Before you can get started with implicit provisioning, you’ll need the following components:

  • A root CA certificate and private key

  • Device credentials (a certificate and its private key) signed by that root CA

  • The internal root CA certificate of your device gateway

The following instructions describe how you can generate these components. Getting a root CA certificate is beyond the scope of these instructions, but we can show you how to generate a self-signed certificate for testing.

To generate and install root certificates, follow these steps:
  1. Generate a root CA private key and self-signed certificate.

    If you do not have your own CA certificate for signing device certificates, you can generate a self-signed certificate for testing.

    First, create a directory structure for the keys, and grab sample configurations for the certificates from the OTA Community Edition project:

    export SERVER_NAME=myservername
    export SERVER_DIR="./${SERVER_NAME}" DEVICES_DIR="./${SERVER_NAME}/devices" CWD="${PWD}"
    mkdir -p "$DEVICES_DIR" certs
    # --fail makes curl exit non-zero on an HTTP error instead of silently saving an error page as a .cnf
    for file in client.cnf device_ca.cnf server.ext client.ext server.cnf server_ca.cnf; do
      curl --fail -o "certs/${file}" "https://raw.githubusercontent.com/advancedtelematic/ota-community-edition/master/scripts/certs/${file}"
    done

    Then, generate the key and cert using openssl on the command line:

      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/ca.key"
      openssl req -new -x509 -days 3650 -config "${CWD}/certs/server_ca.cnf" -key "${SERVER_DIR}/ca.key" \
        -out "${SERVER_DIR}/server_ca.pem"
    
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/server.key"
      openssl req -new -config "${CWD}/certs/server.cnf" -key "${SERVER_DIR}/server.key" -out "${SERVER_DIR}/server.csr"
      openssl x509 -req -days 3650 -extfile "${CWD}/certs/server.ext" -in "${SERVER_DIR}/server.csr" -CAcreateserial \
        -CAkey "${SERVER_DIR}/ca.key" -CA "${SERVER_DIR}/server_ca.pem" -out "${SERVER_DIR}/server.crt"
      cat "${SERVER_DIR}/server.crt" "${SERVER_DIR}/server_ca.pem" > "${SERVER_DIR}/server.chain.pem"
    
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${DEVICES_DIR}/ca.key"
      openssl req -new -x509 -days 3650 -key "${DEVICES_DIR}/ca.key" -config "${CWD}/certs/device_ca.cnf" \
        -out "${DEVICES_DIR}/ca.crt"

    This creates the ${DEVICES_DIR} directory (./myservername/devices) containing the device CA certificate ca.crt and its private key ca.key. Anyone who holds ca.key can sign credentials for arbitrary devices that your server will then accept as genuine, so keep it offline and access-controlled; only ca.crt leaves this machine in the next step.

  2. Upload the root CA certificate to the server. To add a root CA certificate to HERE OTA Connect, contact ota-support@here.com.

  3. Generate a device certificate and key, and sign it with the root CA you just created.

    Generate a UUID for the device, and make a directory for it:

    export DEVICE_UUID=$(uuidgen | tr "[:upper:]" "[:lower:]")
    export device_id=${DEVICE_ID:-${DEVICE_UUID}} device_dir="${DEVICES_DIR}/${DEVICE_UUID}"
    mkdir -p "${device_dir}"

    Then, generate the device certificate and key using openssl:

      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${device_dir}/pkey.ec.pem"
      openssl pkcs8 -topk8 -nocrypt -in "${device_dir}/pkey.ec.pem" -out "${device_dir}/pkey.pem"
      openssl req -new -config "${CWD}/certs/client.cnf" -key "${device_dir}/pkey.pem" -out "${device_dir}/${device_id}.csr"
      openssl x509 -req -days 365 -extfile "${CWD}/certs/client.ext" -in "${device_dir}/${device_id}.csr" \
        -CAkey "${DEVICES_DIR}/ca.key" -CA "${DEVICES_DIR}/ca.crt" -CAcreateserial -out "${device_dir}/client.pem"
      cat "${device_dir}/client.pem" "${DEVICES_DIR}/ca.crt" > "${device_dir}/${device_id}.chain.pem"
      # absolute target: a relative one would dangle, because a symlink target is resolved from the link's own directory
      ln -sf "${CWD}/${SERVER_NAME}/server_ca.pem" "${device_dir}/ca.pem"
      openssl x509 -in "${device_dir}/client.pem" -text -noout

  4. Add the internal root CA certificate of the device gateway the device will connect to. To fetch the certificate chain the gateway presents, use openssl s_client (the redirect from /dev/null stops it waiting for input on stdin):

    export device_gateway=your-gateway-url
    # For OTA Connect the gateway name looks something like
    #   a3378fca-4e4c-4a5d-b1c2-d5c5ec35b3c2.tcpgw.prod01.advancedtelematic.com
    openssl s_client -connect "${device_gateway}:8000" -servername "${device_gateway}" -showcerts </dev/null | \
      sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "${device_dir}/root.crt"

    Note that -showcerts prints every certificate the gateway sends, so root.crt usually holds the whole presented chain rather than only the root. That is acceptable for a trust bundle, but you are pinning whatever came back over the network: confirm that the last certificate in the file is self-signed (subject equal to issuer) and, ideally, check its fingerprint with whoever operates the gateway before shipping it to devices. If the chain does not end in a self-signed certificate, the gateway did not send its root and you must obtain it out of band.

Once you have the required credentials in place, you can enable implicit provisioning.
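Before pointing a device at the files the four steps produce, it pays to check them: a key that does not match its certificate, a certificate that does not chain to the uploaded CA, or a root.crt that holds only a leaf all surface later as unhelpful TLS handshake failures. The script below is an added example written for this page, not code from the HERE OTA Connect documentation or the ota-community-edition project. It assumes only that openssl is on PATH. Run stand-alone it builds throwaway test material in a temporary directory (a device CA, a device certificate and a deliberately mismatched key, all constructed for the demo); to check real output, call the functions with "${DEVICES_DIR}/ca.crt", "${device_dir}/client.pem", "${device_dir}/pkey.pem" and "${device_dir}/root.crt" instead.

```sh
#!/bin/sh
# Added pre-flight check for implicit-provisioning credentials (example code
# for this page; not from HERE OTA Connect or ota-community-edition).
# Assumes only that `openssl` is on PATH. The demo material built at the end
# is constructed here purely so the checks can be exercised offline.
set -eu

# Number of PEM certificates in FILE (root.crt from `s_client -showcerts`
# normally holds the whole presented chain, not just the root).
count_certs() {
  grep -c -- '-BEGIN CERTIFICATE-' "$1" || true
}

# Print only the last certificate in a PEM bundle (the one nearest the root);
# `openssl x509` on its own would read just the first one.
last_cert() {
  awk '/-BEGIN CERTIFICATE-/ { buf = "" }
       { buf = buf $0 "\n" }
       /-END CERTIFICATE-/ { last = buf }
       END { printf "%s", last }' "$1"
}

# Succeeds when the last certificate in FILE is a self-signed root: issuer
# equals subject and its signature verifies under its own public key.
last_cert_is_root() {
  pem=$(last_cert "$1")
  [ -n "$pem" ] || return 1
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject=//')
  iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] || return 1
  tmpc=$(mktemp)
  printf '%s\n' "$pem" > "$tmpc"
  if openssl verify -CAfile "$tmpc" "$tmpc" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$tmpc"
  return $rc
}

# verify_device_credentials CA_CERT DEVICE_CERT DEVICE_KEY
# Fails unless the certificate chains to the device CA, the key is unencrypted
# PKCS#8 (as step 3 produces it), the key's public half matches the
# certificate, and the certificate is usable for TLS client authentication.
verify_device_credentials() {
  ca=$1 cert=$2 key=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "$cert: does not chain to $ca" >&2; return 1; }
  grep -q -- '-BEGIN PRIVATE KEY-' "$key" ||
    { echo "$key: not an unencrypted PKCS#8 key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "$key: public key does not match $cert" >&2; return 1; }
  openssl x509 -in "$cert" -noout -purpose | grep -q '^SSL client : Yes' ||
    { echo "$cert: not valid for TLS client auth" >&2; return 1; }
}

# ---- stand-alone demo on constructed, throwaway material -----------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = throwaway-device-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$demo/client.ext"

# Device CA, standing in for devices/ca.key and devices/ca.crt from step 1.
openssl ecparam -genkey -name prime256v1 -noout -out "$demo/ca.key"
openssl req -new -x509 -days 1 -config "$demo/ca.cnf" -key "$demo/ca.key" -out "$demo/ca.crt"
# Device key converted to PKCS#8 and a certificate signed by that CA, as in step 3.
openssl ecparam -genkey -name prime256v1 -noout -out "$demo/pkey.ec.pem"
openssl pkcs8 -topk8 -nocrypt -in "$demo/pkey.ec.pem" -out "$demo/pkey.pem"
openssl req -new -config "$demo/ca.cnf" -subj '/CN=device-1' -key "$demo/pkey.pem" -out "$demo/device.csr"
openssl x509 -req -days 1 -extfile "$demo/client.ext" -in "$demo/device.csr" \
  -CA "$demo/ca.crt" -CAkey "$demo/ca.key" -CAcreateserial -out "$demo/client.pem" 2>/dev/null
cat "$demo/client.pem" "$demo/ca.crt" > "$demo/chain.pem"
# A second key that belongs to no certificate, to exercise the mismatch path.
openssl ecparam -genkey -name prime256v1 -noout -out "$demo/other.ec.pem"
openssl pkcs8 -topk8 -nocrypt -in "$demo/other.ec.pem" -out "$demo/other.pem"

if verify_device_credentials "$demo/ca.crt" "$demo/client.pem" "$demo/pkey.pem"; then
  echo "device credentials: OK"
fi
if verify_device_credentials "$demo/ca.crt" "$demo/client.pem" "$demo/other.pem" 2>/dev/null; then
  echo "BUG: mismatched key accepted"; exit 1
else
  echo "mismatched key: rejected, as intended"
fi
echo "chain.pem holds $(count_certs "$demo/chain.pem") certificate(s)"
if last_cert_is_root "$demo/chain.pem"; then echo "chain.pem ends in a self-signed root: OK"; fi
if last_cert_is_root "$demo/client.pem"; then echo "BUG: leaf treated as root"; exit 1; fi
```

The checks deliberately use openssl verify rather than reading the -text dump from step 3 by eye, compare the SubjectPublicKeyInfo of key and certificate textually (both commands emit the same PEM form for the same key), and extract the last certificate of a bundle before testing for self-signature, because openssl x509 silently ignores everything after the first certificate in a file.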