OTA Connect Developer Guide

Deployment Checklist

OTA Connect is designed to integrate easily into development workflows: you build your image, push it, set auto-updates for some of your test-bench devices, and so on. But once you’re ready to move from testing into production, you will likely want to do a few things differently.

Here is a checklist for all the tasks you should consider when moving to production:

Task Summary Documentation

Register the root certificate for your fleet

  • If you followed our recommendations, you should have accounts for development, testing and production.

    • If you also followed our recommendation to use device-credential povisioning, you need to register your fleet root certificate with your production account

  • You might have already registered a self-signed root certificate with your test account.

    However, regardless of the type of certficate that you use, you’ll need to register a new certificate with your production account.

Generate and install final device certs

  • Once you have your final fleet root certificate, you can use it to generate and sign device certificates.

    You can then automate the process of installing device certificates on your devices.

  • We can’t tell you exactly how to automate this process, but you can use the commands from our documentation as a guideline.

Rotate production keys

  • In line with our security concept, We recommend that you sign disk images with secure, offline keys.

  • Even if you’ve done this already for with a test account, you need to do it again with a credentials.zip from your production account.

  • You should keep these keys on a secure storage medium such as a YubiKey. You would only plug in your YubiKey when you need to sign metadata on your local computer.

Transfer disk images to your production repository

  • When you’re ready to deploy your software to production, you’ll need to move all approved disk images from the software repository in your testing account to the one in your production account.

Create production-ready client configuration

  • You’ll need to update the configuration for aktualizr or libaktualizr.

    Settings that are convenient for testing, such as small polling invervals, are not suitable for production and should be changed.