Device credentials
To be able to connect to Device Management and use the Connect and Update functionalities, a device must have two sets of credentials:
- An identity certificate and a private key to securely connect to Device Management, either to bootstrap or directly to the LwM2M registration flow.
- A manifest verification certificate, so the device can confirm the validity of a firmware update manifest. See the manifests section for more information.
This section focuses on the device credentials (identity certificate and private key) used to connect to the bootstrap or LwM2M servers.
Which credentials your device uses, as well as how to get them, depends on:
- Do you want your device to use bootstrap flow or direct LwM2M registration?
- Do you need development or production credentials?
- Do you want to use your own certificate authority to generate the device credentials, or do you want to use the factory configurator utility (FCU)?
Bootstrap flow or direct LwM2M registration
As explained in the Device onboarding section, Device Management provides two ways to onboard a device:
- Using bootstrap (preferred option): The device can fall back to the bootstrap flow to renew its LwM2M credentials if they expire or become invalid.
- Using direct Device Management LwM2M server credentials (only available for commercial accounts): The device cannot fall back to bootstrap. There are also limitations on certificate renewing and connectivity maintenance.
The two options support different scenarios:
| Flow | Development | Production | Own CA | FCU CA |
|---|---|---|---|---|
| Bootstrap | [x] | [x] | [x] | [x] |
| Direct LwM2M | [x] | [x] | [x] |
Development or production credentials
When provisioning devices for Device Management, Device Management supports two kinds of credentials:
-
Developer mode: Based on a developer certificate, which can support up to 100 devices. With this option, you don't need to go through a full factory process every time you want to test your devices. See Provisioning devices for more information.
-
Production credentials: You must use a full factory flow to provide your devices with proper production credentials. See Provisioning devices for more information.
The two options support different scenarios:
| Credentials | Bootstrap | Direct LwM2M | Own CA | FCU CA |
|---|---|---|---|---|
| Development credentials | [x] | |||
| Production credentials | [x] | [x] | [x] | [x] |
Own certificate authority or FCU CA for device credential generation
When your devices connect to Device Management, they use a certificate to prove they are linked to your Pelion account. A certificate authority (CA) generates that certificate. Device Management offers a CA (as part of FCU) but also supports using an existing (third party) CA. See Setting up your own certificate authority for more details.
The two options support different scenarios:
| CA | Bootstrap | Direct LwM2M | Development | Production |
|---|---|---|---|---|
| Own certificate authority | [x] | [x] | [x] | |
| FCU as certificate authority | [x] | [x] | [x] |
Note that when using your own certificates in the bootstrap mode:
-
It is your responsibility to ensure they include the right parameters and are in the correct format. If your certificate is incorrect, Device Management Client will not be able to connect to Device Management, and you will receive the error
MbedCloudClient::ConnectInvalidParameters.The mandatory parameters and their correct format are described in the Provisioning section.
-
Device certificates should have an unlimited lifetime (or a very long lifetime, for example 30 years). This is because Device Management Client assumes it will always be able to securely access the bootstrap server, without worrying about expiring device bootstrap certificates.