Generating keys and certificates
Provisioning gives your device the keys and certificates it needs to gain access to your Device Management account.
To obtain keys and certificates for the demo, you can:
- Generate credentials using Factory Configurator Utility (FCU).
- Provide FCU with credentials from an external source.
- Use a secure element with pre-provisioned credentials.
Injecting entropy onto devices
IoT devices need entropy to perform cryptographic operations.
You can use FCU to inject entropy onto non-TRNG (True Random Number Generator) devices - like the NUCLEO-F411RE and UIS8908A - or devices with weak entropy, by setting externally_supplied in the
If you use externally-supplied entropy, you must also create an entropy file, named entropy.bin. Here is an example of how to generate an entropy file in Linux:
time dd if=/dev/urandom of=entropy.bin bs=1 count=1024
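The following is an added example, not part of the FCU documentation. It wraps the dd command above in a function and adds the check a practitioner wants before injecting the file: the file must exist, be exactly 1024 bytes (the count used above; the required size for your device is an assumption you should confirm against the FCU configuration), and not be a degenerate sample such as all zeros, which would happen if the source device were misconfigured. The distinct-byte threshold is a constructed sanity bound, not a statistical entropy test.

```shell
#!/bin/sh
# Added example (not from the FCU documentation): generate entropy.bin for
# FCU's externally-supplied entropy mode and sanity-check it before injection.
# ENTROPY_BYTES matches the 1024-byte count used in the documented dd command
# (assumption: adjust it if your device configuration requires another size).
ENTROPY_BYTES=1024
# A 1024-byte CSPRNG sample uses ~250 distinct byte values; a constant file
# (e.g. from /dev/zero) uses one. 64 is a constructed lower bound for the check.
MIN_DISTINCT=64

# Write ENTROPY_BYTES from the kernel CSPRNG to the path given as $1.
generate_entropy_file() {
    dd if=/dev/urandom of="$1" bs=1 count="$ENTROPY_BYTES" 2>/dev/null
}

# Return 0 if $1 exists, is exactly ENTROPY_BYTES long and contains at least
# MIN_DISTINCT distinct byte values; return 1 otherwise.
check_entropy_file() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$ENTROPY_BYTES" ] || return 1
    # od prints each byte as a decimal value; count how many different values occur.
    distinct=$(od -An -v -tu1 "$f" | tr -s ' ' '\n' | grep -v '^$' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge "$MIN_DISTINCT" ] || return 1
    return 0
}
```

Run generate_entropy_file entropy.bin followed by check_entropy_file entropy.bin; a non-zero exit from the check means the file should not be handed to FCU. The check deliberately rejects a file of the right size drawn from a constant source, which a plain size check would accept.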
Using FCU as a CA
You can use FCU as a CA (certificate authority) when you configure it to generate the DTLS device keys, or when the device generates DTLS device keys.
Fill in the
Note: For all attributes under the device-certificate section, we recommend using only the characters SPACE. For more information, see configuration for generation of device certificates.
device-certificate:
  organization-name: 'dev-ON'
  organizational-unit-name: 'dev-OUN'
  locality-name: 'dev-L'
  state-or-province-name: 'dev-SN'
  country-name: 'dv'
certificate-authority:
  common-name: 'CN'
  organization-name: 'ON'
  organizational-unit-name: 'OUN'
  locality-name: 'LN'
  state-or-province-name: 'SN'
  country-name: 'CO'
device-info:
  manufacturer-name: 'NXP'
  device-type: 'development'
  model-number: 'K64F'
  hardware-version: 'K64F'
  memory-total: 256
  timezone: 'UTC'
Navigate to the
To create a private key and certificate (in FCU_HOME_DIR > keystore), run:
python ft_demo.py setup
When FCU is not an intermediate CA, the expected FCU output in the console is:
The fcu certificate was created successfully at c:\tools\factory_configurator_utility\keystore\fcu.crt
Please note the certificate must be uploaded to the portal
OPERATION COMPLETED SUCCESSFULLY
When FCU is an intermediate CA (when the setup-ca-as-intermediate parameter in the setup command creates a CSR named
In this case, the expected FCU output in the console is:
The FCU CSR was created successfully at c:\tools\factory_configurator_utility\keystore\fcu_csr.pem.
Please sign the generated CSR, and save created certificate as 'c:\tools\factory_configurator_utility\keystore\fcu.crt'.
Please note the certificate must be uploaded to the portal
OPERATION COMPLETED SUCCESSFULLY
Use your certificate authority to sign the CSR, and provide the generated certificate-chain to FCU as predefined file name
Using your own CA
In this mode, you use your own device private key and certificate as resources:
Create a new folder and place your resources there. You can use your own files:
BootstrapDevicePrivateKey.pem: A private key on the NIST P-256 (secp256r1) curve.
BootstrapDeviceCert.pem: A certificate, using the X.509 standard.
Note: Make sure you use FCU-compatible certificates.
Make a note of the folder path; you will need it when you inject to the device later in this demo.
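The following is an added example, not part of the FCU documentation or of FCU itself. It covers the two steps the page leaves to "your certificate authority": signing a CSR with your own CA (the intermediate-CA flow above, where fcu_csr.pem is signed and saved as fcu.crt) and producing BootstrapDevicePrivateKey.pem and BootstrapDeviceCert.pem for the own-CA flow, using the openssl command-line tool. It then checks what a practitioner wants to know before the files reach FCU: the key is on P-256, the certificate belongs to that key, and the certificate chains to the CA. The demo root CA, the subject names and the CSR it signs are constructed for the example; whether the resulting files are FCU-compatible is still governed by the note above.

```shell
#!/bin/sh
# Added example (not from the FCU documentation): a throw-away root CA,
# a P-256 device key, a CSR signed by that CA, and checks on the result.
# CA_SUBJECT and DEVICE_SUBJECT are constructed values. In production the CA
# key would not be a plain file on a workstation; this is a demo CA only.
CA_SUBJECT="/C=CO/O=ON/CN=demo-root-ca"
DEVICE_SUBJECT="/C=CO/O=ON/CN=demo-device-0001"

# Create a self-signed P-256 root CA: $1 = CA key path, $2 = CA certificate path.
make_demo_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" &&
    openssl req -new -x509 -key "$1" -subj "$CA_SUBJECT" -days 3650 -out "$2"
}

# Generate a NIST P-256 (secp256r1, called prime256v1 by openssl) private key: $1 = path.
make_p256_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# Create a certificate signing request for a key: $1 = key path, $2 = CSR path.
make_csr() {
    openssl req -new -key "$1" -subj "$DEVICE_SUBJECT" -out "$2"
}

# Sign a CSR with the CA: $1 = CSR, $2 = CA key, $3 = CA certificate, $4 = output certificate.
# This is the same operation you perform on fcu_csr.pem when FCU is an intermediate CA.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial -days 365 -out "$4" 2>/dev/null
}

# Return 0 if the private key in $1 is on the P-256 curve.
key_is_p256() {
    openssl ec -in "$1" -noout -text 2>/dev/null | grep -q -e prime256v1 -e secp256r1 -e 'P-256'
}

# Return 0 if the certificate $2 carries the public key that belongs to private key $1.
cert_matches_key() {
    key_pub=$(openssl ec -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if certificate $1 verifies against the CA certificate $2.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Typical order for the own-CA flow: make_demo_ca ca.key ca.crt, make_p256_key BootstrapDevicePrivateKey.pem, make_csr BootstrapDevicePrivateKey.pem device.csr, sign_csr device.csr ca.key ca.crt BootstrapDeviceCert.pem, then run the three checks and only copy the two Bootstrap files into the resources folder if all of them return 0. For the intermediate-CA flow, sign_csr is applied to the fcu_csr.pem that FCU generated, and the output is saved under the fcu.crt name FCU expects.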
Using an ATECC608A secure element
You can use the default pre-provisioned keys and certificates on the ATECC608A secure element, or you can emulate the production flow of signing the pre-provisioned credentials with your own CA using Trust Platform Design Suite.
Warning: Use the secure element credentials described in this document for development purposes only. For production you must order secure elements with pre-provisioned credentials signed by your own CA.
To use the default pre-provisioned credentials:
- Upload the CA certificate file to Device Management Portal. The default-root-ca.crt CA certificate is located in the
To emulate the production flow of signing the pre-provisioned credentials with your own CA:
fcu.yml, set the
- Connect the DM320118 development kit to your PC with a USB cable. Disconnect the male-to-male jumper wires from the DM320118 kit, if connected.
- Install Trust Platform Design Suite and follow the instructions to create a new CA and credentials. This creates a number of files in the
- Copy the .c and .h files from the TrustFLEX/00_resource_generation folder to your factory-configurator-client-example/mbed-cloud-client-platform-common/secure_element/se_atmel_credentials folder; if the files already exist, overwrite them.
- Upload the root-ca.crt CA certificate file to Device Management Portal.