OTA Connect Developer Guide

Generate a self-signed fleet root certificate

When you move to production, you’ll need to register your Fleet Root certificate with OTA Connect server.

If you don’t yet have your own CA for signing device certificates, you can generate a self-signed certificate for testing.

To generate a self-signed fleet root certificate, follow these steps:
  1. Create a directory structure for your fleet. We will use this same basic directory structure in each of the sections of this guide.

    export fleet_name=myfleet
    mkdir ${fleet_name}
    mkdir ${fleet_name}/devices
  2. Create a file called fleet_root_ca.cnf inside your fleet directory to configure openSSL for generating your fleet root CA:

    cat <<EOF > ${fleet_name}/fleet_root_ca.cnf
    [req]
    prompt = no
    distinguished_name = dn
    x509_extensions = ext
    
    [dn]
    CN = \$ENV::fleet_name
    
    [ext]
    basicConstraints=CA:TRUE
    keyUsage = keyCertSign
    extendedKeyUsage = critical, serverAuth
    EOF
    All of the listed extensions in this config file are required. If your fleet root CA does not contain at least these three extensions, it will be rejected.
  3. Generate the key and cert using openssl on the command line.

    openssl ecparam -genkey -name prime256v1 | openssl ec -out "${fleet_name}/fleet_root_ca.key"
    openssl req -new -x509 -days 3650 -key "${fleet_name}/fleet_root_ca.key" -config \
      "${fleet_name}/fleet_root_ca.cnf" -out "${fleet_name}/fleet_root_ca.crt"
    This command string is designed for OpenSSL 1.1 or higher. If you use an older version or LibreSSL, it may not work.
  4. Send an email to otaconnect.support@here.com with your fleet_root_ca.crt file (but not fleet_root_ca.key!), and ask us register it as a Fleet Root certificate on your OTA Connect account. Depending on your account usage we may require extra verification steps to validate the new CA.