What is the best way to send certificates and private keys to a device?

I have an ESP32 device, and I read device-manufacturing-provisioning.pdf, but even so I have doubts about how I can send the private keys and certificates needed to connect to AWS over MQTT.

I can send them via BLE, using the mobile SDK in the iOS app demo, but I don't know if it is the best way, because my device needs only this to run; this device comes from the factory and will not be able to be rebuilt anymore.

My certificates and private keys are generated by AWS; I get them in the mobile app and send them over BLE. This is what I have been thinking.


AWS has many different ways to securely provision devices at scale. Can you please link to the PDF you reference so I can see what you are referring to? In the meantime, here is a starting point for reference.

So, I have the device connected to the Wi-Fi configured with the amazon-freertos-ble-ios-sdk demo app, and I have the certificates generated by AWS. How do I send these to the device?

I have sent them via a custom GATT service; do you recommend another way?

Did you create the project yourself, or are you using a project provided by AWS or Espressif? If you are using a project created by AWS or Espressif, then the project will come with instructions on how it expects the keys to be provisioned. Otherwise, assuming this is not a production device or you are just doing evaluation work, the document you posted suggests placing the key in the file system or building it into the firmware as a quick and dirty method. NOTE!!! Neither of those methods is secure, so they should not be used in production and should not be used with keys that need to be kept secret. Production devices can use one of the methods from the link in my original reply and must be provisioned with their keys in a secure manner, for example using a hardware security module at manufacture time, or by generating the keys themselves using a true random number generator as a seed. Also, production devices should store the keys securely using a secure element or other secure enclave.

I'm using the FreeRTOS OTA demo with my customizations, so I used vDevModeKeyProvisioning(), which stores the certs in flash memory with a valid PKCS #11 session handle.

This is the best I have at the moment, in development mode of course; my only doubt is how to send the files to vDevModeKeyProvisioning().

But I'll read the link that you sent me.


So, I read the documentation that you sent me, and the method that best serves me is "Provisioning by trusted user", where this part of the documentation says:

The mobile app or web application supplies the temporary provisioning claim certificate to the device along with any required configuration information, such as Wi-Fi credentials.

The device uses the temporary provisioning claim certificate to connect to AWS IoT using the… etc …

That's the point: to send the temporary provisioning claim certificate, I send it by BLE. My doubt is whether it is the best decision, or whether I should rather send it with the Wi-Fi configuration, e.g.

changing the Wi-Fi provisioning demo and sending it together; of course it is still via BLE, and today I am using GATT.

I am not in a position to change my hardware right now to use a hardware security module at manufacture time.


Could you elaborate further on your query about provisioning using a temporary claim certificate as a trusted user?

Is your question more about how to integrate the solution into the existing Wi-Fi provisioning demo over BLE? Or are you enquiring whether BLE is the best choice for sending the temporary provisioning claim certificate?

Both. I'm using a "Generic Attributes Server" to send these certificates; or do you think I should change the Wi-Fi provisioning demo to send them together?

Because both are BLE, right?

So, in "Provisioning by trusted user" mode I have to send the temporary certificates to my device; I'm using an app provided to a user who has to install the device in the field.

I'm using the amazon-freertos-ble-ios-sdk demo.

Because my hardware doesn't have any certificate embedded; I receive only the finished product (hardware) to install the certificates and run.

And I send only the binary to the factory to put onto the device, so this is the best solution that I figured out.

That's right. It's best to have a secure element pre-provisioned with the private key, or to have the key pair generated by the device and stored in a secure element.

Having said that, if the keys cannot be generated at manufacturing time, you can use the trusted user method (mentioned here) to get a temporary claim. The device can generate a certificate signing request, use the temporary claim to connect to AWS IoT, and register the certificate.

The amazon-freertos-ble-ios-sdk demo shows how to set up a Cognito authentication pool in AWS and add user sign-ups and sign-ins. This way a trusted user can sign in and receive the temporary provisioning claim.

It's best to create a separate custom GATT service as mentioned in the doc, as Wi-Fi provisioning can be done locally without connecting to the cloud.

Nice, that's what I have done: I created the custom GATT server to send any information that I need, Wi-Fi provisioning to configure the Wi-Fi, and the certificates sent via custom GATT. That's simpler than changing the Wi-Fi provisioning.

Thanks for helping me.

@luk4z_7 Hi! Can you publish a demo of what you have made? As Amazon doesn't have any demo for trusted user provisioning, this would be really helpful to me and the community.

I am also trying to do provisioning using a CSR on my ESP32. Any help on how it can be done on ESP32?

So, I have made some tests and I have configured the custom GATT on the ESP32, which makes it possible to send data between the iOS mobile demo and the microcontroller. Today I still don't generate the temporary token in the iOS mobile demo, because I'm first implementing the whole process on the microcontroller to communicate with IoT Core, generate the new certificate and register it. But since I can send data from the iOS demo over custom GATT, I can send the certificate at a later point. We could try to generate it on a server with another SDK in another language, or using the iOS SDK, but today I've been generating it in the terminal with the CLI application.

You have to create a template in IoT Core > Onboard > Fleet provisioning templates > Create, then execute this in the terminal; of course, you need to configure awscli first.

I created this simple shell script; you need jq and awscli installed:

#!/bin/bash
# Create a temporary provisioning claim from the fleet provisioning template
# and write its private key and certificate out as PEM files.
# Requires a configured awscli and jq.
set -euo pipefail

aws iot create-provisioning-claim --template-name YOURNAME > create-provisioning-claim.json
jq -r '.keyPair.PrivateKey' create-provisioning-claim.json > "$(pwd)/1-provisioningClaimPrivateKey.pem"
jq -r '.certificatePem' create-provisioning-claim.json > "$(pwd)/1-provisioningClaimCertificatePem.pem"

So, these certificates are temporary, valid for 5 minutes. You put them into aws_clientcredential_keys.h, compile, and send the binary to the microcontroller. With this certificate you can communicate with IoT Core to register the new certificate and "thing". For this communication I used the "MQTT" demo to publish to the topic "$aws/certificates/create/json" and subscribe to "$aws/certificates/create/json/accepted" to receive the response; this returns the new certificate. Now you have to register the "thing".

After saving the permanent certificate on the device, the device must disconnect from the session that is initiated with the temporary provisioning claim certificate and reconnect using the permanent certificate.

I made a few tests with a certificate while implementing vDevModeKeyProvisioning: when you receive the new certificate, you pass it to this function to write it to flash memory, and now you are ready to use it on new MQTT topics.

I've been testing this and it works. I've implemented up to the part that generates the new certificate, and it works; now I have to test the thing registration, but I think it's ok. Of course, I still have to finish generating the temporary certificate on mobile to send it to the microcontroller.

Everything is covered in the documentation here.

I don't have any special custom implementation; I used the demos that come with FreeRTOS.
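The two replies above (the suggestion to generate a CSR on the device and register the certificate with the temporary claim, and the step-by-step description of the MQTT topics) describe one procedure. The following is an added example, not code from this thread or from the FreeRTOS demos: it models the Fleet Provisioning MQTT exchange the device runs over the session it authenticated with the temporary claim certificate, using the create-from-CSR variant so the permanent private key never leaves the device. The broker is replaced by an in-memory stub so the flow can be run offline; the template name `YOURNAME`, the CSR text, the certificate and the ownership token are constructed placeholders, and the `FakeBroker`, `provision`, `create_certificate_from_csr` and `register_thing` names are this example's own.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Template created under IoT Core > Onboard > Fleet provisioning templates.
# Placeholder name, the same one used with the CLI in the post above.
TEMPLATE_NAME = "YOURNAME"

# Reserved Fleet Provisioning MQTT topics. IoT Core answers every request on
# "<topic>/accepted" or "<topic>/rejected".
CREATE_FROM_CSR_TOPIC = "$aws/certificates/create-from-csr/json"
REGISTER_THING_TOPIC = "$aws/provisioning-templates/%s/provision/json" % TEMPLATE_NAME

# Constructed placeholders (not real cryptographic material). On the ESP32 the
# CSR would be built from a key pair generated through the PKCS #11 layer.
CONSTRUCTED_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "constructed-not-a-real-csr\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
CONSTRUCTED_TOKEN = "constructed-certificate-ownership-token"


class ProvisioningError(RuntimeError):
    """Raised when IoT Core answers on the /rejected topic."""


@dataclass
class FakeBroker:
    """Offline stand-in for the MQTT session opened with the temporary claim
    certificate. Records each publish and returns responses shaped like the
    real accepted/rejected payloads of the Fleet Provisioning API."""
    published: List[Tuple[str, Dict]] = field(default_factory=list)

    def request(self, topic: str, payload: Dict) -> Tuple[str, Dict]:
        # A real client publishes JSON and waits on the two response topics.
        self.published.append((topic, json.loads(json.dumps(payload))))
        if topic == CREATE_FROM_CSR_TOPIC:
            if "certificateSigningRequest" not in payload:
                return topic + "/rejected", {"statusCode": 400,
                                             "errorCode": "InvalidCertificateSigningRequest",
                                             "errorMessage": "missing CSR"}
            return topic + "/accepted", {
                "certificateId": "0123456789abcdef" * 4,  # constructed
                "certificatePem": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n",
                "certificateOwnershipToken": CONSTRUCTED_TOKEN,
            }
        if topic == REGISTER_THING_TOPIC:
            if payload.get("certificateOwnershipToken") != CONSTRUCTED_TOKEN:
                return topic + "/rejected", {"statusCode": 401, "errorCode": "Unauthorized",
                                             "errorMessage": "bad ownership token"}
            serial = payload.get("parameters", {}).get("SerialNumber", "unknown")
            return topic + "/accepted", {"deviceConfiguration": {}, "thingName": "esp32-" + serial}
        return topic + "/rejected", {"statusCode": 404, "errorCode": "NotFound",
                                     "errorMessage": "unknown topic"}


def _accepted(topic: str, resp: Dict) -> Dict:
    """Fail loudly on /rejected instead of silently continuing with no cert."""
    if not topic.endswith("/accepted"):
        raise ProvisioningError("%s: %s (%s)" % (topic, resp.get("errorCode"),
                                                 resp.get("errorMessage")))
    return resp


def create_certificate_from_csr(broker: FakeBroker, csr_pem: str) -> Tuple[str, str, str]:
    """Step 1: ask IoT Core to sign the device's CSR. Returns
    (certificateId, certificatePem, certificateOwnershipToken)."""
    topic, resp = broker.request(CREATE_FROM_CSR_TOPIC, {"certificateSigningRequest": csr_pem})
    resp = _accepted(topic, resp)
    return resp["certificateId"], resp["certificatePem"], resp["certificateOwnershipToken"]


def register_thing(broker: FakeBroker, ownership_token: str, serial_number: str) -> str:
    """Step 2: activate the new certificate and create the thing through the
    template. The ownership token proves this session obtained that cert."""
    topic, resp = broker.request(REGISTER_THING_TOPIC, {
        "certificateOwnershipToken": ownership_token,
        "parameters": {"SerialNumber": serial_number},
    })
    return _accepted(topic, resp)["thingName"]


def provision(broker: FakeBroker, csr_pem: str, serial_number: str) -> Dict:
    """Full flow on the claim-certificate session. After this returns, the
    device stores certificatePem (e.g. via vDevModeKeyProvisioning), drops
    the claim session and reconnects with the permanent certificate."""
    cert_id, cert_pem, token = create_certificate_from_csr(broker, csr_pem)
    thing_name = register_thing(broker, token, serial_number)
    return {"certificateId": cert_id, "certificatePem": cert_pem, "thingName": thing_name}


if __name__ == "__main__":
    result = provision(FakeBroker(), CONSTRUCTED_CSR_PEM, "ABC123")
    print(result["thingName"])  # esp32-ABC123
```

The claim certificate is only ever authorised for the `$aws/certificates/...` and `$aws/provisioning-templates/...` topics, so the `/rejected` branch is the normal outcome of reusing a stale ownership token or an expired claim; the device must treat it as a failed provisioning and not proceed to the application topics. Because the ownership token is bound to the session that requested the certificate, the thing registration has to be completed on the same connection before the device disconnects and reconnects with the permanent certificate.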