Device Certificate Generation
Once you have your final Fleet Root CA, you can use it to sign device certificates. You can then automate the process of installing device certificates, or generate the keys and certificate on the device and sign the cert via PKCS#10 CSR.
We can’t tell you exactly how to automate this process, but heres a recap of the steps involved.
To generate a device certificate, follow these steps
-
Generate a UUID for the device, and make a directory for it:
tag::createdevicedir[]
export SERVER_NAME=myservername export DEVICES_DIR="./${SERVER_NAME}/devices" CWD="${PWD}" export DEVICE_UUID=$(uuidgen | tr "[:upper:]" "[:lower:]") export device_id=${DEVICE_ID:-${DEVICE_UUID}} device_dir="${DEVICES_DIR}/${DEVICE_UUID}" mkdir -p "${device_dir}"
end::createdevicedir[]
+
You might want to update the line |
-
Generate a device certificate and public key, and sign it using your Fleet Root CA.
As a reference, here is the command to generate and sign a device certificate with a self-signed root certificate.
openssl ecparam -genkey -name prime256v1 | openssl ec -out "${device_dir}/pkey.ec.pem" openssl pkcs8 -topk8 -nocrypt -in "${device_dir}/pkey.ec.pem" -out "${device_dir}/pkey.pem" openssl req -new -config "${CWD}/certs/client.cnf" -key "${device_dir}/pkey.pem" -out "${device_dir}/${device_id}.csr" openssl x509 -req -days 365 -extfile "${CWD}/certs/client.ext" -in "${device_dir}/${device_id}.csr" \ -CAkey "${DEVICES_DIR}/ca.key" -CA "${DEVICES_DIR}/ca.crt" -CAcreateserial -out "${device_dir}/client.pem" cat "${device_dir}/client.pem" "${DEVICES_DIR}/ca.crt" > "${device_dir}/${device_id}.chain.pem" ln -s "${SERVER_DIR}/server_ca.pem" "${device_dir}/ca.pem" || true openssl x509 -in "${device_dir}/client.pem" -text -noout
-
Find out the address of the device gateway for your OTA Connect Account
You can get this address from the
credentials.zip
that you download from the OTA Connect Portal.You need this address to get the internal root CA certificate of the device gateway. This certificate is also necessary to provision devices.
-
If you haven’t done so already, download a provisioning key.
-
Extract the contents of the
credentials.zip
file to a local folder. -
In that folder, look for the file
autoprov
and open it with a text editor.You should see a URL that resembles the following example:
https://946f68b8-13d2-4647-b335-5a48777b5657.tcpgw.prod01.advancedtelematic.com:443
-
Make a note of this URL.
-
-
Get the device gateway’s root certificate with the following openssl command:
export device_gateway=<your-gateway-url> openssl s_client -connect ${device_gateway}:8000 -servername $device_gateway -showcerts | \ sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${device_dir}/root.crt
Replace, the placeholder
<your-gateway-url>
with URL that you noted in the previous step. -
Make a note where the actual
${device_dir}
is on your computer.You can quickly get it with the command
echo ${device_dir}
. Your device directory should resemble the following example:myservername/devices/4e7cdc4f-b7dc-4fb0-900f-a237ba3e804c/
-
Once have noted your device directory, you can install the device certificate on the device.