Create device credentials
For creating device credentials, you must generate the following certificates:
CA root certificate
CA intermediate certificate
Device certificate
Generate a CA root certificate
Note
Make sure that you have exported the right resource group name as $RESOURCE_GROUP. By default, it is set to nrfassettracker.
To create a CA root certificate and register it with the Azure IoT Device Provisioning Service, run the following command:
./cli.sh create-ca-root
Note
The default lifetime for root CA certificates is 1 year.
Run ./cli.sh create-ca-root --help to learn how to customize the lifetime.
Do not share the CA root certificate. The number of CA root certificates is typically very small, and the minimum number of certificates required is one.
Provide the proof of your ownership of the CA with the following command:
./cli.sh proof-ca-root-possession
Note
If you see the error "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.", confirm that your system clock is accurate.
Generate a CA intermediate certificate
To create a CA intermediate certificate and an enrollment group for it, run the following command:
./cli.sh create-ca-intermediate
Note
The default lifetime for intermediate CA certificates is 1 year.
Run ./cli.sh create-ca-intermediate --help to learn how to customize the lifetime.
You can share the CA intermediate certificate with the factory. You will have multiple intermediate certificates over time.
Generate and provision the device certificate
First, make sure you have SEGGER J-Link installed and on your PATH.
Note
Provisioning the certificates through CLI is currently not supported on WSL 2 because it lacks support for serial devices. For more information, see the issue on WSL 2.
Use the CLI to generate and provision a certificate for your device:
./cli.sh create-and-provision-device-cert
# the default board is the Thingy:91; use --dk to program a DK
# when programming a Thingy:91, you most likely need to override the default port: -p /dev/ttyACM2
# pass --help to see the additional options, for example the option that selects a different secTag
Note
The default lifetime for device certificates is 30 years.
Run ./cli.sh create-and-provision-device-cert --help to learn how to customize the lifetime.
This generates a new key on the device using the %KEYGEN AT command, signs the resulting certificate using the CA certificate, and then provisions the signed certificate onto the device.
The firmware will use the IMEI of the device as the MQTT client ID.
Flashing the credentials over USB can time out on the Thingy:91 if it is running an outdated Connectivity bridge application. The time-out happens when the CA certificate is larger than the application's internal buffer. Make sure to update to the latest version of the Connectivity bridge application by following the Updating the firmware in the nRF52840 SoC guide.
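The hierarchy that the three steps above create, shown as an added example that is not the project's cli.sh and touches no device: it builds the same root, intermediate and device certificates with plain openssl so the trust relationships, the proof-of-possession certificate and the lifetimes can be inspected. All names, the IMEI, the verification code and the lifetimes (1 year for the CAs, 30 years for the device, the page's defaults) are constructed placeholders, and the device key is generated locally as a stand-in for the modem's %KEYGEN step. It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the project's cli.sh: the same root -> intermediate -> device
# hierarchy built with plain openssl, so the trust relationships and lifetimes the
# page describes can be inspected. Assumptions: openssl 1.1.1 or newer on PATH;
# names, lifetimes, the IMEI and the verification code are constructed placeholders.
set -eu

# Generate a P-256 key and a CSR with the given CN (the device does this step itself
# with the %KEYGEN AT command; here openssl stands in for the modem).
new_key_and_csr() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Build root CA, intermediate CA and a device certificate under $1 with CN=$2 (the IMEI).
build_chain() {
  dir="$1"; imei="$2"
  mkdir -p "$dir"

  # 1. Root CA, self-signed. Stays with the operator; short lifetime (page default: 1 year).
  new_key_and_csr "$dir/root" "Example Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1

  # 2. Intermediate CA, the one handed to the factory and registered as the enrollment
  #    group. pathlen:0 lets it issue device certificates but no further CAs.
  new_key_and_csr "$dir/int" "Example Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl x509 -req -days 365 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.crt" >/dev/null 2>&1

  # 3. Device certificate with the IMEI as CN, signed by the intermediate (page default
  #    lifetime: 30 years). A leaf: CA:FALSE, clientAuth only.
  new_key_and_csr "$dir/device" "$imei"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/device.ext"
  openssl x509 -req -days 10950 -in "$dir/device.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/device.ext" -out "$dir/device.crt" >/dev/null 2>&1
}

# Proof of possession of the root key: DPS issues a verification code, and a certificate
# carrying that code as CN, signed by the root key, is uploaded to prove the key is held.
issue_verification_cert() {
  dir="$1"; code="$2"
  new_key_and_csr "$dir/verify" "$code"
  openssl x509 -req -days 1 -in "$dir/verify.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/verify.crt" >/dev/null 2>&1
}

# Exit 0 when the device certificate chains to the root through the intermediate.
verify_device_cert() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/device.crt" >/dev/null 2>&1
}

# Same check with the root alone: fails, because the intermediate is a required link.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/device.crt" >/dev/null 2>&1
}

# Evaluate the chain as of a given Unix time. This reproduces the "not within its
# validity period" failure: a 30-year device certificate stops validating once the
# 1-year CA certificates above it expire, and a wrong system clock triggers it early.
verify_device_cert_at() {
  openssl verify -attime "$2" -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/device.crt" >/dev/null 2>&1
}

# CN of a certificate (for the device cert: the IMEI, which the firmware also uses as MQTT client ID).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone run with a constructed IMEI and a placeholder verification code.
WORK=$(mktemp -d)
build_chain "$WORK" 352656100000000
issue_verification_cert "$WORK" PLACEHOLDER-VERIFICATION-CODE
verify_device_cert "$WORK" && echo "device cert for IMEI $(cert_cn "$WORK/device.crt") chains to root via intermediate"
verify_without_intermediate "$WORK" || echo "root alone cannot validate the device cert: the intermediate is required"
```

Two points worth noticing when running it: verification succeeds only when the intermediate is supplied alongside the device certificate, which is why the factory needs the intermediate and why the enrollment group is bound to it; and with -attime set two years ahead the chain fails even though the device certificate itself is valid for 30 years, because the CA certificates above it have expired, the same class of error the validity-period note describes.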