Create device credentials

On AWS devices, you can connect to IoT core using TLS version 1.2 and Elliptic Curve Cryptography (ECC) based certificates.

For creating device credentials, you must generate the following certificates:

  • CA certificate

  • Device certificate

Generate a CA certificate

Creating the CA certificate is a one-time operation. If you have a directory called certificates with a rootCA.pem file in it, you have already completed this step.

nRF Asset Tracker for AWS follows the recommendation of (using a custom Certificate Authority (CA)) which allows generating device certificates offline.

Run the following script to generate and register a CA certificate in your AWS account:

cd ~/nrf-asset-tracker/aws
./cli.sh create-ca

Note

The default lifetime for CA certificates is 1 year. Run ./cli.sh create-ca --help to learn how to customize the lifetime.

Generate and provision the device certificate

First, make sure you have Segger JLink installed in your path.

Note

Provisioning the certificates through CLI is currently not supported on WSL 2 because it lacks support for serial devices. For more information, see the issue on WSL 2.

Use the CLI to generate and provision a certificate for your device:

 ./cli.sh create-and-provision-device-cert
 # default board is the Thingy:91, use --dk to program a DK
 # when programming a Thingy:91, most likely you need to override the default port: -p /dev/ttyACM2
 # pass --help to see the additional options, for example, option that enables the use of a different secTag

Note

The default lifetime for device certificates is 30 years. Run ./cli.sh create-and-provision-device-cert --help to learn how to customize the lifetime.

This will generate a new key on the device using the %KEYGEN AT command and then sign the generated certificate using the CA certificate. The generated certificate is then provisioned onto the device. The firmware will use the IMEI of the device as the MQTT client ID.

Flashing the credentials can time out on the Thingy:91 when using USB if it is running an outdated Connectivity bridge application. The time-out happens when the CA certificate size is above the internal buffer size of the application. Make sure to update to the latest version of the Connectivity bridge application by following the Updating the firmware in the nRF52840 SoC guide.