
Necessary steps for JITP of IoT devices.


Hi, we're just about to ramp up a major IoT project where we'll produce 100k+ devices with LTE, GPS and a few sensors. We're going to use SoCs from Nordic Semiconductor and of course AWS IoT Core, Device Management, Events and Analytics.

What I'm not that familiar with is certificates and the auth process. What I do know is that Nordic Semiconductor has their own cloud solution built on AWS (which we're not going to use) so AWS IoT should in theory be a good fit.

I found this sample repo from AWS which does certificate signing, rotation ++ https://github.com/aws-samples/iot-device-on-boarding/blob/master/README.md

Is all this necessary or is there a simpler process where we can just sign the manufacturer certificate upon first connection and automagically create a thing from that?

Thanks in advance for any clarification :)

And a happy new year!

asked a year ago, 168 views

1 Answer

Hi. That repo is a bit old and does extra stuff like certificate rotation. Key links:

I would say there are two major considerations to determine the right provisioning method:

  1. When should each device get a unique certificate and private key?
  2. When should each device be registered in the AWS account?

Very simplified high level:

  • Factory + factory = single thing provisioning (or scripted by API calls)
  • Factory + field = JITP / JITR
  • Field + field = fleet provisioning

There is much more nuance than that, but it's a good starting point.

JITP requires each device to already have a unique certificate before it comes online. You also need to register your CA with AWS IoT Core and create a provisioning template that defines how AWS IoT Core should register the Thing when it connects for the first time.

To decide if each device can get unique credentials in the factory, you need to consider factors like internet connectivity, PKI setup, whether the device uses HSMs or secure elements, and whether you trust the manufacturer.

AWS EXPERT, answered a year ago
  • Hi Greg! Thanks for your help! I think we can safely use single thing provisioning. Our hw developer would like to generate private keys themselves and provide a CSR to AWS. From what I can see, the STP should support that, but do I have to pre-sign something on the device, or can we still utilize ONLY the RegisterThing API to get from A to Z?

    I created a simple lambda to call the RegisterThing API using Node.js (https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iot/command/RegisterThingCommand/). I was hoping I could just refer to a pre-created provisioning template in IoT Core, but it seems that I have to create the template in the lambda itself and parse it to JSON.

    Any ideas on best practices here?
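As an added example that is not part of this thread, here is a provisioning template of the kind the answer says JITP needs, built and sanity-checked in Python; `DevicePolicy` is an assumed name for an IoT policy that already exists in the account, and `template_body` produces the JSON string that both the CA registration config and the RegisterThing call mentioned in the comment take as templateBody.

```python
import json

def build_jitp_template(policy_name: str) -> dict:
    """Added example (policy_name assumed to exist): Thing named after the device cert CN, cert activated, policy attached."""
    return {
        "Parameters": {
            "AWS::IoT::Certificate::CommonName": {"Type": "String"},
            "AWS::IoT::Certificate::Id": {"Type": "String"},
        },
        "Resources": {
            "thing": {
                "Type": "AWS::IoT::Thing",
                "Properties": {"ThingName": {"Ref": "AWS::IoT::Certificate::CommonName"}},
            },
            "certificate": {
                "Type": "AWS::IoT::Certificate",
                "Properties": {"CertificateId": {"Ref": "AWS::IoT::Certificate::Id"}, "Status": "ACTIVE"},
            },
            "policy": {"Type": "AWS::IoT::Policy", "Properties": {"PolicyName": policy_name}},
        },
    }

def _refs(node):
    """Yield the target of every {"Ref": ...} found anywhere in the template."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            yield node["Ref"]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)

def validate_template(tpl: dict) -> list:
    """Return problems found (an empty list means the template looks sane)."""
    problems = []
    declared = set(tpl.get("Parameters", {}))
    for ref in _refs(tpl.get("Resources", {})):
        if ref not in declared:  # every Ref must name a declared Parameter
            problems.append(f"Ref to undeclared parameter: {ref}")
    present = {r.get("Type") for r in tpl.get("Resources", {}).values()}
    for needed in ("AWS::IoT::Thing", "AWS::IoT::Certificate"):
        if needed not in present:
            problems.append(f"missing resource of type {needed}")
    return problems

def template_body(tpl: dict) -> str:
    """Serialize into the JSON string AWS expects in the templateBody field."""
    return json.dumps(tpl, separators=(",", ":"))
```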
