In OTA Connect, the provisioning process ensures that the device has a certificate and a unique identifier. After a device has been provisioned, it can receive software updates. OTA Connect supports two types of provisioning:

  • Provisioning with shared credentials

    Devices use temporary provisioning credentials to request permanent credentials from the server. You download the temporary provisioning credentials from the OTA Connect web app and install them on a device. Once the device registers with the server for the first time, the server assigns permanent credentials to the device. The device then uses these permanent credentials for all future transactions.

  • Provisioning with device credentials

    Devices already have permanent credentials installed. The server doesn’t issue any credentials to devices. Instead, you use a root CA certificate to sign the credentials that you install on the device. You then install the same root CA certificate on the OTA Connect server. Every time the device attempts to connect, the server verifies that the device credentials are signed by the same CA that you originally installed on the server.

Choosing a provisioning method

The type of provisioning that you choose depends on your requirements. If you’re just testing and want to get started quickly, provisioning with shared credentials is fine. It is easier to set up but is less secure. Because server self-signs the credentials that it issues to devices, the devices have no way of verifying the integrity of the server. This level of security is not suitable for a production environment. The device should always be able to verify that is communicating with a genuine OTA Connect server. Once you move to production, you should look at some form of provisioning that uses device certificates. For more security, use a Hardware Security Module (HSM) to store the device certificates.

Configure a device to provision with shared credentials

To configure a device to provision with shared credentials, follow these steps:

  1. Download a provisioning key.

  2. Edit the following .toml configuration file:

  3. Update the configuration file with the path to the zip file that you saved in the first step and start Aktualizr on the device.

    • When aktualizr starts, it uses the provisioning key to register with the device gateway HTTPS API.

    • The server registers the new device and returns a PKCS#12 archive containing the real credentials for the device. This archive contains the root CA certificate and client certificate.

    • The device unpacks the archive into the paths that are specified in the [storage] section of the config.

    • The device uses this private key and certificate for all further communication with the server.

Configure a device to provision with device credentials

To configure a device to provision with device credentials, you need a root CA certificate obtained from a trusted certificate authority.