By using AWS re:Post, you agree to the Terms of Use
/AWS IoT - Provisioning devices that don't have device certificates using fleet provisioning/

AWS IoT - Provisioning devices that don't have device certificates using fleet provisioning



I have a couple of questions about the provisioning process by either trusted user or provisioning claim:

  1. If you do not want to put too much trust on the supplier, how would you provide it the ability to establish provisioning claim certificates so it can install them on the device during manufacturing?
  2. If the device is delivered and then being reset to factory settings - how the device can be recovered if the provisioning claim certificate is expired/revoked?
  3. If you choose to use the trusted-user approach, how would you connect to the device's local web server? More specifically how would you securely install TLS certificate for the device's local web server?
  4. If the IoT device is Greengrass (V2) would it make more sense to use HSM Key (e.g., USB A Yubico) just to support secure re-bootstrapping of the device (so it can load all the initial secrets/certificates/ssm-activation codes)?
1 Answers
Accepted Answer

Hi, yossico.

We don't support HSM for fleet provisioning. Using our PKCS11 module, you can use just in time registration ("JITR"). Hope that works for your use case.

These might help:

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions