If you’re integrating HERE OTA Connect into your device build, it may help to have some reference information on how the different provisioning methods work together, and on what exactly the magic sauce inside credentials.zip is.

credentials.zip file format

First, a table:

| Filename in zip | Purpose | Used by |
|---|---|---|
| | Location and authentications for treehub and Uptane repo | garage-sign, garage-push |
| | Certificate for TLS client authentication | |
| | Private key for TLS client authentication | |
| | Root CA for TLS client authentication | |
| | TLS client credentials for automatic device provisioning | aktualizr, aktualizr-cert-provider |
| | URL for automatic provisioning server | aktualizr, aktualizr-cert-provider |
| | Initial Uptane root.json (for secure bootstrapping) | |
| | Public key for offline Uptane image signing | |
| | Private key for offline Uptane image signing | |
| | URL to Uptane repository | |

As you can see, the relevant files for the device itself are autoprov_credentials.p12 and autoprov.url.
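The following Python is an added example, not code from this page or from the OTA Connect tools: it splits a credentials.zip into the two members the device needs and everything else, which stays on the build host. The placeholder member names in the sample archive, the sample URL, and the https-only check are assumptions made for illustration.

```python
import io
import zipfile
from urllib.parse import urlparse

# The two members the page names as relevant to the device itself.
DEVICE_FILES = ("autoprov_credentials.p12", "autoprov.url")

def split_device_credentials(zip_bytes):
    """Return (device_files, withheld_names) for a credentials.zip given as bytes.

    device_files maps each device-relevant member name to its content;
    withheld_names lists every other member, which stays on the build host.
    Names must match exactly, so an entry such as "../autoprov.url" is withheld.
    """
    device_files, withheld = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.filename in DEVICE_FILES:
                device_files[info.filename] = archive.read(info)
            else:
                withheld.append(info.filename)
    missing = [name for name in DEVICE_FILES if name not in device_files]
    if missing:
        raise ValueError("credentials.zip lacks: " + ", ".join(missing))
    return device_files, sorted(withheld)

def provisioning_url(device_files):
    """Parse autoprov.url; requiring https with a host is an assumption of this example."""
    url = device_files["autoprov.url"].decode("utf-8").strip()
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("autoprov.url is not an https URL: %r" % url)
    return url

def build_sample_zip():
    """Constructed sample archive; names other than DEVICE_FILES are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("autoprov_credentials.p12", b"constructed-pkcs12-bytes")
        archive.writestr("autoprov.url", "https://provisioning.example.invalid:443\n")
        archive.writestr("placeholder-offline-signing.key", b"constructed-secret")
        archive.writestr("placeholder-repo-auth.json", b"{}")
    return buf.getvalue()

if __name__ == "__main__":
    files, withheld = split_device_credentials(build_sample_zip())
    print("for device image:", sorted(files))
    print("keep off device: ", withheld)
    print("provisioning URL:", provisioning_url(files))
```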

When you turn on implicit provisioning via HSM, the implicit_writer function in meta-updater takes over. The initial credentials on the device won’t be valid; this is why you need to copy in the generated ones after booting it.

Implicit provisioning required configuration options

More generally, implicit provisioning needs to get various certificates and keys from somewhere. This table summarizes what is needed, and where it comes from in the HSM implicit provisioning case.

| Configuration option | Where it will come from/what it does |
|---|---|
| Server URL | Read from credentials archive |
| Server Root CA cert | Read from credentials archive |
| Fleet Root CA cert | Chain of trust for a device fleet; provided by the user. Must be uploaded by user to the server. |
| Fleet Root CA private key | Key for signing device certs in the fleet; provided by user, but used only for signing. Not stored on device. |
| TLS device cert | Pre-installed in the device HSM; must be signed by Fleet Root CA private key |
| TLS device key | Pre-installed in the device HSM |
| Device ID | Read from Common Name field of TLS device cert |
| Uptane public/private key | Automatically generated by Aktualizr |
| Uptane primary serial number | Automatically generated by Aktualizr |
| Primary ECU Hardware ID | Automatically generated by Aktualizr |

The "Fleet Root CA" is the one generated in step 1 of the implicit provisioning via HSM instructions.