
Device credentials

To be able to connect to Device Management and use the Connect and Update functionalities, a device must have two sets of credentials:

This section focuses on the device credentials (identity certificate and private key) used to connect to the bootstrap or LwM2M servers.

Which credentials your device uses, and how you get them, depends on the answers to three questions:

  • Do you want your device to use bootstrap flow or direct LwM2M registration?
  • Do you need development or production credentials?
  • Do you want to use your own certificate authority to generate the device credentials, or do you want to use the factory configurator utility (FCU)?

Bootstrap flow or direct LwM2M registration

As explained in the Device onboarding section, Device Management provides two ways to onboard a device:

  • Using bootstrap (preferred option): The device can fall back to the bootstrap flow to renew its LwM2M credentials if they expire or become invalid.
  • Using direct Device Management LwM2M server credentials (only available for commercial accounts): The device cannot fall back to bootstrap. There are also limitations on certificate renewal and connectivity maintenance.

The two options support different scenarios:

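| Flow         | Development | Production | Own CA | FCU CA |
|--------------|-------------|------------|--------|--------|
| Bootstrap    | [x]         | [x]        | [x]    | [x]    |
| Direct LwM2M | [ ]         | [x]        | [x]    | [x]    |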

Development or production credentials

Device Management supports two kinds of credentials for provisioning devices:

  • Developer mode: Based on a developer certificate, which can support up to 100 devices. With this option, you don't need to go through a full factory process every time you want to test your devices. See Provisioning devices for more information.

  • Production credentials: You must use a full factory flow to provide your devices with proper production credentials. See Provisioning devices for more information.

The two options support different scenarios:

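| Credentials             | Bootstrap | Direct LwM2M | Own CA | FCU CA |
|-------------------------|-----------|--------------|--------|--------|
| Development credentials | [x]       | [ ]          | [ ]    | [ ]    |
| Production credentials  | [x]       | [x]          | [x]    | [x]    |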

Own certificate authority or FCU CA for device credential generation

When your devices connect to Device Management, they use a certificate to prove they are linked to your Pelion account. A certificate authority (CA) generates that certificate. Device Management offers a CA (as part of FCU) but also supports using an existing (third-party) CA. For more information, see the Certificate Authority Options section of the Izuma Device Management Factory Provisioning documentation site.

The two options support different scenarios:

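| CA                           | Bootstrap | Direct LwM2M | Development | Production |
|------------------------------|-----------|--------------|-------------|------------|
| Own certificate authority    | [x]       | [x]          | [ ]         | [x]        |
| FCU as certificate authority | [x]       | [x]          | [ ]         | [x]        |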

Note that when using your own certificates in the bootstrap mode:

  • It is your responsibility to ensure they include the right parameters and are in the correct format. If your certificate is incorrect, Device Management Client will not be able to connect to Device Management, and you will receive the error MbedCloudClient::ConnectInvalidParameters.

    The mandatory parameters and their correct format are described on the Izuma Factory Provisioning site.

  • Device certificates should have an unlimited lifetime (or a very long lifetime, for example 30 years). This is because Device Management Client assumes it will always be able to securely access the bootstrap server, without worrying about expiring device bootstrap certificates.
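
A pre-provisioning check for the lifetime requirement above, using the openssl command line. This is an added example, not part of the Izuma documentation or tooling: the function names, the 25-year service-life threshold and the self-signed test certificates are assumptions for illustration. It checks only the expiry date, not the mandatory certificate parameters described on the Factory Provisioning site.

```shell
#!/bin/sh
# Flag device bootstrap certificates whose notAfter date falls inside the
# device's expected service life. Assumes openssl and a 64-bit time_t.

# cert_outlives_years PEM YEARS -> exit 0 if the certificate is still valid
# YEARS from now; non-zero if it expires sooner or cannot be parsed.
cert_outlives_years() {
    secs=$(( $2 * 365 * 24 * 3600 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1
}

# audit_cert_dir DIR YEARS -> prints one line per *.pem certificate and
# returns the number of certificates that expire within YEARS.
audit_cert_dir() {
    failed=0
    for pem in "$1"/*.pem; do
        [ -e "$pem" ] || continue
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
        if cert_outlives_years "$pem" "$2"; then
            echo "OK    $pem (notAfter: $end)"
        else
            echo "SHORT $pem (notAfter: ${end:-unreadable})"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# make_test_cert OUT DAYS -> constructed self-signed certificate for the demo
# only; real device certificates are issued by your own CA.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=constructed-test-device" -days "$2" -out "$1" 2>/dev/null
}

# Demo on constructed input: one 30-year and one 1-year certificate,
# audited against an assumed 25-year service life.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/long.pem" 10950
make_test_cert "$demo_dir/short.pem" 365
audit_cert_dir "$demo_dir" 25 || echo "certificates expiring too early: $?"
rm -rf "$demo_dir"
```

Run the audit over the certificates your CA issues before they are injected at the factory; a non-zero return means at least one device would lose access to the bootstrap server within the chosen period.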