to list the certificates and the index values. If no index is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint.
--thumbprint String Specifies the thumbprint of the certificate to download. Run azsphere ca-certificate list to list the certificates and the thumbprint values. If no thumbprint is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint.
-t, --tenant GUID or name Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name.

Example

azsphere ca-certificate download-proof --destination validation.cer --verification-code 123412341234 --index 1
Succeeded

list

Lists all certificates for the current tenant.

Optional parameters

Parameter Type Description
-t, --tenant GUID or name Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name.

Example

If no default tenant is selected, a message may be displayed asking you to set the default tenant.

azsphere ca-certificate list
 ----- ---------------------------------------- --------------------------------------------------------------- ------ ----------------- -----------------
 Index Thumbprint                               CertificateDetails                                              Status StartDate         EndDate
 =========================================================================================================================================================
 1     <value>                                  CN: Microsoft Azure Sphere <tenant-ID>                          Active 09/06/2020 17:39:40 09/06/2022 17:39:40
                                                O: Microsoft Corporation
                                                L: Redmond
                                                ST: Washington
                                                C: US
 ----- ---------------------------------------- --------------------------------------------------------------- ------ ----------------- -----------------
 2     <value>                                  CN: Microsoft Azure Sphere <tenant-ID>                          Ready 29/04/2020 22:51:47 29/04/2022 22:51:47
                                                O: Microsoft Corporation
                                                L: Redmond
                                                ST: Washington
                                                C: US
 ----- ---------------------------------------- --------------------------------------------------------------- ------ ----------------- -----------------