ca-certificate
Important
This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time.
Manages certificate authority (CA) certificates for the current Azure Sphere tenant. For more information, see Manage tenant CA certificate.
Operation | Description |
---|---|
download | Downloads the CA certificate for the current Azure Sphere tenant as an X.509 .cer file. |
download-chain | Downloads the CA certificate chain for the current Azure Sphere tenant as a PKCS#7 .p7b file. |
download-proof | Downloads a proof-of-possession certificate for the current Azure Sphere tenant as an X.509 .cer file. |
list | Lists all certificates for the current Azure Sphere tenant. |
download
Downloads the CA certificate for the current Azure Sphere tenant as an X.509 .cer file.
Required parameters
Parameter | Type | Description |
---|---|---|
--destination | String | Specifies the path and filename at which to save the tenant CA certificate. The file path can be an absolute or relative path but must have the .cer extension. |
Optional parameters
Parameter | Type | Description |
---|---|---|
--index | Integer | Specifies the index of the certificate to download. Run azsphere ca-certificate list to list the certificates and the index values. If no index is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint. |
--thumbprint | String | Specifies the thumbprint of the certificate to download. Run azsphere ca-certificate list to list the certificates and the thumbprint values. If no thumbprint is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint. |
-t, --tenant | GUID or name | Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name. |
Global parameters
The following global parameters are available for the Azure Sphere CLI:
Parameter | Description |
---|---|
--debug | Increases logging verbosity to show all debug logs. If you find a bug, provide output generated with the --debug flag on when submitting a bug report. |
-h, --help | Prints CLI reference information about commands and their arguments and lists available subgroups and commands. |
--only-show-errors | Shows only errors, suppressing warnings. |
-o, --output | Changes the output format. The available output formats are json, jsonc (colorized JSON), tsv (Tab-Separated Values), table (human-readable ASCII tables), and yaml. By default the CLI outputs table. To learn more about the available output formats, see Output format for Azure Sphere CLI commands. |
--query | Uses the JMESPath query language to filter the output returned from Azure Sphere Security Services. See JMESPath tutorial and Query Azure CLI command output for more information and examples. |
--verbose | Prints information about resources created in Azure Sphere during an operation and other useful information. Use --debug for full debug logs. |
Note
If you are using Azure Sphere classic CLI, see Global parameters for more information on available options.
Example
Download a specific certificate by index:
```
azsphere ca-certificate download --destination ca-cert.cer --index 1
```
Download a specific certificate by thumbprint:
```
azsphere ca-certificate download --destination ca-cert.cer --thumbprint <value>
```
You should see output like this:
```
Succeeded
```
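A check worth running after the download, as an added example that is not part of the Azure Sphere documentation: it recomputes the saved file's thumbprint with openssl and compares it with the value recorded from azsphere ca-certificate list. It assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate written as 40 hex digits and that openssl is installed; the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the Azure Sphere documentation.
# Assumption: the thumbprint printed by `azsphere ca-certificate list` is the
# SHA-1 digest of the DER-encoded certificate, written as 40 hex digits.

# Reduce a thumbprint to bare uppercase hex (drops colons and whitespace).
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ': \r\n' | tr '[:lower:]' '[:upper:]'
}

# Print the SHA-1 thumbprint of a certificate file. PEM is tried first and
# then DER, because a .cer file can hold either encoding.
cert_thumbprint() {
    for _form in PEM DER; do
        if _out=$(openssl x509 -in "$1" -inform "$_form" -noout \
                      -fingerprint -sha1 2>/dev/null); then
            normalize_thumbprint "${_out#*=}"
            return 0
        fi
    done
    echo "error: $1 is not a readable X.509 certificate" >&2
    return 1
}

# Succeed only when the file's thumbprint equals the expected value.
verify_thumbprint() {
    _expected=$(normalize_thumbprint "$2")
    case $_expected in
        *[!0-9A-F]*) _expected= ;;   # reject anything that is not hex
    esac
    if [ "${#_expected}" -ne 40 ]; then
        echo "error: expected thumbprint must be 40 hex digits" >&2
        return 2
    fi
    _actual=$(cert_thumbprint "$1") || return 1
    if [ "$_actual" != "$_expected" ]; then
        echo "MISMATCH: $1 has $_actual, expected $_expected" >&2
        return 1
    fi
    echo "OK: $1 matches $_expected"
}

# Download the certificate selected by thumbprint, then check the saved file.
# Take the expected value from a record kept independently of this session.
download_and_verify() {
    azsphere ca-certificate download --destination "$2" --thumbprint "$1" \
        || return 1
    verify_thumbprint "$2" "$1"
}
```

Call it as `download_and_verify <value> ca-cert.cer`; a non-zero exit status means the saved file should not be uploaded anywhere as a trust anchor.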
download-chain
Downloads the CA certificate chain for the current Azure Sphere tenant as a PKCS#7 .p7b file.
Required parameters
Parameter | Type | Description |
---|---|---|
--destination | String | Specifies the path and filename at which to save the tenant CA certificate chain. You can provide a relative or absolute path, and must use a .p7b extension. |
Optional parameters
Parameter | Type | Description |
---|---|---|
--index | Integer | Specifies the index of the certificate to download. Run azsphere ca-certificate list to list the certificates and the index values. If no index is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint. |
--thumbprint | String | Specifies the thumbprint of the certificate to download. Run azsphere ca-certificate list to list the certificates and the thumbprint values. If no thumbprint is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint. |
-t, --tenant | GUID or name | Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name. |
Example
```
azsphere ca-certificate download-chain --destination CA-cert-chain.p7b --index 1
Succeeded
```
download-proof
Downloads a proof-of-possession certificate for the current Azure Sphere tenant as an X.509 .cer file, for use with the verification code you provide. This certificate is part of the device authentication and attestation process. For more information on using Azure Sphere devices with Azure IoT, see Use Azure IoT with Azure Sphere.
Required parameters
Parameter | Type | Description |
---|---|---|
--destination | String | Specifies the path and filename at which to save the proof-of-possession certificate. The file path can be an absolute or relative path but must use a .cer extension. |
--verification-code | String | Specifies the verification code for the Azure Sphere Security Service to use when generating the certificate. |
Optional parameters
Parameter | Type | Description |
---|---|---|
--index | Integer | Specifies the index of the certificate to download. Run azsphere ca-certificate list to list the certificates and the index values. If no index is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint. |
--thumbprint | String | Specifies the thumbprint of the certificate to download. Run azsphere ca-certificate list to list the certificates and the thumbprint values. If no thumbprint is supplied, the active certificate is downloaded. You can specify either the index value or thumbprint. |
-t, --tenant | GUID or name | Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name. |
Example
```
azsphere ca-certificate download-proof --destination validation.cer --verification-code 123412341234 --index 1
Succeeded
```
list
Lists all certificates for the current tenant.
Optional parameters
Parameter | Type | Description |
---|---|---|
-t, --tenant | GUID or name | Specifies the tenant to perform this operation in. Overrides the default selected tenant. You can specify either the tenant ID or tenant name. |
Example
If the default tenant is not selected, a message may display to set the default tenant.
```
azsphere ca-certificate list
----- ---------------------------------------- --------------------------------------------------------------- ------ ----------------- -----------------
Index Thumbprint                               CertificateDetails                                              Status StartDate         EndDate
=========================================================================================================================================================
1     <value>                                  CN: Microsoft Azure Sphere <tenant-ID>                          Active 09/06/2020 17:39:40 09/06/2022 17:39:40
                                               O: Microsoft Corporation
                                               L: Redmond
                                               ST: Washington
                                               C: US
----- ---------------------------------------- --------------------------------------------------------------- ------ ----------------- -----------------
2     <value>                                  CN: Microsoft Azure Sphere <tenant-ID>                          Ready  29/04/2020 22:51:47 29/04/2022 22:51:47
                                               O: Microsoft Corporation
                                               L: Redmond
                                               ST: Washington
                                               C: US
----- ---------------------------------------- --------------------------------------------------------------- ------ ----------------- -----------------
```