OTA Connect Developer Guide

Set Up Device Provisioning

In this section, you’ll learn how provisioning in production is different from the provisioning method that you used to get started. You’ll also understand the major steps involved in provisioning devices for production.

Why is there a different provisioning method for production?

If you followed the Get Started Guide, you used a provisioning key that was shared by all devices. In this scenario, the OTA Connect server generates the device credentials for you. This method is fine if you’re just evaluating OTA Connect and want to get started quickly. If you want to do some serious testing and eventually move to production, you’ll probably want to switch to a more secure provisioning method.

Instead of having OTA Connect generate device certificates for you, you can use your own infrastructure to generate and sign device credentials. We call this method "provisioning with device credentials".

For a more detailed conceptual overview of the difference between the two types of provisioning, read our guide to device provisioning.

How to provision with device credentials

When you provision with device credentials, you install permanent credentials each device before the device connects to the OTA Connect server.

You would use the private key for your fleet to sign the device certificates and your fleet root certificate. You then register your fleet root certificate on the OTA Connect server.

Every time a device connects to the OTA Connect server, the server verifies that the device credentials are signed by a trusted source. It does this by comparing public key in the device certificate with the public key in your fleet root certificate. If they are both signed by the same private key, they should match and the device can be trusted. For a more detailed description of how device-credential provisioning works, see the provisioning methods overview.

To set up your environment for device credential provisioning, you need to perform the following major steps: