OTA Connect Developer Guide

Generate a self-signed fleet root certificate

When you move to production, you’ll need to register your Fleet Root certificate with the OTA Connect server.

If you don’t yet have your own CA for signing device certificates, you can generate a self-signed certificate for testing.

To generate a self-signed fleet root certificate, follow these steps:
  1. Create a directory structure for your fleet. We will use this same basic directory structure in each of the sections of this guide.

    export fleet_name=myfleet
    mkdir ${fleet_name}
    mkdir ${fleet_name}/devices
  2. Create a file called fleet_root_ca.cnf inside your fleet directory to configure OpenSSL for generating your fleet root CA:

    cat <<EOF > ${fleet_name}/fleet_root_ca.cnf
    [req]
    prompt = no
    distinguished_name = dn
    x509_extensions = ext
    
    [dn]
    CN = \$ENV::fleet_name
    
    [ext]
    basicConstraints=CA:TRUE
    keyUsage = keyCertSign
    extendedKeyUsage = critical, serverAuth
    EOF

    All of the listed extensions in this config file are required. If your fleet root CA does not contain at least these three extensions, it will be rejected.
  3. Generate the key and cert using openssl on the command line.

    openssl ecparam -genkey -name prime256v1 | openssl ec -out "${fleet_name}/fleet_root_ca.key"
    openssl req -new -x509 -days 3650 -key "${fleet_name}/fleet_root_ca.key" -config \
      "${fleet_name}/fleet_root_ca.cnf" -out "${fleet_name}/fleet_root_ca.crt"

    These commands are designed for OpenSSL 1.1 or higher. If you are using an older version, or if you are using LibreSSL, they may not work. Note that the default openssl binary provided by macOS is LibreSSL; if you wish to try this process on a Mac, install OpenSSL from Homebrew and add it to your PATH.
  4. Send an email to otaconnect.support@here.com with your fleet_root_ca.crt file (but not fleet_root_ca.key!), and ask us to register it as a Fleet Root certificate on your OTA Connect account. Depending on your account usage we may require extra verification steps to validate the new CA.
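As an added example (not code from this guide or from the OTA Connect project), the following shell script wraps steps 1 to 3 in a function and then checks the resulting certificate for the three extensions step 2 says are required, plus that it is self-signed, so you can verify the file before sending it in step 4. It assumes an OpenSSL 1.1 or newer binary (not LibreSSL) on the PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the OTA Connect guide: reproduce steps 1-3 in a
# directory, then check the resulting certificate for the three extensions the
# guide says the server requires. Assumes OpenSSL 1.1+ (not LibreSSL) on PATH.

# make_fleet_root_ca DIR NAME: write DIR/fleet_root_ca.{cnf,key,crt} the way the
# guide does; the cnf reads the fleet name from the exported environment variable.
make_fleet_root_ca() {
  dir="$1"; fleet_name="$2"; export fleet_name
  mkdir -p "$dir/devices"
  cat <<EOF > "$dir/fleet_root_ca.cnf"
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext

[dn]
CN = \$ENV::fleet_name

[ext]
basicConstraints=CA:TRUE
keyUsage = keyCertSign
extendedKeyUsage = critical, serverAuth
EOF
  openssl ecparam -genkey -name prime256v1 | openssl ec -out "$dir/fleet_root_ca.key" 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/fleet_root_ca.key" \
    -config "$dir/fleet_root_ca.cnf" -out "$dir/fleet_root_ca.crt"
}

# check_fleet_root_ca CERT: return 0 if CERT is self-signed and carries
# basicConstraints CA:TRUE, keyUsage keyCertSign and extendedKeyUsage serverAuth;
# print each missing item and return 1 otherwise.
check_fleet_root_ca() {
  cert="$1"; status=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  # openssl prints the values on the line after each extension header
  has_ext() { printf '%s\n' "$text" | grep -A1 "$1" | grep -q "$2"; }
  has_ext 'X509v3 Basic Constraints' 'CA:TRUE' \
    || { echo "missing basicConstraints CA:TRUE"; status=1; }
  has_ext 'X509v3 Key Usage' 'Certificate Sign' \
    || { echo "missing keyUsage keyCertSign"; status=1; }
  has_ext 'X509v3 Extended Key Usage' 'TLS Web Server Authentication' \
    || { echo "missing extendedKeyUsage serverAuth"; status=1; }
  # a root certificate must be self-signed: issuer name equals subject name
  subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] || { echo "issuer differs from subject"; status=1; }
  return $status
}
```

Source the file and run `make_fleet_root_ca myfleet myfleet && check_fleet_root_ca myfleet/fleet_root_ca.crt`; a non-zero exit status means the certificate would be rejected as described in step 2.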