Fleet Provisioning by Claim

Some devices do not have the capability to accept credentials over a secure transport, and the manufacturing supply chain is not equipped to customize devices at manufacturing time. AWS IoT provides a path for these devices to receive a unique identity when they are deployed.

Device makers must load each device with a shared claim certificate in firmware. This claim certificate should be unique per batch of devices. The firmware containing the claim certificate is loaded by the contract manufacturer without the need to perform any customization. When the device establishes a connection with AWS IoT for the first time, it exchanges the claim certificate for a unique X.509 certificate signed by the AWS certificate authority and a private key.

Initial Registration

Devices that want to register with Blackbird Clouds using the Fleet Provisioning service must be registered at production time, in order to establish a whitelist of allowed devices. This registration step is also the only way to obtain the required claim credentials.

This registration is done through an API request to our registration service, authenticated with a Blackbird-provided API key, with a payload containing:

{
	"uuid": "unique device ID",
	"public_key": "Base64 encoded public key used for signing",
	"device_type": "Device type given by Blackbird"
}

This information is then stored by Blackbird and used to verify that the device is allowed to exchange its claim credentials for unique device credentials.

The service then responds with a payload of the form:

{
	"certificate_id": "String identifying the certificate",
	"certificate_pem": "PEM encoded X.509 claim certificate",
	"private_key": "Private key of the claim certificate"
}

The claim certificate, private key and uuid are then stored on the device and used to obtain and rotate device-specific credentials.

The claim certificate and private key returned by this step may be identical across register requests, since the same claim credentials can be issued a number of times depending on Blackbird settings. It is important to use the claim certificate returned by the corresponding register request, as this is checked as part of device validation.
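The device-side handling of the registration response described above, as an added example that is not Blackbird's own code: the response is validated field by field, the claim credentials are written with owner-only permissions, and a SHA-256 fingerprint of the claim certificate is recorded so the device can later confirm it still holds the certificate from its own register request. The sample response, the certificate bytes and the file names (uuid, claim.crt, claim.key) are constructed for the example.

```python
import base64
import hashlib
import json
import os
from pathlib import Path

# Constructed sample response: not a real certificate or key, just bytes shaped like them.
SAMPLE_RESPONSE = json.dumps({"certificate_id": "claim-cert-0001",
    "certificate_pem": "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"constructed-claim-certificate-der").decode() + "\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"})

def parse_registration_response(body):
    # Fail closed: every claim credential field must be present and the certificate must be PEM.
    data = json.loads(body)
    missing = [k for k in ("certificate_id", "certificate_pem", "private_key") if not data.get(k)]
    if missing:
        raise ValueError(f"registration response missing {missing}")
    if not data["certificate_pem"].startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificate_pem is not a PEM certificate")
    return data

def claim_fingerprint(certificate_pem):
    # SHA-256 over the DER bytes, so the stored certificate can be tied to one register response.
    body = "".join(l for l in certificate_pem.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def store_claim_credentials(directory, device_uuid, creds):
    # Persist uuid, claim certificate and key readable only by the owner; return the fingerprint to record.
    base = Path(directory)
    base.mkdir(parents=True, exist_ok=True)
    for name, content in (("uuid", device_uuid), ("claim.crt", creds["certificate_pem"]),
                          ("claim.key", creds["private_key"])):
        fd = os.open(base / name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(base / name, 0o600)  # enforce 0600 regardless of the process umask
    return claim_fingerprint(creds["certificate_pem"])

def verify_claim_store(directory, expected_fingerprint):
    # True only if the stored certificate is the one from the matching register request and is owner-only.
    path = Path(directory) / "claim.crt"
    mode_ok = (path.stat().st_mode & 0o777) == 0o600
    return mode_ok and claim_fingerprint(path.read_text()) == expected_fingerprint
```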

Device Logic

Devices must implement the logic necessary to publish and subscribe to Fleet Provisioning MQTT topics, accept the permanent credentials, and write the credentials to secure storage.

The entire provisioning flow takes place over a TLS 1.2 encrypted connection.

Provisioning Flow