How to embed JITP in your microcontroller for mass production

I’m trying to get an application running in Amazon FreeRTOS that uses the just-in-time provisioning mechanism to allow provisioning of a fleet of devices.

I have successfully run the steps on https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/ and connected to my endpoint using mosquitto and JITP. However, when I try to use deviceCertAndCACert.crt as keyCLIENT_CERTIFICATE_PEM and deviceCert.key as keyCLIENT_PRIVATE_KEY_PEM in the demo, my device does not provision.

My idea is to generate the device certificates and keys for each device at manufacturing using the same CA certificate.

My questions are:

  1. Which is the best method for JITP for mass production devices?
  2. How do I use the device certificates generated in https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/ in Amazon FreeRTOS?

Hello @jpfaguirre, regarding your second question, please ensure that you’re setting keyCLIENT_CERTIFICATE_PEM, keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM, and keyCLIENT_PRIVATE_KEY_PEM in aws_clientcredential_keys.h.

Referencing https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/, keyCLIENT_CERTIFICATE_PEM should be defined to the contents of deviceCert.crt (encoded as PEM); keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM should be defined to the contents of rootCA.pem; and keyCLIENT_PRIVATE_KEY_PEM should be defined to the contents of deviceCert.key (encoded as PEM).

An alternative set of instructions, more specific to FreeRTOS, can be found in the Option #2 section of https://github.com/aws/amazon-freertos/blob/master/demos/dev_mode_key_provisioning/README.md.

More generally, keep in mind that the device only needs to include the JIT issuer certificate on the first connection attempt. Once the device certificate has been successfully registered as a result of that, the device can stop sending the issuer cert in its TLS connection requests. However, it’s fine to keep sending it anyway. Also, on that first connection attempt, even when registration is successful, the AWS IoT MQTT gateway will disconnect the TCP connection. Therefore, the device app must be programmed in such a way as to anticipate that and reconnect.
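The mapping in the answer above (deviceCert.crt, rootCA.pem and deviceCert.key into the three macros of aws_clientcredential_keys.h), as an added example that is not code from the thread or from the amazon-freertos project. It assumes the PEM files from the blog post are in the current directory; the helper names and the error message are constructed for this example, and it rejects a bundle like deviceCertAndCACert.crt where the single device certificate is expected.

```shell
#!/bin/sh
# Added example for this thread, not code from the amazon-freertos project.
# Turns the PEM files from the JITP blog post into the macro definitions that
# aws_clientcredential_keys.h expects. Macro names are the ones named in the
# answer; helper names and test inputs are constructed for this example.

# Number of certificates in a PEM file. keyCLIENT_CERTIFICATE_PEM must hold only
# the device certificate, so a bundle such as deviceCertAndCACert.crt (device
# cert plus CA) is the wrong input for it.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print "#define <macro> \" followed by each PEM line as a C string literal
# ending in \n (continued with a trailing backslash, except on the last line).
pem_to_macro() {
    macro=$1
    file=$2
    printf '#define %s \\\n' "$macro"
    tr -d '\r' < "$file" \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/^/"/' -e 's/$/\\n"\\/' \
        | sed -e '$ s/\\$//'
}

# Emit the three macros in the order the answer lists them. Refuses a device
# certificate file that is really a bundle, which is the mistake in the
# question (deviceCertAndCACert.crt used as keyCLIENT_CERTIFICATE_PEM).
emit_keys_header() {
    devcert=$1
    cacert=$2
    devkey=$3
    if [ "$(count_certs "$devcert")" -ne 1 ]; then
        echo "error: $devcert must contain exactly one certificate; use deviceCert.crt, not the bundle" >&2
        return 1
    fi
    pem_to_macro keyCLIENT_CERTIFICATE_PEM "$devcert"
    pem_to_macro keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM "$cacert"
    pem_to_macro keyCLIENT_PRIVATE_KEY_PEM "$devkey"
}

# Usage: sh jitp_keys.sh deviceCert.crt rootCA.pem deviceCert.key > keys_snippet.h
if [ "$#" -eq 3 ]; then
    emit_keys_header "$@"
fi
```

Paste the printed definitions into aws_clientcredential_keys.h in place of the existing macros; the PEM text itself is unchanged apart from the C string quoting.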