Create device credentials

On AWS, devices connect to IoT Core using TLS version 1.2 and Elliptic Curve Cryptography (ECC) based certificates.

To create device credentials, you must generate the following certificates:

  • CA certificate

  • Device certificate

Generate a CA certificate

Creating the CA certificate is a one-time operation. If you have a directory called certificates with a rootCA.pem file in it, you have already completed this step.

Using your own Certificate Authority (CA) to create certificates for your devices is recommended, because it allows you to generate device certificates offline.

Run the following script to generate and register a CA certificate in your AWS account:

cd ~/nrf-asset-tracker/aws
node cli create-ca

Note

The default lifetime for CA certificates is 1 year. Run node cli create-ca --help to learn how to customize the lifetime.

Generate a device certificate

You can use the CLI to generate a certificate for your device. The firmware will use the IMEI of the device as the MQTT client ID. You can get the IMEI of your device using the AT command AT+CGSN. The IMEI is also typically printed on a sticker on the device.

The following is the output of the command:

# AT+CGSN
352656100248049 OK

Use the IMEI when generating the certificate, replacing "imei" with the IMEI of your device:

 node cli create-device-cert -d "imei"

Note

The default lifetime for device certificates is 30 years. Run node cli create-device-cert --help to learn how to customize the lifetime.
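
To check a CA and device certificate pair before flashing credentials, the following added example (not part of the nRF Asset Tracker CLI or its documentation) uses openssl to confirm that a device certificate chains to your CA, carries an ECC key, and names the expected IMEI. It builds a constructed throwaway CA and device certificate so that it runs offline; the P-256 curve, the file names, and the use of the IMEI as the certificate common name are assumptions, not details taken from the CLI.

```shell
#!/usr/bin/env bash
# Added example: check that a device certificate is ECC-based, chains to your
# own CA, and names the expected IMEI. Sample certificates are constructed here.
set -eu

IMEI="352656100248049"   # IMEI from the AT+CGSN output shown on this page
WORK="$(mktemp -d)"      # scratch directory for the constructed sample files

# Build a throwaway ECC CA (1 year) and a device certificate (30 years).
# Assumptions: P-256 curve, file names, and the IMEI as the common name.
make_sample_certs() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
    -subj "/CN=Constructed sample CA" -out "$WORK/ca.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device.key"
  openssl req -new -key "$WORK/device.key" -subj "/CN=$IMEI" \
    -out "$WORK/device.csr"
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 10950 \
    -out "$WORK/device.pem" 2>/dev/null
}

# check_device_cert CA_PEM DEVICE_PEM IMEI
# Returns 0 only if every check passes; prints the first failure otherwise.
check_device_cert() {
  local ca="$1" cert="$2" imei="$3"
  # 1. The device certificate must verify against the CA certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not chain to $ca"; return 1; }
  # 2. The public key must be an elliptic-curve key.
  openssl x509 -in "$cert" -noout -text | grep -q "id-ecPublicKey" \
    || { echo "FAIL: public key is not ECC"; return 1; }
  # 3. The subject common name must be exactly the device IMEI.
  openssl x509 -in "$cert" -noout -subject -nameopt multiline \
    | grep -Eq "commonName += ${imei}\$" \
    || { echo "FAIL: common name is not $imei"; return 1; }
  # 4. Report both expiry dates so the two lifetimes can be compared.
  echo "CA     $(openssl x509 -in "$ca" -noout -enddate)"
  echo "device $(openssl x509 -in "$cert" -noout -enddate)"
}

make_sample_certs
check_device_cert "$WORK/ca.pem" "$WORK/device.pem" "$IMEI"
```

To run the checks against real files, call check_device_cert with the paths to your CA certificate and device certificate and the IMEI reported by AT+CGSN.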