If you’re trying to work on integrating HERE OTA Connect into your device build, it may be helpful to have a little bit of reference information on how the different provisioning methods work together, and what exactly the magic sauce inside credentials.zip is.

credentials.zip file format

First, a table:

Filename in zip Purpose Used by

treehub.json

Location and authentications for treehub and Uptane repo

garage-sign, garage-push

client.crt

Certificate for TLS client authentication

garage-push

client.key

Private key for TLS client authentication

garage-push

root.crt

Root CA for TLS client authentication

garage-push

autoprov_credentials.p12

TLS client credentials for automatic device provisioning

aktualizr, aktualizr_cert_provider, aktualizr_implicit_writer

autoprov.url

URL for automatic provisioning server

aktualizr, aktualizr_cert_provider, aktualizr_implicit_writer

root.json

Initial Uptane root.json (for secure bootstrapping)

garage-sign

targets.pub

Public key for offline Uptane image signing

garage-sign

targets.sec

Private key for offline Uptane image signing

garage-sign

tufrepo.url

URL to Uptane repository

garage-sign

As you can see, the relevant files for the device itself are autoprov_credentials.p12 and autoprov.url.

When you turn on implicit provisioning via HSM, the implicit_writer function in meta-updater takes over. The initial credentials on the device won’t be valid; this is why you need to copy in the generated ones after booting it.

Implicit provisioning required configuration options

More generally, implicit provisioning needs to get various certificates and keys from somewhere. This table summarizes what is needed, and where it comes from in the HSM implicit provisioning case.

Configuration option Where it will come from/what it does

Server URL

Read from credentials archive

Server Root CA cert

Read from credentials archive

Fleet Root CA cert

Chain of trust for a device fleet; provided by the user. Must be uploaded by user to the server.

Fleet Root CA private key

Key for signing device certs in the fleet; provided by user, but used only for signing. Not stored on device.

TLS device cert

Pre-installed in the device HSM; must be signed by Fleet Root CA private key

TLS device key

Pre-installed in the device HSM

Device ID

Read from Common Name field of TLS device cert

Uptane public/private key

Automatically generated by Aktualizr

Uptane primary serial number

Automatically generated by Aktualizr

Primary ECU Hardware ID

Automatically generated by Aktualizr

The "Fleet Root CA" is the one generated in step 1 of the implicit provisioning via HSM instructions.