Set up an Azure IoT Hub for Azure Sphere

To use your Azure Sphere devices with Azure IoT Hub, you need to create a hub and set it up to work with your Azure Sphere tenant, then configure X.509 certificate authentication for each device.

To use Device Provisioning Service instead of direct authentication, see Set up an IoT hub for Azure Sphere with DPS.

To add an Azure IoT Edge device that provides a filtering and data processing layer between your Azure Sphere device and Azure IoT Hub, see Set up Azure IoT Edge for Azure Sphere.

Before you begin

The steps in this section assume that:

  • Your Azure Sphere device is connected to your PC by USB.
  • You have an Azure subscription.

Important

Although you can create an Azure subscription for no charge, the sign-up process requires you to enter a credit card number. Azure provides several levels of subscription service. By default, the Standard tier, which requires a monthly service charge, is selected when you create an Azure IoT Hub instance. To avoid a monthly charge, select the Free tier. The Free tier includes the services required to use your device with Azure IoT Hub, including the Device Twin. If you don’t have an Azure subscription, create a free account before you begin.

Step 1. Create an IoT hub

Go to Create an IoT hub using the Azure portal.

Important

In "Create an IoT hub using the Azure portal," only follow the directions in the first section, "Create an IoT hub," then return to this topic.

Step 2. Download the tenant authentication CA certificate

  1. From the command prompt, sign in with your Azure Sphere login:

    azsphere login
    
  2. Download the CA certificate for your Azure Sphere tenant. This command downloads the certificate to a file named CAcertificate.cer in the current working directory. Ensure that you download the file to a directory in which you have write permission, or the download operation will fail. The output file must have a .cer extension.

    azsphere ca-certificate download --destination CAcertificate.cer
    

Step 3. Upload and prove possession of the tenant CA certificate

Upload your tenant certification authority (CA) certificate to Azure IoT Hub, then automatically or manually prove that you own the certificate.

  1. In the Azure portal, navigate to the IoT hub you created.
  2. Select Certificates in the Security settings section.
  3. Select Add to add a new certificate.
  4. In Certificate name, enter a display name for the certificate.
  5. In Certificate .pem or .cer file, select the folder icon to choose the certificate file you downloaded in the previous step.

Next, you need to prove possession of the CA certificate. Azure can automatically verify the Azure Sphere tenant certificate authority. Other certificate authorities must be verified manually.

To add a certificate and automatically verify it (prove possession of the tenant CA certificate):

  1. In the Add certificate pane, check the box for Set certificate status to verified on upload.
  2. Select Save at the bottom of the pane.

After verification, the status of your certificate changes to Verified in the Certificates list view. Select Refresh if the status does not update automatically.

Step 4. Create an X.509 device in your IoT hub for your Azure Sphere device

  1. In the Azure portal, navigate to your IoT hub. In the Device management section, select Devices > Add Device.

  2. Select New to add a new device.

  3. In Device ID, provide the Device ID. Note that the Device ID must be in lowercase characters. (You can run azsphere device show-attached in the Azure Sphere CLI to obtain the Device ID.)

  4. For Authentication type, choose X.509 CA Signed, then select Save.
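
The lowercase requirement on the Device ID above is easy to miss when copying the value from the CLI. The following is an added example, not part of the original Azure Sphere documentation: it extracts the Device ID from the text printed by azsphere device show-attached and lowercases it. It assumes a Device ID is a 128-character hexadecimal string; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Azure Sphere documentation.
# Assumption: a Device ID is a 128-character hexadecimal string.

# Read CLI output on stdin and print the one Device ID it contains, lowercased.
# Splitting on every non-hex character makes this independent of the exact
# output layout; only whole 128-digit tokens are accepted.
normalize_device_id() {
    ids=$(tr -c '0-9A-Fa-f' '\n' \
        | LC_ALL=C grep -xE '[0-9A-Fa-f]{128}' \
        | tr 'A-F' 'a-f' | sort -u)
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one Device ID, found $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Succeed only if $1 is already in the form the IoT hub Device ID field needs.
is_hub_ready_id() {
    printf '%s\n' "$1" | LC_ALL=C grep -qxE '[0-9a-f]{128}'
}

# Constructed sample (not a real device): 16 x 8 = 128 uppercase hex digits.
SAMPLE_ID=$(printf 'A1B2C3D4%.0s' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16)
SAMPLE_OUTPUT="Device ID: ${SAMPLE_ID}
IP address: 192.168.35.2"

# Demo on the constructed sample. With a device attached, use instead:
#   azsphere device show-attached | normalize_device_id
printf '%s\n' "$SAMPLE_OUTPUT" | normalize_device_id
```

A non-zero exit means the output held no Device ID or more than one, so nothing ambiguous gets pasted into the Device ID field.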

Next steps

You can now run the Azure IoT sample or build your own application that uses your Azure IoT Hub.