OTA Connect Developer Guide

Device Certificate Generation

Once you have your final Fleet Root CA, you can use it to sign device certificates. You can then automate the process of installing device certificates, or generate the keys and certificate on the device and sign the cert via PKCS#10 CSR.

We can’t tell you exactly how to automate this process, but heres a recap of the steps involved.

To generate a device certificate, follow these steps

  1. Generate a UUID for the device, and make a directory for it:

export SERVER_NAME=myservername
export DEVICES_DIR="./${SERVER_NAME}/devices" CWD="${PWD}"
export DEVICE_UUID=$(uuidgen | tr "[:upper:]" "[:lower:]")
export device_id=${DEVICE_ID:-${DEVICE_UUID}} device_dir="${DEVICES_DIR}/${DEVICE_UUID}"
mkdir -p "${device_dir}"



You might want to update the line export DEVICE_UUID= and update it to reflect your own schema for generating device IDs. Currently this command generates a random ID.

  1. Generate a device certificate and public key, and sign it using your Fleet Root CA.

    As a reference, here is the command to generate and sign a device certificate with a self-signed root certificate.

      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${device_dir}/pkey.ec.pem"
      openssl pkcs8 -topk8 -nocrypt -in "${device_dir}/pkey.ec.pem" -out "${device_dir}/pkey.pem"
      openssl req -new -config "${CWD}/certs/client.cnf" -key "${device_dir}/pkey.pem" -out "${device_dir}/${device_id}.csr"
      openssl x509 -req -days 365 -extfile "${CWD}/certs/client.ext" -in "${device_dir}/${device_id}.csr" \
        -CAkey "${DEVICES_DIR}/ca.key" -CA "${DEVICES_DIR}/ca.crt" -CAcreateserial -out "${device_dir}/client.pem"
      cat "${device_dir}/client.pem" "${DEVICES_DIR}/ca.crt" > "${device_dir}/${device_id}.chain.pem"
      ln -s "${SERVER_DIR}/server_ca.pem" "${device_dir}/ca.pem" || true
      openssl x509 -in "${device_dir}/client.pem" -text -noout
  2. Find out the address of the device gateway for your OTA Connect Account

    You can get this address from the credentials.zip that you download from the OTA Connect Portal.

    You need this address to get the internal root CA certificate of the device gateway. This certificate is also necessary to provision devices.

    1. If you haven’t done so already, download a provisioning key.

    2. Extract the contents of the credentials.zip file to a local folder.

    3. In that folder, look for the file autoprov and open it with a text editor.

      You should see a URL that resembles the following example:


    4. Make a note of this URL.

  3. Get the device gateway’s root certificate with the following openssl command:

    export device_gateway=<your-gateway-url>
    openssl s_client -connect ${device_gateway}:8000 -servername $device_gateway -showcerts | \
      sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${device_dir}/root.crt

    Replace, the placeholder <your-gateway-url> with URL that you noted in the previous step.

  4. Make a note where the actual ${device_dir} is on your computer.

    You can quickly get it with the command echo ${device_dir}. Your device directory should resemble the following example:


  5. Once have noted your device directory, you can install the device certificate on the device.