Overview
It is one of the device provisioning ways by AWS for provisioning a device and install unique certificates on it. Devices get shipped with a claim certificate and private key embedded in them. The claim certificate and the private key are shared by all of the devices, it serves a special purpose.
The device uses the claim certificate to generate a unique certificate and its associated private key. It then gets registered as a thing by the associated provisioning template on AWS IoT.
Provisioning setup
- Create a policy for the claim certificate
- Create a claim certificate & attach its policy
- Create a fleet policy
- Create provisioning template
Generate device certificate
- Subscribe to certificate create response topics (success & error response)
- Publish to create certificate request topic
Register as a thing
- Subscribe to Provisioning Templates response topics (success & error response)
- Publish message with template parameters to provision request topic
Provisioning setup
Create a policy for the claim certificate
Sign in to the AWS Management Console, open the AWS IoT consoleIn the left navigation pane, choose Secure , choose Policies, and then click Create . Enter a name for the AWS IoT policy (for example, esp32_claim_policy).- In the Add Statements, select Advanced Mode.
- Copy the Policy for claim certificate: JSON shown below and replace the following values
<aws-region>, <aws-account-id>with your AWS region, account number. - Provide a unique
<templateName>(for example,esp32_fleet_prov_template Click Create.
Policy for claim certificate:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/certificates/create/*",
"arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/provisioning-templates/<templateName>/provision/*"
]
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": [
"arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/certificates/create/*",
"arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/provisioning-templates/<templateName>/provision/*"
]
}
]
}Create a claim certificate & attach its policy
Open the AWS IoT consoleIn the left navigation pane, choose Secure , choose Certificates , and then click Create . Choose One-click certificate creation (recommended) – Create certificate . From the Certificate created! page, download the client certificate files, public key, private key, and Amazon Root CA( Amazon Root CA 1 Choose Activateto activate the client certificate now. - Choose Attach policy, search for the policy created in the earlier section (
esp32_claim_policy). Choose Done.
Create a fleet policy
Open the AWS IoT consoleIn the left navigation pane, choose Secure , choose Policies , and then click Create . Enter a name for the AWS IoT policy (for example, esp32_fleet_policy ). - In the Add Statements, select Advanced Mode.
- Copy Policy for the fleet: JSON shown below and replace the following values
<aws-region> & <aws-account-id>with your AWS region and account number.
Policy for the fleet:
{
"Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow", "Action": "iot:Connect", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*" },
{ "Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*" },
{ "Effect": "Allow", "Action": "iot:Subscribe", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*" },
{ "Effect": "Allow", "Action": "iot:Receive", "Resource": "arn:aws:iot:<aws-region>:<aws-account-id>:*" }
]
}Create a Fleet Provisioning Template
Open the AWS IoT consoleIn the left navigation pane, choose Connect , choose Fleet provisioning templates , and then click Create . - Click Get Started.
- In the Create your template page
- Enter template name used earlier section
( esp32_fleet_prov_template ) and description. - In the Provisioning Role
- Click Create Role, then provide a name to the provisioning role
(for example, esp32_fleet_prov_role ) - Under Optional Settings, check the Use the AWS IoT registry to manage your device fleet option
- Click Next
- In the Define AWS IoT policies page
- Select Use an existing AWS IoT policy
- In the Search policies, enter the fleet policy name (
esp32_fleet_policy) created in the previous section - Click Next
- In the Define AWS IoT registry settings
- Add Thing name prefix (for example,
esp32dkc_) - (Optional) In the Select a group
- Add a group name (for example,
esp32dkc_group), and thenclick Create thing group. Click Create template.- In the Give certificates or users permission to provision devices
- In Use provisioning claim, select Use a certificate previously generated by AWS IoT
- Select the claim certificate created in the earlier section
- Note: Don’t click Attach Policy, as we have already linked in previous sections. Otherwise, the certificate will have a duplicate policy attached.
- Click Enable template
- Click Close
You have to set up the AWS Side of things first before you proceed with device-side setup. That’s because the device uses a claim certificate to connect with AWS IoT for the first time to generate and acquire its unique certificate and private key.
Generate device certificate
The device gets shipped with firmware that has a claim certificate embedded in it. The device connects for the first time using the claim certificate, then it should request to generate a new device certificate from AWS IoT. This is achieved in the following order:
- Subscribe to create certificate response topics (accepted & rejected)
$aws/certificates/create/json/accepted$aws/certificates/create/json/rejected- Publish to create a topic with an empty payload
$aws/certificates/create/json- The response is received on either of the subscribed topics.
- On successfully creating the certificate, the response is received on the accepted topic and contains the following information.
- Certificate Id
- Certificate
- Private Key
- Certificate ownership token
- On failure, the response is received on the rejected topic and contains the following information
- status code
- error code
- error message
- After receiving the certificate the device should register itself as a thing.
Register as a thing
After obtaining the device certificate it is marked as pending activation by AWS IoT. Using the new certificate the should send a registration request to register itself as a thing in the AWS IoT registry. On successful registration, AWS IoT creates the cloud resources based on the provisioning template and then marks the certificate as active and the device appears as a thing on the dashboard. This is achieved in the following order:
Note: <template_name
- Subscribe to register thing response topics (accepted & rejected)
$aws/provisioning-templates/<template_name>/provision/json/accepted$aws/provisioning-templates/<template_name>/provision/json/rejected- Publish to register thing topic with parameters:
$aws/provisioning-templates/<template_name>/provision/json- Publish message parameters:
- Template name
- Certificate ownership token
- Template parameters:
- Serial number
- Certificate Id
- The response is received on either of the subscribed topics.
- On successful registration, the response is received on the accepted topic and contains the following information.
- device configuration (if any)
- thing name
- On failure, the response is received on the rejected topic and contains the following information
- status code
- error code
- error message
After successfully registering the device, the device should save the new certificate and disconnect. Then for the following new connections, it should use the new certificate. The claim certificate and private key would no longer exist on the device.