Generating keys and certificates

Provisioning gives your device the keys and certificates it needs to gain access to your Device Management account.

To obtain keys and certificates for the demo, you can:

Injecting entropy onto devices

IoT devices need entropy to perform cryptographic operations.

You can use FCU to inject entropy onto devices that lack a TRNG (true random number generator), such as the NUCLEO-F411RE and UIS8908A, or onto devices with weak entropy, by setting entropy-generation-mode to by_tool or externally_supplied in the fcu.yml file.

If you use externally-supplied entropy, you must also create an entropy file, named entropy.bin. Here is an example of how to generate an entropy file in Linux:

time dd if=/dev/urandom of=entropy.bin bs=1 count=1024
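As an added example, not part of the original page or of FCU: a Python equivalent of the dd command above that writes 1024 bytes from the host CSPRNG to entropy.bin and sanity-checks the file before it is handed to FCU. The file size and the two thresholds are assumptions; the checks reject truncated, zero-filled or low-variety files but cannot prove the bytes are random.

```python
import math
import os
from collections import Counter

ENTROPY_BYTES = 1024        # size the dd command above produces (bs=1 count=1024)
MIN_BITS_PER_BYTE = 7.0     # assumed floor: 1024 CSPRNG bytes score about 7.8
MIN_DISTINCT_VALUES = 64    # assumed floor: 1024 CSPRNG bytes show about 250 distinct values

def shannon_bits_per_byte(data):
    """Empirical Shannon entropy of the byte histogram, in bits per byte (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def check_entropy_file(data, expected_len=ENTROPY_BYTES):
    """Return a list of problems; an empty list means the file passes the sanity checks.
    These catch truncated, zero-filled or low-variety files; they do NOT prove
    randomness (a repeating pattern with a flat byte histogram still passes)."""
    problems = []
    if len(data) != expected_len:
        problems.append("expected %d bytes, got %d" % (expected_len, len(data)))
    distinct = len(set(data))
    if distinct < MIN_DISTINCT_VALUES:
        problems.append("only %d distinct byte values" % distinct)
    bits = shannon_bits_per_byte(data)
    if bits < MIN_BITS_PER_BYTE:
        problems.append("entropy estimate %.2f bits/byte is below %.1f" % (bits, MIN_BITS_PER_BYTE))
    return problems

def write_entropy_file(path="entropy.bin", size=ENTROPY_BYTES):
    """Write `size` bytes from the host CSPRNG (the same pool /dev/urandom reads) and
    return them; refuses to leave a file behind that fails the sanity checks."""
    data = os.urandom(size)
    problems = check_entropy_file(data, size)
    if problems:
        raise RuntimeError("host randomness looks broken: " + "; ".join(problems))
    with open(path, "wb") as f:
        f.write(data)
    return data

if __name__ == "__main__":
    write_entropy_file()
    print("entropy.bin written and sanity-checked")
```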

Using FCU as a CA

You can use FCU as a CA (certificate authority) when you configure it to generate the DTLS device keys, or when the device generates DTLS device keys.

  1. Configure the fcu.yml file:

    1. Set device-key-generation-mode to by_tool or by_device.

    2. Fill in the device-certificate, certificate-authority and device-info sections.

      Note: For all attributes under the device-certificate section, we recommend using only the characters a-z, A-Z, 0-9, '+,-.:/= and SPACE. For more information, see configuration for generation of device certificates.

      device-certificate:
        organization-name: 'dev-ON'
        organizational-unit-name: 'dev-OUN'
        locality-name: 'dev-L'
        state-or-province-name: 'dev-SN'
        country-name: 'dv'
      
      certificate-authority:
        common-name: 'CN'
        organization-name: 'ON'
        organizational-unit-name: 'OUN'
        locality-name: 'LN'
        state-or-province-name: 'SN'
        country-name: 'CO'
      
      device-info:
        manufacturer-name: 'NXP'
        device-type: 'development'
        model-number: 'K64F'
        hardware-version: 'K64F'
        memory-total: 256
        timezone: 'UTC'
      
  2. Navigate to the ft_demo/sources directory.

  3. To create a private key and certificate (in the keystore folder under FCU_HOME_DIR), run:

    python ft_demo.py setup
    
    • When FCU is not an intermediate CA, the expected FCU output in the console is:

      The fcu certificate was created successfully at c:\tools\factory_configurator_utility\keystore\fcu.crt
      Please note the certificate must be uploaded to the portal
      OPERATION COMPLETED SUCCESSFULLY
      
    • When FCU is an intermediate CA (when the setup-ca-as-intermediate parameter in the fcu.yml file is true), the setup command creates a CSR named fcu_csr.pem.

      In this case, the expected FCU output in the console is:

      The FCU CSR was created successfully at c:\tools\factory_configurator_utility\keystore\fcu_csr.pem. Please sign the generated CSR, and save created certificate as 'c:\tools\factory_configurator_utility\keystore\fcu.crt'.
      Please note the certificate must be uploaded to the portal
      OPERATION COMPLETED SUCCESSFULLY
      

      Use your certificate authority to sign the CSR, and provide the resulting certificate chain to FCU under the predefined file name fcu.crt.

  4. Upload your certificate file to Device Management Portal.
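As an added example (not FCU's own code), a small Python checker for step 1 above: it reads the flat fcu.yml layout shown there and verifies the device-certificate attributes against the recommended character set before FCU is asked to issue a certificate. The reader handles only that one-level layout (it is not a full YAML parser), and the two-character country-name rule comes from X.509 (RFC 5280), not from this page.

```python
import re

# Characters the note above recommends: a-z, A-Z, 0-9, '+,-.:/= and SPACE.
ALLOWED_RE = re.compile(r"^[A-Za-z0-9'+,\-.:/= ]*$")
REQUIRED_DEVICE_CERT_KEYS = ("organization-name", "organizational-unit-name",
                             "locality-name", "state-or-province-name", "country-name")

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def parse_sections(text):
    """Minimal reader for the layout shown above: top-level 'key: value' lines go under
    the '' section; a 'section:' header opens a section of indented 'key: value' lines.
    Assumption: no deeper nesting and no lists."""
    sections, current = {"": {}}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if line.startswith((" ", "\t")) and current is not None:
            sections[current][key.strip()] = _unquote(value)
        elif value.strip():                         # top-level scalar
            current = None
            sections[""][key.strip()] = _unquote(value)
        else:                                       # section header
            current = key.strip()
            sections[current] = {}
    return sections

def check_device_certificate(sections):
    """Return a list of problems with the device-certificate section (empty = OK)."""
    dc = sections.get("device-certificate")
    if dc is None:
        return ["missing device-certificate section"]
    problems = [k + ": missing" for k in REQUIRED_DEVICE_CERT_KEYS if k not in dc]
    for key, value in dc.items():
        if not ALLOWED_RE.match(value):
            bad = sorted({c for c in value if not ALLOWED_RE.match(c)})
            problems.append("%s: disallowed characters %s" % (key, bad))
    # X.509 rule (RFC 5280), not stated on the page: the C attribute is exactly 2 characters.
    if "country-name" in dc and len(dc["country-name"]) != 2:
        problems.append("country-name: must be exactly 2 characters")
    return problems

# Constructed sample in the page's layout: the device-certificate section from step 1.
SAMPLE_FCU_YML = "device-certificate:\n  organization-name: 'dev-ON'\n  organizational-unit-name: 'dev-OUN'\n  locality-name: 'dev-L'\n  state-or-province-name: 'dev-SN'\n  country-name: 'dv'\n"
```

Running check_device_certificate(parse_sections(open("fcu.yml").read())) against your own file returns an empty list when the section is clean.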

Using your own CA

In this mode, you use your own device private key and certificate as resources:

  1. In fcu.yml, set device-key-generation-mode to externally_supplied.

  2. Create a new folder and place your resources there. You can use your own files:

    • BootstrapDevicePrivateKey.der or BootstrapDevicePrivateKey.pem: A private key on the NIST P-256 (secp256r1) elliptic curve.
    • BootstrapDeviceCert.der or BootstrapDeviceCert.pem: An X.509 certificate.

    Note: Make sure you use FCU-compatible certificates.

  3. Make a note of the folder path; you will need it when you inject to the device later in this demo.

  4. Upload your certificate file to Device Management Portal.

Using an ATECC608A secure element

You can use the default pre-provisioned keys and certificates on the ATECC608A secure element, or you can emulate the production flow of signing the pre-provisioned credentials with your own CA using Trust Platform Design Suite.

Warning: Use the secure element credentials described in this document for development purposes only. For production you must order secure elements with pre-provisioned credentials signed by your own CA.

To use the default pre-provisioned credentials:

  1. In fcu.yml, set the device-key-generation-mode parameter to pre_provisioned.
  2. Upload the CA certificate file to Device Management Portal.
    The default-root-ca.crt CA certificate is located in the factory-configurator-client-example/mbed-cloud-client-platform-common/secure_element/se_atmel_credentials folder.

To emulate the production flow of signing the pre-provisioned credentials with your own CA:

  1. In fcu.yml, set the device-key-generation-mode parameter to pre_provisioned.
  2. Connect the DM320118 development kit to your PC with a USB cable. Disconnect the male-to-male jumper wires from the DM320118 kit, if connected.
  3. Install Trust Platform Design Suite and follow the instructions to create a new CA and credentials. This creates a number of files in the TrustFLEX/00_resource_generation folder:
    • cust_def_1_signer.c
    • cust_def_1_signer.h
    • cust_def_2_device.c
    • cust_def_2_device.h
    • root-ca.crt
  4. Copy the .c and .h files from the TrustFLEX/00_resource_generation folder to your factory-configurator-client-example/mbed-cloud-client-platform-common/secure_element/se_atmel_credentials folder; if the files already exist, overwrite them.
  5. Upload the root-ca.crt CA certificate file to Device Management Portal.