What is the best way to send certificates and private keys to a device?

I have an ESP32 device, and I read device-manufacturing-provisioning.pdf, but even so I have doubts about how I can send the private keys and certificates it needs to connect to AWS over MQTT.

I can send them via BLE using the mobile SDK in the iOS app demo, but I don’t know if that is the best way, because my device needs only this to run; this device comes from the factory and cannot be rebuilt anymore.

My certificates and private keys are generated by AWS; I get them in the mobile app and send them over BLE. This is what I have been thinking.

AWS has many different ways to securely provision devices at scale. Can you please link to the PDF you reference so I can see what you are referring to? In the meantime, here is a starting point for reference.

So, I have the device connected to Wi-Fi, configured with the amazon-freertos-ble-ios-sdk demo app, and I have the certificates generated by AWS. How do I send these to the device?

I have sent them via a custom GATT service; do you recommend another way?

Did you create the project yourself, or are you using a project provided by AWS or Espressif? If you are using a project created by AWS or Espressif, then the project will come with instructions on how it expects the keys to be provisioned. Otherwise, assuming this is not a production device or you are just doing evaluation work, the document you posted suggests placing the key in the file system or building it into the firmware as a quick and dirty method. NOTE!!! Neither of those methods is secure, so they should not be used in production and should not be used with keys that need to be kept secret. Production devices can use one of the methods from the link in my original reply and must be provisioned with their keys in a secure manner - for example using a hardware security module at manufacture time, or by generating the keys themselves using a true random number generator as a seed. Also, production devices should store the keys securely using a secure element or other secure enclave.

I’m using the FreeRTOS OTA demo with my customizations, so I used vDevModeKeyProvisioning(), which stores the certs into flash memory with a valid PKCS #11 session handle.

This is the best I have at the moment, in development mode of course; my only doubt is how to send the files to vDevModeKeyProvisioning().

But I’ll read the link that you sent me.
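One way to move PEM blobs to the device over a custom GATT characteristic, as an added example that is not part of this thread and not code from the amazon-freertos-ble-ios-sdk or FreeRTOS projects: the phone side splits a blob into frames that fit one characteristic write, and the device side reassembles them in any order and only hands the result on to provisioning (where the real firmware would call vDevModeKeyProvisioning()) once every frame is present and a SHA-256 written to a control characteristic matches. It is written in Go so it runs on a workstation; the frame layout, the 20-byte write size, the two-characteristic design and the sample PEM text are assumptions, and the sample PEM is constructed, not a real certificate.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample blob standing in for a device certificate: PEM-shaped
// text only, not a real certificate.
const samplePEM = "-----BEGIN CERTIFICATE-----\n" +
	"MIIBxDCCAWqgAwIBAgIUCONSTRUCTEDSAMPLEONLY0000000000wCgYIKoZIzj0EAwIw\n" +
	"EjEQMA4GA1UEAwwHU04tMDAwMTAeFw0yNDAxMDEwMDAwMDBaFw0zNDAxMDEwMDAwMDBa\n" +
	"-----END CERTIFICATE-----\n"

// Assumed frame layout for the data characteristic: [index:2][total:2][payload].
// With the default ATT MTU of 23 a write carries 20 bytes, so 16 bytes of
// payload per frame; a larger negotiated MTU simply means fewer frames.
const headerSize = 4

// Split (phone side) cuts a blob into frames that fit one characteristic write.
func Split(blob []byte, writeSize int) ([][]byte, error) {
	if writeSize <= headerSize {
		return nil, errors.New("write size leaves no room for payload")
	}
	per := writeSize - headerSize
	total := (len(blob) + per - 1) / per
	if total == 0 || total > 0xFFFF {
		return nil, errors.New("blob is empty or too large for a 16-bit frame count")
	}
	frames := make([][]byte, 0, total)
	for i := 0; i < total; i++ {
		end := (i + 1) * per
		if end > len(blob) {
			end = len(blob)
		}
		f := make([]byte, headerSize, headerSize+per)
		binary.BigEndian.PutUint16(f[0:2], uint16(i))
		binary.BigEndian.PutUint16(f[2:4], uint16(total))
		frames = append(frames, append(f, blob[i*per:end]...))
	}
	return frames, nil
}

// Receiver (device side) reassembles frames in any order and releases the
// blob only when every frame has arrived and the digest matches.
type Receiver struct {
	total int
	got   int
	parts [][]byte
}

// Write handles one write to the data characteristic.
func (r *Receiver) Write(frame []byte) error {
	if len(frame) <= headerSize {
		return errors.New("frame has no payload")
	}
	idx := int(binary.BigEndian.Uint16(frame[0:2]))
	total := int(binary.BigEndian.Uint16(frame[2:4]))
	if total == 0 || idx >= total {
		return errors.New("frame index out of range")
	}
	if r.parts == nil {
		r.total = total
		r.parts = make([][]byte, total)
	}
	if total != r.total {
		return errors.New("frame count changed mid-transfer")
	}
	if r.parts[idx] != nil {
		return errors.New("duplicate frame")
	}
	r.parts[idx] = append([]byte(nil), frame[headerSize:]...)
	r.got++
	return nil
}

// Finish handles the write of the expected SHA-256 to the control
// characteristic. A truncated or corrupted blob is never passed on to the
// provisioning routine, so it never reaches flash.
func (r *Receiver) Finish(expected [32]byte) ([]byte, error) {
	if r.parts == nil || r.got != r.total {
		return nil, errors.New("transfer incomplete")
	}
	blob := bytes.Join(r.parts, nil)
	if sha256.Sum256(blob) != expected {
		return nil, errors.New("digest mismatch, refusing to provision")
	}
	return blob, nil
}

func main() {
	blob := []byte(samplePEM)
	frames, err := Split(blob, 20)
	if err != nil {
		panic(err)
	}
	var dev Receiver
	for _, f := range frames {
		if err := dev.Write(f); err != nil {
			panic(err)
		}
	}
	out, err := dev.Finish(sha256.Sum256(blob))
	fmt.Printf("%d frames, reassembled %d bytes, err=%v\n", len(frames), len(out), err)
}
```

The digest only protects against transport errors and a half-finished transfer; it does not authenticate the phone. That is why the trusted-user flow hands the device a short-lived claim certificate with restricted permissions rather than a long-lived key: whatever reaches the device over BLE is only good for registering its own CSR.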


So, I read the documentation that you sent me, and the method that serves me best is “Provisioning by trusted user”, where this part of the documentation says:

The mobile app or web application supplies the temporary provisioning claim certificate to the device along with any required configuration information, such as Wi-Fi credentials.

The device uses the temporary provisioning claim certificate to connect to AWS IoT using the… etc …

That’s the point: to send the temporary provisioning claim certificate, I send it by BLE. My doubt is whether that is the best decision or whether I had better send it with the Wi-Fi configuration, e.g.

changing the Wi-Fi provisioning demo and sending it together; of course, it is still via BLE. Today I am using GATT.

I am not in a position to change my hardware right now to use a hardware security module at manufacture time.


Could you elaborate further on your query about provisioning using a temporary claim certificate as a trusted user?

Is your question more about how to integrate the solution into the existing Wi-Fi provisioning demo over BLE? Or are you enquiring whether BLE is the best choice for sending the temporary provisioning claim certificate?

Both. I’m using a “Generic Attributes Server” to send these certificates; or do you think I should change the Wi-Fi provisioning demo to send them together?

Because both are BLE, right?

So, in the “Provisioning by trusted user” mode I have to send the temporary certificates to my device. I’m using an app provided to a user who has to install the device in the field.

I’m using the amazon-freertos-ble-ios-sdk demo.

Because my hardware doesn’t have any certificate embedded, I receive only the finished product (hardware), install the certificates, and run it.

And I send only the binary for the factory to put into the device, so this is the best solution that I figured out.

That’s right. It’s best to have a secure element pre-provisioned with the private key, or to have the key pair generated by the device and stored in a secure element.

Having said that, if the keys cannot be generated at manufacturing time, you can use the trusted user method (mentioned here) to get a temporary claim. The device can generate a certificate signing request, use the temporary claim to connect to AWS IoT, and register the certificate.

The amazon-freertos-ble-ios-sdk demo shows how to set up a Cognito authentication pool in AWS and add user sign-ups and sign-ins. This way a trusted user can sign in and receive the temporary provisioning claim.

It’s best to create a separate custom GATT service, as mentioned in the doc, since Wi-Fi provisioning can be done even locally without connecting to the cloud.
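The trusted-user flow the reply describes, as an added example that is not part of this thread and not code from any AWS SDK: the device generates its key pair locally, sends only a CSR on the fleet-provisioning topic $aws/certificates/create-from-csr/json while connected with the temporary claim certificate, and forwards the certificateOwnershipToken from the response to $aws/provisioning-templates/<template>/provision/json. The point a reviewer checks is that no private key material ever appears in an outbound message. The MQTT connection is not made here; the broker response JSON is constructed, and the P-256 curve, the serial number in the CSR subject and the SerialNumber template parameter are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Fleet-provisioning MQTT topics used by the exchange.
const TopicCreateFromCSR = "$aws/certificates/create-from-csr/json"

func ProvisionTopic(template string) string {
	return "$aws/provisioning-templates/" + template + "/provision/json"
}

// Device holds the key pair. It is generated on the device and never
// serialised; only a CSR signed with it leaves the device.
type Device struct {
	Serial string
	key    *ecdsa.PrivateKey
}

// NewDevice generates a P-256 key pair (assumed curve). On real hardware this
// would be done in a secure element or through the PKCS #11 layer.
func NewDevice(serial string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Serial: serial, key: key}, nil
}

// CSRRequest is the payload published on TopicCreateFromCSR.
type CSRRequest struct {
	CertificateSigningRequest string `json:"certificateSigningRequest"`
}

// CSRResponse is the accepted response shape for that topic.
type CSRResponse struct {
	CertificateID             string `json:"certificateId"`
	CertificatePem            string `json:"certificatePem"`
	CertificateOwnershipToken string `json:"certificateOwnershipToken"`
}

// ProvisionRequest is the payload published on ProvisionTopic(template).
type ProvisionRequest struct {
	CertificateOwnershipToken string            `json:"certificateOwnershipToken"`
	Parameters                map[string]string `json:"parameters"`
}

// BuildCSRRequest creates a CSR whose subject CN is the device serial.
func (d *Device) BuildCSRRequest() ([]byte, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: d.Serial}}, d.key)
	if err != nil {
		return nil, err
	}
	pemCSR := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return json.Marshal(CSRRequest{CertificateSigningRequest: string(pemCSR)})
}

// ValidateCSRRequest parses the message, checks the CSR's self-signature and
// returns the subject CN; it fails on anything that is not a well-formed CSR.
func ValidateCSRRequest(msg []byte) (string, error) {
	var req CSRRequest
	if err := json.Unmarshal(msg, &req); err != nil {
		return "", err
	}
	block, _ := pem.Decode([]byte(req.CertificateSigningRequest))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("message carries no CSR block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

// BuildProvisionRequest turns the CSR response into the second message, which
// asks the template to create the thing and attach the new certificate.
func (d *Device) BuildProvisionRequest(resp []byte) ([]byte, error) {
	var r CSRResponse
	if err := json.Unmarshal(resp, &r); err != nil {
		return nil, err
	}
	if r.CertificateOwnershipToken == "" {
		return nil, errors.New("response carries no ownership token")
	}
	return json.Marshal(ProvisionRequest{
		CertificateOwnershipToken: r.CertificateOwnershipToken,
		Parameters:                map[string]string{"SerialNumber": d.Serial},
	})
}

// LeaksPrivateKey reports whether an outbound message contains key material.
func LeaksPrivateKey(msg []byte) bool {
	return strings.Contains(string(msg), "PRIVATE KEY")
}

func main() {
	d, _ := NewDevice("SN-0001")
	msg, _ := d.BuildCSRRequest()
	cn, err := ValidateCSRRequest(msg)
	fmt.Printf("publish %s: CN=%s err=%v leaks=%v\n", TopicCreateFromCSR, cn, err, LeaksPrivateKey(msg))
}
```

Because the claim certificate only grants publish and subscribe rights on these provisioning topics, the blob sent over the custom GATT service is of limited use on its own: the operational certificate is tied to a key that was generated on the device and never crossed the BLE link.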

Nice, that’s what I have done: I created the custom GATT server to send any information that I need, Wi-Fi provisioning to configure the Wi-Fi, and the certificates sent via custom GATT; that’s simpler than changing the Wi-Fi provisioning.

Thanks for helping me.