OTA Connect Developer Guide

Provisioning methods and credentials.zip

If you’re trying to work on integrating OTA Connect into your device build, it may be helpful to have a little bit of reference information on how the different provisioning methods work together, and exactly what components are inside credentials.zip.

credentials.zip file format

The following files are present in credentials.zip:

Filename in zip Purpose Used by

api_gateway.url

URL for gateway to Director

garage-sign

treehub.json

URL and OAuth2 authentication for treehub and Uptane repo

garage-sign, garage-push, garage-deploy

client.crt

Certificate for TLS client authentication

garage-push

client.key

Private key for TLS client authentication

garage-push

root.crt

Root CA for TLS client authentication

garage-push

autoprov_credentials.p12

TLS client credentials that are required when provisioning devices with shared credentials

aktualizr, aktualizr-cert-provider

autoprov.url

URL for provisioning server

aktualizr, aktualizr-cert-provider

root.json

Initial Uptane root.json (for secure bootstrapping)

garage-sign

targets.pub

Public key for offline Uptane image signing

garage-sign

targets.sec

Private key for offline Uptane image signing

garage-sign

tufrepo.url

URL to Uptane repository

garage-sign

As you can see, the relevant files for the device itself are autoprov_credentials.p12 and autoprov.url.

Configuration options for provisioning with device credentials

When provisioning with device credentials, OTA Connect needs to get various certificates and keys from somewhere. The following table summarizes what is needed, and where it comes from in the HSM.

Configuration option Where it will come from/what it does

Server URL

Read from credentials archive

Server Root CA cert

Read from credentials archive

Fleet Root CA cert

Chain of trust for a device fleet; provided by the user. Must be uploaded by user to the server.

Fleet Root CA private key

Key for signing device certs in the fleet; provided by user, but used only for signing. Not stored on device.

TLS device cert

Pre-installed in the device HSM; must be signed by Fleet Root CA private key

TLS device key

Pre-installed in the device HSM

Device ID

Read from Common Name field of TLS device cert

Uptane public/private key

Automatically generated by Aktualizr

Uptane primary serial number

Automatically generated by Aktualizr

Primary ECU Hardware ID

Automatically generated by Aktualizr

The "Fleet Root CA" is the one generated in step 1 of the use a Hardware Security Module to provision with device credentials. instructions.