|
Note
|
We recommend that you view this article in our documentation portal. Not all of our articles render correctly in GitHub. |
If you’re trying to work on integrating OTA Connect into your device build, it may be helpful to have a little bit of reference information on how the different provisioning methods work together, and exactly what components are inside credentials.zip.
The following files are present in credentials.zip:
| Filename in zip | Purpose | Used by |
|---|---|---|
api_gateway.url |
URL for gateway to Director |
garage-sign |
treehub.json |
URL and OAuth2 authentication for treehub and Uptane repo |
garage-sign, garage-push, garage-deploy |
client_auth.p12 |
TLS client credentials for authentication with treehub |
garage-push, garage-deploy |
autoprov_credentials.p12 |
TLS client credentials that are required when provisioning devices with shared credentials |
aktualizr, aktualizr-cert-provider |
autoprov.url |
URL for provisioning server |
aktualizr, aktualizr-cert-provider |
root.json |
Initial Uptane root.json (for secure bootstrapping) |
garage-sign |
targets.pub |
Public key for offline Uptane image signing |
garage-sign |
targets.sec |
Private key for offline Uptane image signing |
garage-sign |
tufrepo.url |
URL to Uptane repository |
garage-sign |
As you can see, the relevant files for the device itself are autoprov_credentials.p12 and autoprov.url.
When provisioning with device credentials, OTA Connect needs to get various certificates and keys from somewhere. The following table summarizes what is needed, and where it comes from in the HSM.
| Configuration option | Where it will come from/what it does |
|---|---|
Server URL |
Read from credentials archive |
Server Root CA cert |
Read from credentials archive |
Fleet Root CA cert |
Chain of trust for a device fleet; provided by the user. Must be uploaded by user to the server. |
Fleet Root CA private key |
Key for signing device certs in the fleet; provided by user, but used only for signing. Not stored on device. |
TLS device cert |
Pre-installed in the device HSM; must be signed by Fleet Root CA private key |
TLS device key |
Pre-installed in the device HSM |
Device ID |
Read from Common Name field of TLS device cert |
Uptane public/private key |
Automatically generated by Aktualizr |
Uptane primary serial number |
Automatically generated by Aktualizr |
Primary ECU Hardware ID |
Automatically generated by Aktualizr |
|
Note
|
The "Fleet Root CA" is the one generated in step 1 of the use a Hardware Security Module to provision with device credentials. instructions. |