Create device credentials

Devices connect to AWS IoT Core using TLS version 1.2 and Elliptic Curve Cryptography (ECC) based certificates.

For creating device credentials, you must generate the following certificates:

  • CA certificate
  • Device certificate

Generate a CA certificate

Creating the CA certificate is a one-time operation. If you have a directory called certificates with a rootCA.pem file in it, you have already completed this step.

It is recommended to use your own Certificate Authority (CA) to create certificates for your devices, because it lets you issue device certificates offline, without calling the AWS IoT API for every device. Protect the CA private key accordingly: anyone holding it can issue certificates that chain to the CA registered in your account.

Run the following script to generate and register a CA certificate in your AWS account:

cd ~/nrf-asset-tracker/aws
node cli create-ca

Note

The default lifetime for CA certificates is 1 year. Run node cli create-ca --help to learn how to customize the lifetime.

Generate and provision the device certificate

First, make sure you have SEGGER J-Link installed and in your PATH.

Note

Provisioning the certificates through CLI is currently not supported on WSL 2 because it lacks support for serial devices. For more information, see the issue on WSL 2.

Use the CLI to generate and provision a certificate for your device:

 node cli create-and-provision-device-cert
 # default secTag is 42
 # default board is the Thingy:91, use --dk to program a DK
 # when programming a Thingy:91, you most likely need to override the default port: -p /dev/ttyACM2
 # pass --help to see the additional options, for example, the option to use a different secTag

Note

The default lifetime for device certificates is 30 years. Run node cli create-and-provision-device-cert --help to learn how to customize the lifetime.

This generates a new private key inside the device's modem with the %KEYGEN AT command, so the private key never leaves the device; the modem returns a certificate signing request (CSR), which the CLI signs with your CA to produce the device certificate. The signed device certificate is then provisioned onto the device under the chosen secTag. The firmware uses the device's IMEI as the MQTT client ID.
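The two steps above (a CA created once, then a CA-signed certificate per device) can be reproduced with plain openssl to see what certificate material the CLI produces and to verify it. The script below is an added example and is not part of nrf-asset-tracker. It assumes openssl is on your PATH, generates the device key on the host as a stand-in for %KEYGEN (on real hardware the private key is created inside the modem and only the CSR is read back), uses a made-up directory layout and a constructed IMEI as the certificate's common name, and applies the CLI's default lifetimes of 1 year for the CA and 30 years for the device certificate.

```shell
#!/bin/sh
# Added example, not part of nrf-asset-tracker: builds the same kind of
# certificate material as `node cli create-ca` and
# `node cli create-and-provision-device-cert` with plain openssl, so it can
# be inspected and verified. Assumptions: openssl on PATH; the device key is
# generated on the host (stand-in for %KEYGEN, which on real hardware keeps
# the private key inside the modem and only hands back a CSR); directory
# names and the IMEI used below are constructed placeholders.
set -eu

# One-time step: ECC P-256 CA key and self-signed CA certificate.
#   $1 = output directory, $2 = lifetime in days (the CLI default is 1 year)
make_ca() {
  mkdir -p "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/rootCA.key"
  openssl req -x509 -new -key "$1/rootCA.key" -sha256 -days "$2" \
    -subj "/CN=Example asset tracker CA" -out "$1/rootCA.pem"
}

# Per-device step: key + CSR (stand-in for %KEYGEN), then CA-signed certificate.
# The CSR's CN is the IMEI here so the certificate identifies the device.
#   $1 = directory holding rootCA.*, $2 = IMEI, $3 = lifetime in days
#   (the CLI default is 30 years, i.e. 10950 days)
make_device_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
    -CAcreateserial -sha256 -days "$3" -out "$1/$2.pem"
}

# Checks a practitioner would run on the result.

# $1 = directory, $2 = IMEI; exit 0 only if the device cert chains to rootCA.pem
verify_chain() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/$2.pem" >/dev/null
}

# $1 = certificate; exit 0 if its public key is an EC key (what IoT Core expects here)
is_ecc() {
  openssl x509 -in "$1" -noout -text | grep -q 'id-ecPublicKey'
}

# $1 = certificate, $2 = years; exit 0 if the certificate is still valid that far ahead
valid_in_years() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 365 * 86400 )) >/dev/null
}

# $1 = certificate; prints the subject in RFC 2253 form, e.g. CN=123456789012345
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Example run (constructed IMEI, temporary directory):
#   d=$(mktemp -d)
#   make_ca "$d" 365
#   make_device_cert "$d" 123456789012345 10950
#   verify_chain "$d" 123456789012345 && echo "device cert chains to CA"
#   cert_subject "$d/123456789012345.pem"
```

The same checks are worth running on the output of the real CLI: openssl verify against rootCA.pem confirms that the device certificate chains to the CA you registered, and openssl x509 -checkend shows how long each certificate remains valid. Note that openssl verify checks the validity period of every certificate in the chain, so a 30-year device certificate signed by a 1-year CA stops verifying locally once rootCA.pem expires; plan CA renewal, or pick a longer CA lifetime with the option shown by node cli create-ca --help, accordingly.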