Device Provisioning

In this chapter, you’ll provision the device for connectivity to AWS IoT Core using the on-board Microchip ATECC608 Trust&GO secure element to establish a TLS connection. The private key is generated inside the secure element and never leaves it, so the hardware root of trust gives you a simplified and faster provisioning path with no key material to handle or protect on the host. You retrieve the pre-provisioned device certificate (which carries the device’s public key) from the secure element and use it to create an AWS IoT thing (the representation and record of your device in AWS IoT). The secure element’s unique serial number is used as the MQTT client ID to register and identify the device in AWS IoT Core. The same process can be automated to deploy fleets of thousands or millions of devices.

If you have any other project already open in VS Code, first open a new window (File > New Window) to have a clean file Explorer and working environment.

For this tutorial, you will use the Blinky-Hello-World project. In your new VS Code window, click the PlatformIO logo in the VS Code activity bar (leftmost menu), select Open from the left PlatformIO menu, click Open Project, navigate to the Core2-for-AWS-IoT-EduKit/Blinky-Hello-World folder, and click Open.

[Figure: PlatformIO home screen. 1 - Open PIO menu, 2 - Open PIO home, 3 - Open the project folder]

Retrieving the Device Certificate and Registering your AWS IoT thing

To make a secure TLS connection and exchange MQTT messages with AWS IoT Core, you need to register a thing, register the device certificate (which carries the device’s public key) and attach it to the thing, and attach an AWS IoT policy to the certificate so that a rogue device, or a legitimate device attempting operations it is not entitled to, is denied within your AWS account. Because the Core2 for AWS IoT EduKit reference hardware includes a secure element, the entire device registration can be automated without ever exporting or handling the private key. Included in the project is a script that automates the process: it retrieves the pre-provisioned device certificate from the reference hardware’s secure element, generates a device manifest by signing a record of that certificate with the key of an X.509 signing certificate (so the manifest can be verified before anything is registered), registers the Microchip (secure element manufacturer) CA with AWS IoT so that the device certificate it issued can be registered without a CSR, registers the thing in AWS IoT together with the device certificate, and attaches a policy to the device certificate. Note that AWS IoT policies attach to certificates, which are the authenticated principal, not to things.

To run the provided script using the PlatformIO CLI terminal window, expand the instructions for your host machine’s OS:

Ubuntu or macOS
Windows
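The registration sequence the script carries out, written as an added example against the boto3 `iot` client API. This is not the EduKit project’s own registration helper. It assumes the Microchip signer CA has already been registered in the account with RegisterCACertificate (a one-time step), that the thing name equals the MQTT client ID (the secure element serial number), and that the region, account ID, policy name, thing names and the two PEM strings are constructed placeholders. `RecordingIotClient` is a hypothetical offline stand-in for `boto3.client("iot")` so the call sequence can be checked without AWS credentials. The policy goes one step beyond the chapter: it scopes every action to the thing the certificate is attached to, so a registered but unattached certificate, or a device reusing another device’s client ID, is denied.

```python
"""Added example: AWS IoT registration sequence against the boto3 `iot` API.
Not the EduKit project's registration helper. Assumes the Microchip signer CA
is already registered (RegisterCACertificate) and thing name == client ID."""
import json
from typing import Any, Dict, List, Tuple


def least_privilege_policy(region: str, account_id: str) -> Dict[str, Any]:
    """Policy scoped to the thing the connecting certificate is attached to.

    ${iot:Connection.Thing.ThingName} only resolves when the certificate
    presented at TLS time is attached to a thing, so an unattached certificate
    or a client using someone else's client ID matches no Resource and is denied.
    """
    base = f"arn:aws:iot:{region}:{account_id}"
    thing = "${iot:Connection.Thing.ThingName}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{base}:client/{thing}",
             # Refuse connections from certificates not bound to a thing.
             "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{base}:topic/{thing}/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{base}:topicfilter/{thing}/*"},
        ],
    }


def provision_device(iot: Any, thing_name: str, device_cert_pem: str,
                     signer_ca_pem: str, policy_name: str,
                     region: str, account_id: str) -> str:
    """Register one device without touching its private key; returns the cert ARN.
    `iot` is boto3.client("iot") in real use, or the offline stand-in below."""
    # 1. Register the certificate issued by the already-registered Microchip CA.
    #    No CSR is generated and no key material leaves the secure element.
    cert_arn = iot.register_certificate(certificatePem=device_cert_pem,
                                        caCertificatePem=signer_ca_pem,
                                        status="ACTIVE")["certificateArn"]
    # 2. The thing is the record of the device; its name is the client ID.
    iot.create_thing(thingName=thing_name)
    # 3. Policies attach to the certificate (the authenticated principal),
    #    not to the thing. One fleet-wide policy is created once and reused.
    policy_doc = json.dumps(least_privilege_policy(region, account_id))
    try:
        iot.create_policy(policyName=policy_name, policyDocument=policy_doc)
    except iot.exceptions.ResourceAlreadyExistsException:
        pass
    iot.attach_policy(policyName=policy_name, target=cert_arn)
    # 4. Binding certificate -> thing is what makes the ThingName policy
    #    variable resolve; without it the device cannot even connect.
    iot.attach_thing_principal(thingName=thing_name, principal=cert_arn)
    return cert_arn


class RecordingIotClient:
    """Hypothetical offline stand-in for boto3.client("iot"): records every call
    and hands back ARNs in the real format so the sequence can be checked."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class ResourceAlreadyExistsException(Exception):
            pass

    def __init__(self, region: str = "us-east-1", account_id: str = "123456789012"):
        self.calls: List[Tuple[str, Dict[str, Any]]] = []
        self.policies: set = set()
        self._base = f"arn:aws:iot:{region}:{account_id}"

    def register_certificate(self, **kw: Any) -> Dict[str, str]:
        self.calls.append(("register_certificate", kw))
        cert_id = f"{len(self.calls):064x}"  # real certificate IDs are 64 hex chars
        return {"certificateArn": f"{self._base}:cert/{cert_id}", "certificateId": cert_id}

    def create_thing(self, **kw: Any) -> Dict[str, str]:
        self.calls.append(("create_thing", kw))
        return {"thingName": kw["thingName"], "thingArn": f"{self._base}:thing/{kw['thingName']}"}

    def create_policy(self, **kw: Any) -> Dict[str, str]:
        self.calls.append(("create_policy", kw))
        if kw["policyName"] in self.policies:
            raise self.exceptions.ResourceAlreadyExistsException(kw["policyName"])
        self.policies.add(kw["policyName"])
        return {"policyName": kw["policyName"]}

    def attach_policy(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("attach_policy", kw))
        return {}

    def attach_thing_principal(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("attach_thing_principal", kw))
        return {}


# Constructed placeholders, not real certificates: the stand-in never parses them.
DEVICE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-DEVICE-CERT\n-----END CERTIFICATE-----\n"
SIGNER_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SIGNER-CA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    client = RecordingIotClient()
    # Thing name / client ID: the secure element serial number (placeholder value).
    arn = provision_device(client, "0123abcdef012345ee", DEVICE_CERT_PEM, SIGNER_CA_PEM,
                           "EduKitDevicePolicy", "us-east-1", "123456789012")
    for name, kwargs in client.calls:
        print(name, sorted(kwargs))
    print("certificate:", arn)
```

With a real client, `provision_device` runs the same five calls against your account; the policy variable approach means the device firmware must connect with a client ID identical to the thing name, which is why the chapter uses the secure element serial for both.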

Chapter Conclusion

In this chapter, you used the secure element and the registration script to create an AWS IoT thing, register the device certificate and attach it to the thing, and attach a permissions policy to that certificate. All of this was done without ever exposing the private key, which removes one avenue for it to be compromised.

On to Connecting to AWS IoT Core.
