Device Provisioning

In this chapter, you’ll provision your device to connect to AWS IoT Core using the on-board Microchip ATECC608 Trust&GO secure element to establish a TLS connection. The built-in hardware root of trust gives you a simplified and expedited provisioning path while never exposing the private key. You can retrieve the device certificate (which carries only the public key) that is built into the device to create an AWS IoT thing (a representation and record of your device). The secure element’s unique serial number will be used as the client ID to register and identify the device in AWS IoT Core. You can use similar processes to automate the fleet deployment of thousands or millions of devices at a time.

If you have any other project already open in VS Code, first open a new window (File > New Window) to have a clean file Explorer and working environment.

For this tutorial, you will use the Blinky-Hello-World project. In your new VS Code window, click the PlatformIO logo in the VS Code activity bar (the leftmost menu), select Open from the left PlatformIO menu, click Open Project, navigate to the Core2-for-AWS-IoT-EduKit/Blinky-Hello-World folder, and click Open.

[Figure: PlatformIO home screen. 1 - Open PIO menu, 2 - Open PIO home, 3 - Open the project folder]

Retrieving the Device Certificate and Registering your AWS IoT thing

To create a secure TLS connection over MQTT to AWS IoT Core, you need to register a thing, attach the device certificate (public key) to the thing, and attach a security policy to the certificate so that rogue devices cannot connect and rogue operations cannot be performed within your AWS account. Because the Core2 for AWS IoT EduKit reference hardware includes a secure element, the device registration process can be automated without ever exposing or handling the sensitive private key. Included in the project is a script that automates this process. The script retrieves the pre-provisioned device certificate from the reference hardware’s secure element, places the device certificate and additional device metadata into a manifest file, and signs the manifest file with a locally generated X.509 certificate. The script then uses the Microchip TrustPlatform tools to read the manifest file from disk, verify that its contents have not been tampered with by checking the signature against the X.509 certificate, perform a just-in-time registration of the Microchip (secure element manufacturer) Certificate Authority (CA), register the thing in AWS IoT with the device certificate, attach a security policy to the AWS IoT thing, and add the AWS IoT MQTT broker endpoint address to the device firmware configuration. This process can be scaled to onboard tens of thousands of devices to AWS IoT at a time.

To run the registration helper script using the PlatformIO CLI terminal window:

cd Blinky-Hello-World
pio run -e core2foraws-device_reg -t register_thing
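The manifest sign-then-verify step that the script performs, as an added example in Go using only the standard library (this is not the EduKit project's or the TrustPlatform tools' code). The manifest field names, the P-256 key and the self-signed signing certificate are assumptions standing in for the script's locally generated X.509 certificate; a real run fills the record from the secure element instead of a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"math/big"
	"time"
)

// Manifest: the device record the script collects (illustrative field names, not the TrustPlatform schema).
type Manifest struct {
	SerialNumber string `json:"serialNumber"` // secure element serial, reused as the MQTT client ID
	DeviceCert   string `json:"deviceCert"`   // PEM of the pre-provisioned device certificate (public part only)
}

// NewSigner makes a throwaway P-256 key and self-signed X.509 cert, standing in for the script's local signing cert.
func NewSigner() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignManifest serialises m and signs its SHA-256 digest; returns (manifest bytes, DER-encoded ECDSA signature).
func SignManifest(key *ecdsa.PrivateKey, m Manifest) ([]byte, []byte, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return body, sig, err
}

// VerifyManifest needs only the signer certificate: it rehashes body and checks the signature, so any altered byte fails.
func VerifyManifest(cert *x509.Certificate, body, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, body, sig) == nil
}
```

The verifier never needs the signing key, only the certificate, which is why the script can check the manifest on a different host from the one that signed it.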

Chapter Conclusion

In this chapter, you used the secure element and the registration script to create an AWS IoT thing, set up a permissions policy for your thing, and attach the device certificate to the thing. All of this was done without ever exposing the secret private key, which removes one potential avenue for it to be compromised.

On to Connecting to AWS IoT Core.
