Device provisioning - JITP and JITR

dmh24 wrote on September 13, 2019:

Hi, I have a question around device provisioning after struggling with JITP a little bit.

We have an older programmatic-style setup already, which relies on the createThing + createCertificateFromCsr Java calls to get a locally generated certificate signed and registered on the AWS side. I do not see any equivalent functionality in the FreeRTOS C SDK, right? This means only JITP, or at least using a CA on the device, is supported?

Additionally, the JITP code has changed a few times since I started implementing it, so I just want to make sure this is the direction it's going:

1 - CA must be baked into flash/loaded from somewhere
2 - create certificates locally if not present
3 - first connect sends CA + local certs for JITP
4 - certs are saved once the provisioning flow is done and the device is registered?

Thanks for any further details!

DanG-AWS wrote on September 19, 2019:

Hello. Regarding createThing and createCertificateFromCsr, that is a supported mechanism for obtaining AWS IoT client certificates for Amazon FreeRTOS. However, those are considered to be “control plane” operations, and authenticated by some type of deployment administrator login, and therefore not something that would typically be executed on a microcontroller based device. Those APIs have been added to our Java SDK, but not to our Embedded C SDK, for that reason.

Technically, you could use the above for lab testing on an Amazon FreeRTOS device by generating a keyset on your PC (e.g. using openssl), completing the steps above, and then importing that keyset and the issued certificate onto your device.

Regarding your other points:

1/ Yes.

2/ Yes. Please also see https://github.com/aws/amazon-freertos/blob/master/demos/dev_mode_key_provisioning/README.md.

3/ Yes: the AWS IoT gateway needs the client certificate as well as the issuing CA certificate during the first connection attempt in the JITR scenario in order to route the request correctly. However, once JITR has completed and the device certificate is activated, the device no longer needs to send the CA certificate during MQTT broker connection attempts.

4/ Yes, per #3, above.
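The lab-testing flow DanG-AWS describes (generate the key set on a PC with openssl, run the control-plane createThing / createCertificateFromCsr calls, then import the key and issued certificate onto the device), written out as an added example. This is not code from the thread, from AWS or from the Amazon FreeRTOS repo; it uses the AWS CLI in place of the Java SDK, and the thing name, policy name and output directory are assumptions you would replace. The control-plane calls need administrator credentials on the PC, exactly as the answer notes, so they are only run when the script is invoked with `--provision`. The last function covers the JITR point in 3/: on the first connection the device presents its client certificate followed by the issuing CA certificate; after activation it presents the client certificate alone. Certificates signed through createCertificateFromCsr are issued and registered by AWS IoT directly, so that flow never needs the CA chain at all.

```shell
#!/usr/bin/env bash
# Added example for the thread above, not AWS code. Lab-only provisioning:
# the device key pair and CSR are generated on the PC, AWS IoT signs the CSR
# via the control plane, and the resulting files are imported onto the device.
set -euo pipefail

# Assumed names (not from the thread); override via the environment.
THING_NAME="${THING_NAME:-lab-afr-device-001}"
POLICY_NAME="${POLICY_NAME:-lab-afr-device-policy}"
OUT_DIR="${OUT_DIR:-./device-creds}"

# Step 1 (PC): generate the key pair and a CSR. The private key never goes
# anywhere except, later, onto the device. P-256 keeps the key small for a
# microcontroller; RSA-2048 is also accepted by AWS IoT.
gen_device_keypair_csr() {
    local dir="$1" name="$2"
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
    chmod 600 "$dir/device.key"
    openssl req -new -key "$dir/device.key" -subj "/CN=$name" -out "$dir/device.csr"
    # Fail early if the CSR is malformed or not signed by the key above.
    openssl req -in "$dir/device.csr" -noout -verify >/dev/null
}

# Step 2 (control plane, administrator credentials required): the CLI
# equivalent of createThing + createCertificateFromCsr, plus the policy and
# Thing attachments the certificate needs before the device can connect.
# Prints the certificate ARN.
provision_via_csr() {
    local dir="$1" thing="$2" policy="$3"
    aws iot create-thing --thing-name "$thing" >/dev/null
    local cert_arn
    cert_arn=$(aws iot create-certificate-from-csr \
        --certificate-signing-request "file://$dir/device.csr" \
        --set-as-active \
        --certificate-pem-outfile "$dir/device.crt" \
        --query certificateArn --output text)
    aws iot attach-policy --policy-name "$policy" --target "$cert_arn"
    aws iot attach-thing-principal --thing-name "$thing" --principal "$cert_arn"
    printf '%s\n' "$cert_arn"
}

# JITR only (not needed for CSR-issued certificates): the chain presented on
# the first TLS connection is the client certificate first, then the issuing
# CA certificate, so the gateway can match the CA registered in the account.
# After activation the device should present device.crt on its own.
build_first_connect_chain() {
    local device_crt="$1" ca_crt="$2" out="$3"
    cat "$device_crt" "$ca_crt" > "$out"
}

if [ "${1:-}" = "--provision" ]; then
    gen_device_keypair_csr "$OUT_DIR" "$THING_NAME"
    provision_via_csr "$OUT_DIR" "$THING_NAME" "$POLICY_NAME"
    echo "Import $OUT_DIR/device.key and $OUT_DIR/device.crt onto the device."
fi
```

Run it as `./provision.sh --provision` with administrator credentials configured for the AWS CLI; without the flag it only defines the functions, which is how the openssl part can be exercised on its own. Keep `device.key` off shared storage, and treat the Thing and certificate created this way as lab artifacts to be deleted when the test is over.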