Set Up Device Provisioning
In this section, you’ll learn how provisioning in production is different from the provisioning method that you used to get started. You’ll also understand the major steps involved in provisioning devices for production.
If you followed the Get Started Guide, you used a provisioning key that was shared by all devices. In this scenario, the OTA Connect server generates the device credentials for you. This method is fine if you’re just evaluating OTA Connect and want to get started quickly. If you want to do some serious testing and eventually move to production, you’ll need a switch to a more secure provisioning method.
In this case, you shouldn’t use the OTA Connect server to generate your device credentials. If you generate and validate credentials with the same server, you’re taking a big risk. Generation and validation should always be done by separate entities. Otherwise, if an attacker were able to infiltrate the OTA Connect server, they would be able to provision their own devices.
Instead, you should use your own infrastructure to generate device credentials outside of OTA Connect. We call this method "provisioning with device credentials".
When you provision with device credentials, you install permanent credentials each device before the device connects to the OTA Connect server.
You would use the private key for your fleet to sign the device certificates and your fleet root certificate. You then register your fleet root certificate on the OTA Connect server.
Every time a device connects to the OTA Connect server, the server verifies that the device credentials are signed by a trusted source. It does this by comparing public key in the device certificate with the public key in your fleet root certificate. If they are both signed by the same private key, they should match and the device can be trusted. For a more detailed description of how device-credential provisioning works, see the provisioning methods overview.
To set up your environment for device credential provisioning, you need to perform the following major steps:
We’ll need to register this certificate for your account so that OTA Connect can validate your device certificates.
The installation process happens outside of OTA Connect but we can give you some pointers on how to set up this process.
We show you how to do this with or without an HSM.