AWS IoT - Provisioning devices that don't have device certificates using fleet provisioning

Question

Hello,

I have a couple of questions about the [provisioning process](https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html) by either trusted user or provisioning claim:

1. If you do not want to put too much trust on the supplier, how would you provide it the ability to establish provisioning claim certificates so it can install them on the device during manufacturing?
2. If the device is delivered and then being reset to factory settings - how the device can be recovered if the provisioning claim certificate is expired/revoked?
3. If you choose to use the trusted-user approach, how would you connect to the device's local web server? More specifically how would you securely install TLS certificate for the device's local web server?
4. If the IoT device is Greengrass (V2) would it make more sense to use HSM Key (e.g., [USB A  Yubico](https://www.yubico.com/il/works-with-yubikey/catalog/aws-iot-greengrass/)) just to support secure re-bootstrapping of the device (so it can load all the initial secrets/certificates/ssm-activation codes)?

Accepted Answer

Hi, yossico.

We don't support HSM for fleet provisioning. Using our PKCS11 module, you can use just in time registration ("JITR"). Hope that works for your use case.

These might help:
* https://docs.aws.amazon.com/greengrass/v2/developerguide/manual-installation.html
* https://docs.aws.amazon.com/iot/latest/developerguide/jit-provisioning.html
* https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/

AWS IoT - Provisioning devices that don't have device certificates using fleet provisioning

相關內容