Register the root certificate for your fleet

- If you followed our recommendations, you should have separate environments for development, testing, and production.
- You might have already registered a self-signed root certificate with your test environment. However, regardless of the type of certificate that you use, you’ll need to register a new certificate with your production environment.

Generate, sign, and install production device certs

- Once you have your production Fleet Root CA, you can use it to sign device certificates. You can then automate the process of either generating the device certificates on your devices and getting them signed via PKCS#10 CSR, or of generating and signing the keys and certs externally, and then installing them into a secure place on each device.
- We can’t tell you exactly how to automate this process, but you can use the commands from our documentation as a guideline.

Rotate production keys

- In line with our security concept, we recommend that you sign the software version with secure, offline keys.
- Even if you’ve done this already in a test environment, you need to do it again with a credentials.zip file from your production environment.
- You should keep these keys on a secure storage medium such as a YubiKey. Only plug in your YubiKey when you need to sign metadata on your local computer.

Transfer disk images to your production repository

Create production-ready client configuration