Today I wanted to make a "bite-sized" post to walk you through setting up Azure Sphere with Azure IoT Edge.
As a refresher, Azure Sphere performs device authentication and attestation (described in the Azure Sphere Device Authentication and Attestation Service documentation). If the application manifest names an Azure Sphere tenant in its DeviceAuthentication value, the device then receives a client authentication certificate, which is valid for around a day.
| Manifest field | Description |
| --- | --- |
| DeviceAuthentication | A string that specifies the UUID of the Azure Sphere tenant to use for device authentication. Example: "DeviceAuthentication": "77304f1f-9530-4157-8598-30bc1f3d66f0" |
Why is this important? Because the goal here is to use this "high assurance" client certificate to authenticate the Azure Sphere device to the Azure IoT Edge server and pass it telemetry or other data. This gives a secure authentication method instead of static, hard-coded passwords.
A couple of other things to remember for this demo:
| Manifest field | Description |
| --- | --- |
| AllowedConnections | A list of DNS host names or IP addresses (IPv4) to which the application is allowed to connect. If the application uses an Azure IoT Hub, the list must include the IP address or DNS host name for the hub, typically hub-name.azure-devices.net. Port numbers and wildcard characters in names and IP addresses are not accepted. Example: "AllowedConnections" : [ "my-hub.example.net", "global.azure-devices-provisioning.net" ] |
The starting point for the lab is:
With that out of the way, let's take a look at this video for a walkthrough of basic connectivity from Azure Sphere to an IoT Edge server using the Azure Sphere device certificate!
EDIT on 4/5/21 for IoT Edge 1.2 RC4
Please note, the steps outlined are not the same in Edge 1.2 (preview as of 4/2/2021).
Note that you must use an FQDN for 1.2 RC4 (not an IP address).
Place the Azure Sphere tenant CA in trusted_roots.pem and make sure that file is referenced in the new "trust_bundle_cert" setting:
trust_bundle_cert = "file:///edge_certs/trusted_roots.pem"
For the Edge CA chain and private key, use the "edge_ca" section:
# ==============================================================================
# Edge CA certificate
# ==============================================================================
#
# If you have your own Edge CA certificate that you want all module certificates
# to be issued by, uncomment this section and replace the values with your own.
#
[edge_ca]
cert = "file:///edge_certs/iot-edge-device-ca-spatDeviceCA-full-chain.cert.pem"
pk = "file:///edge_certs/iot-edge-device-ca-spatDeviceCA.key.pem"
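As an added example (not code from the post or from the Azure Sphere SDK), here is a small pre-deployment check that applies the manifest rules described above to an app_manifest.json: the DeviceAuthentication value must be a tenant UUID, AllowedConnections entries may not carry ports or wildcards, and, when targeting IoT Edge 1.2, the Edge host must be given as an FQDN rather than an IP address. The sample manifest and host names are constructed for illustration.

```python
import ipaddress
import json
import re
import uuid
from typing import List, Optional

# Constructed sample manifest (placeholder names; the tenant UUID is the one used in the post).
SAMPLE_MANIFEST = json.dumps({
    "Name": "SphereToEdgeDemo",
    "Capabilities": {
        "AllowedConnections": [
            "edge-gw.example.net",        # valid FQDN
            "10.0.0.5",                   # IPv4: fine for Edge 1.1, rejected for 1.2
            "*.example.net",              # wildcard: never accepted
            "edge-gw.example.net:8883",   # port number: never accepted
        ],
        "DeviceAuthentication": "77304f1f-9530-4157-8598-30bc1f3d66f0",
    },
})

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_connection(entry: str, require_fqdn: bool) -> Optional[str]:
    """Return a problem description for one AllowedConnections entry, or None if it is acceptable."""
    if "*" in entry:
        return "wildcard characters are not accepted"
    if ":" in entry:
        return "port numbers (and IPv6 literals) are not accepted"
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version != 4:
            return "only IPv4 addresses are accepted"
        if require_fqdn:
            return "IoT Edge 1.2 requires a FQDN, not an IP address"
        return None
    labels = entry.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return "not a fully qualified DNS host name"
    return None


def validate_manifest(manifest_json: str, edge_1_2: bool = True) -> List[str]:
    """Check the Capabilities section of an app_manifest.json; returns a list of findings (empty = OK)."""
    caps = json.loads(manifest_json).get("Capabilities", {})
    findings = []
    tenant = caps.get("DeviceAuthentication")
    if tenant is None:
        findings.append("DeviceAuthentication missing: no tenant, so no device certificate will be issued")
    else:
        try:
            uuid.UUID(tenant)
        except ValueError:
            findings.append(f"DeviceAuthentication {tenant!r} is not a UUID")
    for entry in caps.get("AllowedConnections", []):
        problem = check_connection(entry, edge_1_2)
        if problem:
            findings.append(f"AllowedConnections {entry!r}: {problem}")
    return findings


if __name__ == "__main__":
    for finding in validate_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run against the constructed manifest, the IPv4 entry, the wildcard and the port-suffixed name are each reported; with edge_1_2=False only the last two are.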