AWS IoT - Provisioning devices that don't have device certificates using fleet provisioning
I have a couple of questions about the provisioning process by either trusted user or provisioning claim:
- If you do not want to put too much trust on the supplier, how would you provide it the ability to establish provisioning claim certificates so it can install them on the device during manufacturing?
- If the device is delivered and then being reset to factory settings - how the device can be recovered if the provisioning claim certificate is expired/revoked?
- If you choose to use the trusted-user approach, how would you connect to the device's local web server? More specifically how would you securely install TLS certificate for the device's local web server?
- If the IoT device is Greengrass (V2) would it make more sense to use HSM Key (e.g., USB A Yubico) just to support secure re-bootstrapping of the device (so it can load all the initial secrets/certificates/ssm-activation codes)?
We don't support HSM for fleet provisioning. Using our PKCS11 module, you can use just in time registration ("JITR"). Hope that works for your use case.
These might help:
Greengrass v2 fleet provisioning in dockerAccepted Answerasked 8 months ago
Just in time provisioning for Greengrass v2 core devicesAccepted Answerasked 6 months ago
Greengrass v2 fleet provisioning retry in case of lack of the Internet connection.Accepted Answerasked 3 months ago
Pushing Deployment to device provisioning a second timeAccepted Answerasked 3 months ago
Fleet Provisioning of GGv2 devicesasked a year ago
Connection Interruption Error during Fleet Provisioningasked a year ago
Fleet Provisioning -- Greengrass Core installation Issueasked 8 months ago
Device registration via JITP w/ pre-provisioning hookasked 4 months ago
AWS IoT Fleet Provisioning doesn't publish certificate responseasked 2 years ago
AWS IoT - Provisioning devices that don't have device certificates using fleet provisioningAccepted Answerasked a month ago