OTA Connect Developer Guide

Provisioning methods and credentials.zip

If you’re trying to work on integrating OTA Connect into your device build, it may be helpful to have a little bit of reference information on how the different provisioning methods work together, and exactly what components are inside credentials.zip.

credentials.zip file format

The following files are present in credentials.zip:

| Filename in zip | Purpose | Used by |
|---|---|---|
| | URL for gateway to Director | |
| | URL and OAuth2 authentication for treehub and Uptane repo | garage-sign, garage-push, garage-deploy |
| | TLS client credentials for authentication with treehub | garage-push, garage-deploy |
| | TLS client credentials that are required when provisioning devices with shared credentials | aktualizr, aktualizr-cert-provider |
| | URL for provisioning server | aktualizr, aktualizr-cert-provider |
| | Initial Uptane root.json (for secure bootstrapping) | |
| | Public key for offline Uptane image signing | |
| | Private key for offline Uptane image signing | |
| | URL to Uptane repository | |

As you can see, the relevant files for the device itself are autoprov_credentials.p12 and autoprov.url.
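Because credentials.zip also carries the private key for offline Uptane image signing, a device build should copy out only those two files rather than unpack the whole archive. The following is an added example, not code from the OTA Connect project: the function names, the sample archive and its placeholder member name are constructed, and the check that autoprov.url holds an https URL is an assumption.

```python
import io
import zipfile
from pathlib import Path
from urllib.parse import urlparse

# The two members the page identifies as relevant to the device itself.
DEVICE_FILES = ("autoprov_credentials.p12", "autoprov.url")


def extract_device_files(archive, dest_dir):
    """Copy only the device-side members into dest_dir.

    Returns (written_paths, skipped_names); raises ValueError on a missing
    member or (assumption) a provisioning URL that is not https.
    """
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
        missing = [n for n in DEVICE_FILES if n not in names]
        if missing:
            raise ValueError(f"credentials.zip lacks: {', '.join(missing)}")
        url = zf.read("autoprov.url").decode("utf-8").strip()
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError(f"unexpected provisioning URL: {url!r}")
        written = []
        for name in DEVICE_FILES:
            # Exact-name lookup of top-level members only: an entry such as
            # "../autoprov.url" never matches and is never written.
            target = dest / name
            target.write_bytes(zf.read(name))
            target.chmod(0o600)  # client credentials: owner-only
            written.append(target)
        # Everything else (signing keys, OAuth2 data) stays in the archive.
        skipped = sorted(n for n in names if n not in DEVICE_FILES)
    return written, skipped


def build_sample_archive():
    """Constructed stand-in for credentials.zip; all contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("autoprov_credentials.p12", b"dummy-pkcs12")
        zf.writestr("autoprov.url", "https://provisioning.example.invalid:443\n")
        zf.writestr("placeholder-offline-signing-key", b"dummy-private-key")
    buf.seek(0)
    return buf
```

The returned list of skipped names can be logged by the build so that a review shows which archive members were deliberately left off the device image.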

Configuration options for provisioning with device credentials

When provisioning with device credentials, OTA Connect needs to get various certificates and keys from somewhere. The following table summarizes what is needed, and where it comes from in the HSM.

| Configuration option | Where it will come from/what it does |
|---|---|
| Server URL | Read from credentials archive |
| Server Root CA cert | Read from credentials archive |
| Fleet Root CA cert | Chain of trust for a device fleet; provided by the user. Must be uploaded by user to the server. |
| Fleet Root CA private key | Key for signing device certs in the fleet; provided by user, but used only for signing. Not stored on device. |
| TLS device cert | Pre-installed in the device HSM; must be signed by Fleet Root CA private key |
| TLS device key | Pre-installed in the device HSM |
| Device ID | Read from Common Name field of TLS device cert |
| Uptane public/private key | Automatically generated by Aktualizr |
| Uptane primary serial number | Automatically generated by Aktualizr |
| Primary ECU Hardware ID | Automatically generated by Aktualizr |

The "Fleet Root CA" is the one generated in step 1 of the "Use a Hardware Security Module to provision with device credentials" instructions.