
Properties for manually generated keys and certificates

If you use your own CA, it is your responsibility to ensure that all device keys and certificates are in the appropriate format and contain correct information.

Note: To avoid errors, we recommend that you always use FCU to generate keys and certificates. You can use FCU as your CA without using it in other parts of the provisioning process.

This section explains the required properties of each key and certificate type:

  • Bootstrap device key and certificate.
  • LwM2M device key and certificate.

Warning: We've provided OpenSSL commands for reference only. You should adapt them to your own production setup and security requirements.

Bootstrap device key and certificate

Factory assigned device credentials (private key and certificate) that the device uses to authenticate to the bootstrap service, as required by the LwM2M 1.0 standard.

Property                       | Value                                                                   | Note
-------------------------------|-------------------------------------------------------------------------|-----------------------------------------------------------------------
Format                         | X.509                                                                   |
Encoding format                | DER or PEM                                                              | To support using KCM to store the key and certificate on the device.
Self signed                    | No                                                                      | The certificate must be signed, not self-signed.
Cipher and signature algorithm | Cipher: NIST P-256 (secp256r1). Signature algorithm: ecdsa-with-SHA256. |
Valid from                     | Later than the Factory CA valid-from and earlier than current time.     |
Expiration time                | More than 10 years.                                                     |

Notes

  • The Common Name (CN) field of the certificate is the individual device's endpoint name (which is the device's unique identifier). It is provided in the endpoint-name parameter of the inject command, as explained in the Provisioning information section.
  • For certificate chains, only the PEM format is supported.
  • When using a certificate chain, the length of the chain stored on the device depends on the device-certificate-chain-depth configuration parameter.
  • If FCU generates or signs the certificate, the certificate chain is derived from the FCU certificate chain.

Examples

You can use OpenSSL to create a key and certificate as follows:

# Create private key -
openssl ecparam -out BootstrapDevicePrivateKey.pem -name prime256v1 -genkey
# Convert private key to DER format -
openssl ec -in BootstrapDevicePrivateKey.pem -out BootstrapDevicePrivateKey.der -outform der
# Create a certificate signing request for the private key (CN is the device endpoint name) -
openssl req -key BootstrapDevicePrivateKey.pem -new -sha256 -out BootstrapDeviceCsr.pem \
    -subj /CN=device_endpoint_name
# Sign the certificate signing request with the CA key and certificate (DER output, 10 years) -
openssl x509 -req -in BootstrapDeviceCsr.pem -sha256 -out BootstrapDeviceCert.der \
    -outform der -CA CA_cert.pem -CAkey CA_private.pem -CAcreateserial -days 3650

You can use OpenSSL to create a key and certificate chain as follows:

# Create configuration for adding CA extensions -
cat > ca_config.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ ext ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, cRLSign
[ dn ]
EOF

# Create private keys -
openssl ecparam -out root_key.pem -name prime256v1 -genkey
openssl ecparam -out intermediate_key.pem -name prime256v1 -genkey
openssl ecparam -out BootstrapDevicePrivateKey.pem -name prime256v1 -genkey

# Create root self-signed certificate -
(cat ca_config.cnf; echo 'CN = ROOT_CA') > root.cnf
openssl req -key root_key.pem -new -x509 -days 7300 -sha256 -out root_cert.pem \
    -config root.cnf -extensions ext

# Create intermediate certificate (signed by the root, with the CA extensions) -
(cat ca_config.cnf; echo 'CN = INT_CA') > int.cnf
openssl req -new -sha256 -key intermediate_key.pem -out intermediate_csr.pem -config int.cnf
openssl x509 -sha256 -req -in intermediate_csr.pem -out intermediate_cert.pem \
    -CA root_cert.pem -CAkey root_key.pem -days 7300 \
    -extfile ca_config.cnf -extensions ext -CAcreateserial
cat intermediate_cert.pem root_cert.pem > intermediate_chain.pem

# Create the device certificate:
# Create a certificate signing request for the private key (CN is the device endpoint name) -
cat > device.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = device_endpoint_name
EOF
openssl req -key BootstrapDevicePrivateKey.pem -new -sha256 -out device_csr.pem -config device.cnf
# Sign the certificate signing request with the intermediate key and certificate.
# No CA extensions here: the device certificate is an end-entity certificate -
openssl x509 -sha256 -req -in device_csr.pem -out device_cert.pem \
    -CA intermediate_cert.pem -CAkey intermediate_key.pem -days 7300 -CAcreateserial
# Verify the chain (-CApath no-such-dir keeps the system CA store out of the check) -
openssl verify -verbose -CApath no-such-dir -CAfile intermediate_chain.pem device_cert.pem
# Create the device certificate with chain (PEM, because chains are supported only in PEM) -
cat device_cert.pem intermediate_chain.pem > BootstrapDeviceCert.pem

LwM2M device key and certificate

Factory assigned device credentials (private key and certificate) that the device uses to authenticate to the LwM2M management service, as required by the LwM2M 1.0 standard.

Property                       | Value                                                                   | Note
-------------------------------|-------------------------------------------------------------------------|-----------------------------------------------------------------------
Format                         | X.509                                                                   |
Encoding format                | DER or PEM                                                              | To support using KCM to store the key and certificate on the device.
Self signed                    | No                                                                      | The certificate must be signed, not self-signed.
Cipher and signature algorithm | Cipher: NIST P-256 (secp256r1). Signature algorithm: ecdsa-with-SHA256. |
Valid from                     | Later than the Factory CA valid-from and earlier than current time.     |
Expiration time                | More than 10 years.                                                     |

Notes

  • The Common Name (CN) field of the certificate is the individual device's endpoint name (which is the device's unique identifier). It is provided in the endpoint-name parameter of the inject command, as explained in the Provisioning information section.
  • Organizational Unit (OU): Matches the account ID related to the device (provided as part of the lwm2m-server-uri in the FCU configuration).
  • For certificate chains, only the PEM format is supported.
  • When using a certificate chain, the length of the chain stored on the device depends on the device-certificate-chain-depth configuration parameter.
  • If FCU generates or signs the certificate, the certificate chain is derived from the FCU certificate chain.
  • You can use OpenSSL to create a key and certificate as shown in the bootstrap example above, with the appropriate parameter changes (for example, adding the OU to the subject).
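To check that a manually generated bootstrap or LwM2M device certificate meets the properties in both tables above, here is an added example script (not part of the original page or of FCU). It assumes the openssl CLI and GNU date (date -d) are available; the optional fourth argument is the account ID expected in the OU of an LwM2M device certificate.

```shell
#!/bin/sh
# Added example, not part of the original page: checks a manually generated
# bootstrap or LwM2M device certificate against the property tables above.
# Assumes the openssl CLI and GNU date (date -d) are available.
# Usage: check_device_cert DEVICE_CERT.pem FACTORY_CA_CERT.pem ENDPOINT_NAME [ACCOUNT_ID]

to_epoch() { date -u -d "$1" +%s; }            # GNU date assumed

# RFC2253 form of the subject or issuer ("CN=...,OU=...") without the "subject=" prefix.
name_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"; }

check_device_cert() {
    cert=$1; ca=$2; endpoint=$3; account=$4
    text=$(openssl x509 -in "$cert" -noout -text) \
        || { echo "FAIL: $cert is not a readable X.509 certificate"; return 1; }

    # Cipher and signature algorithm: NIST P-256 key, ecdsa-with-SHA256 signature.
    printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1' \
        || { echo "FAIL: key is not NIST P-256 (secp256r1)"; return 1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA256' \
        || { echo "FAIL: signature algorithm is not ecdsa-with-SHA256"; return 1; }

    # Self signed: No. Issuer must differ from subject and the cert must chain to the CA.
    [ "$(name_of subject "$cert")" != "$(name_of issuer "$cert")" ] \
        || { echo "FAIL: certificate is self-signed"; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not chain to $ca"; return 1; }

    # CN must be the endpoint name; for LwM2M certificates OU must be the account ID.
    name_of subject "$cert" | grep -q -E "(^|,)CN=$endpoint(,|\$)" \
        || { echo "FAIL: CN is not the endpoint name '$endpoint'"; return 1; }
    if [ -n "$account" ]; then
        name_of subject "$cert" | grep -q -E "(^|,)OU=$account(,|\$)" \
            || { echo "FAIL: OU is not the account ID '$account'"; return 1; }
    fi

    # Valid from: not earlier than the factory CA valid-from and not in the future.
    # Expiration: at least 10 years (3650 days, as in the -days 3650 example) after valid-from.
    nb=$(to_epoch "$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')")
    na=$(to_epoch "$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')")
    ca_nb=$(to_epoch "$(openssl x509 -in "$ca" -noout -startdate | sed 's/^notBefore=//')")
    now=$(date -u +%s)
    [ "$nb" -ge "$ca_nb" ] || { echo "FAIL: valid-from precedes the factory CA valid-from"; return 1; }
    [ "$nb" -le "$now" ] || { echo "FAIL: valid-from is in the future"; return 1; }
    [ $((na - nb)) -ge $((3650 * 86400)) ] \
        || { echo "FAIL: validity period is shorter than 10 years"; return 1; }
    echo "OK: $cert satisfies the device certificate properties"
}
```

Run it on the PEM device certificate and the factory CA certificate; the first failing property is printed and the exit status is non-zero.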