It all works correctly, but how can I handle this in mass production?
I do not want to manually add to the firmware all the certs and keys and recompile the firmware for each device.
What device is it?
I guess all that data (certificates, keys etc.) together with the program to handle it will ultimately be a flash memory image. Or what storage type do you have in mind?
OK. So each device is unique in that it has a different set of certificates, keys etc. loaded.
Then this is not really just a manufacturing problem.
You have to give each device a unique identifier somehow (or record the inbuilt unique identifier) and make a mapping between the device unique identifier and the data set (certificates, keys etc.) that has to be loaded onto the device.
All devices will have a standard software loaded. At first start, they contact a server and download a unique data set to complete the set up.
Tools like esptool (for ESP32 etc.) can be used to get the original standard code onto the device.
Or at least, that is how I see it. Maybe someone with more experience in mass MCU rollouts can suggest something better.
It all works correctly, but how can I handle this in mass production?
I do not want to manually add to the firmware all the certs and keys and recompile the firmware for each device.
Is there any general rule/advice to handle this?
Hope my question is clear enough
Your question is very clear, but you have missed the procedure to test EACH device that has been manufactured. OR do you intend to release devices that have not been tested and let the end user be your tester?
Don't know actually, I was wondering how to handle this.
My main issue is how to automatically add certs and keys onto different devices using the same firmware, or a tool that can do this, instead of adding them manually and then rebuilding the firmware for each device.
After that (if I understood your reply correctly) there will be a test phase where I ensure that each device connects correctly to the server, and the server "recognizes" each device by a different device cert.
Question:
server cert: will be the same for all the devices
device cert: different for all devices (needs to be added to the server, right?)
What about public and private keys?
Do I need to create/handle key pair for each device?
I have to say (but I think it is clear) that I'm new to TLS, certs, keys etc...
Well, if you came to me for production quantities, you would need to supply the test procedure, the test equipment and any test software necessary for me to certify the manufactured device was correctly built.
Otherwise you would have to sign a statement of acceptance of untested devices.
What tool did you use to generate the certificate for the device you are making (and its corresponding private/public key pair)? Have you got so far that you already have a working prototype which can authenticate itself with some resource (network/server etc.)?
For the systems I have had experience with (mainly Windows), the end devices, when they require a new or initial certificate, generate a public/private key pair themselves and make a certificate request to a central server, sending the public key. That server generates the actual certificate and sends it back to the requester, keeping, of course, a copy of the public key.
Important for security is that the private key of the device certificate is kept secret and also that the private key of the certificate issuing authority is kept secret.
I'm also curious to see what solutions are available for mass microcontroller-based device rollouts which are practical and secure.
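The flow described in the reply above (each device generates its own key pair, sends only a certificate request to the central issuer, and gets a signed certificate back), combined with the earlier point about keeping a mapping from device unique id to the data set issued to it, as an added example that is not code from this thread. It assumes the openssl command-line tool is installed, uses constructed device ids in the role of a board's factory-set MAC, and stands in for the "central server" with a local private CA whose key would live offline or in an HSM in a real rollout.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is installed.
# Roles: "CA" = the central issuer of device certificates; "device" = a board at
# first boot. Only the CSR (carrying the public key) travels device -> CA; the
# device's private key never leaves the device. The CA keeps a device-id -> serial
# table so a specific device's certificate can be located and revoked later.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# One-off: issuing CA key and self-signed CA certificate, plus the empty registry.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -x509 -new -key ca.key -out ca.crt -days 3650 \
    -subj "/CN=Example Device CA" 2>/dev/null
  printf 'device_id,serial\n' > registry.csv
}

# Device side: fresh key pair and a CSR whose CN is the board's unique id
# (constructed ids are used below in place of a real chip MAC).
device_make_csr() {  # $1 = device id
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
}

# CA side: sign the CSR and record id -> certificate serial in the registry.
ca_sign_csr() {  # $1 = device id
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.crt" 2>/dev/null
  serial="$(openssl x509 -in "$1.crt" -noout -serial | sed 's/^serial=//')"
  printf '%s,%s\n' "$1" "$serial" >> registry.csv
}

# Checks a factory test station would run before a board ships: the certificate
# chains to our CA, and its public key matches the device's private key.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}
verify_device() {  # $1 = device id
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 || return 1
  key_matches_cert "$1.key" "$1.crt"
}

# Lookup used when a device is lost or compromised: which serial was issued to it.
serial_for() {  # $1 = device id
  grep "^$1," registry.csv | cut -d, -f2
}

# Batch provisioning: the same three steps for every id on the line.
provision_batch() {  # $@ = device ids
  for id in "$@"; do
    device_make_csr "$id"
    ca_sign_csr "$id"
    verify_device "$id" || { echo "FAIL $id" >&2; return 1; }
  done
}

make_ca
provision_batch 24-6F-28-00-00-01 24-6F-28-00-00-02 24-6F-28-00-00-03
cat registry.csv
```

The only per-device artefact that has to be written into flash at the factory is the device's own key (or, better, the device generates it at first boot and never exposes it); the server side needs just the registry row to tie a unique id to the certificate it trusts.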
6v6gt:
I'm also curious to see what solutions are available for mass microcontroller-based device rollouts which are practical and secure.
If you buy the microprocessors from Digikey, they have a programming service for them. I have had several customers use it. But not Arduinos, of course.
Paul_KD7HB:
If you buy the microprocessors from Digikey, they have a programming service for them. I have had several customers use it. But not Arduinos, of course.
Paul
It is clear that there is the possibility of a custom load of software, maybe even at manufacture. But what is special in this case is that every device will have its own unique certificate set installed. These certificates/keys could be around 4KB each, although it would be good if the OP gave more specific details here.
What tool did you use to generate the certificate for the device you are making (and its corresponding private/public key pair)? Have you got so far that you already have a working prototype which can authenticate itself with some resource (network/server etc.)?
Actually I did a demo with an Onion Omega board following this tutorial: Onion AWS, and I want to port this to an Arduino board or ESP32 on another server (could be different from AWS) but keeping mutual authentication.
The main issue is how to perform the creation and uploading of certificate/keys for each device.
I can do it manually for 10 pcs, but what if I have 10k devices?
I was wondering if there was a tool or general procedure to do this.
If you buy the microprocessors from Digikey, they have a programming service for them. I have had several customers use it. But not Arduinos, of course
Do you mean that Digikey could sell me MCUs with the firmware already uploaded, right?
That "Onion AWS" tutorial shows that, under an Amazon Web Services (AWS) account, you can generate a request for one certificate (or maybe many, using the "Create many things" option). All this is done on a PC. Afterwards, you are going to have to download the created certificates and key sets to your devices. Each device will have a unique certificate.
Do you need to know which certificate has been allocated to a specific device in case, say, the certificate is later revoked?
I guess you should look at (A) integrating an ESP32, or whatever your final choice of device is, with (1) your application and (2) AWS, so you have a clearer idea of how the certificate has to be packaged onto each device. Then (B) explore the bulk or batch certificate generation options available from AWS.
Is each purchaser of one of your devices expected to have their own AWS account, or can they use devices with certificates acquired under your account?
Incidentally, a Google search for "aws arduino esp32" returned a number of hits, but I've not looked at the detail.
Do you mean that Digikey could sell me MCUs with the firmware already uploaded, right?
Yes! One of our recent customer's products used a microprocessor that we had no matching programming device for. We arranged for the purchase and programming with Digikey. Never had a problem/failure.