Zero Touch Provisioning


Zero Touch provisioning is an automatic and secure way to onboard devices in any IoT cloud platform that uses X.509  authentication technology.

Zero Touch Provisioning (ZTP) supports X. 509 standard as the format of public-key certificates and so any platform supporting it, is compatible with this service. Amazon Web Services (AWS), Microsoft Azure and Alibaba cloud are some example platforms fully supported by ZTP.

The solution provides an out-of-the-box, simple and cost effective way to provision over-the air and  securely digital certificates and private key in the device, thus significantly minimizing the operational burden and simplifying the supply chain and connection to the IoT platform.

Zero Touch Provisioning feature includes also the availability of several trusted Root CA certificates to support all your use cases.

Following are the steps in ZTP cloud onboarding procedure:

In this section we will explain these steps in more detail.

IoT platform registration

This step has the goal to register in the IoT platform the Root CA certificate used to sign all the device certificates. The registration is a prerequisite to automate the onboarding of the device in the IoT platform, avoiding the need to create each single device manually and attach the digital certificate to it.

The operation take place only once for the entire set of devices that use the same RooT CA certificate.  When uploading the Root CA certificate in the IoT platform to enable automatic onboarding, you will be provided with a registration code to prove the possession of corresponding private key.  This code will be used to generate a Proof of Possession (PoP) certificate signed with the private key.  In the diagrams bellow AWS is mentioned as the example of a platform supporting X.509 standard. PoP certificate generation is fully automated.

Please note that ISEP and CSP are two components of u-blox Thingstream platforms.

Certificate provisioning

This step is about the generation, signature and provisioning of the digital certificate in device . These operations, usually done in the production line, are now (with ZTP) completely automated and  triggered by the module when it connects to ISEP for the first time in its life cycle.

Just in time provisioning

This step is about the first registration of the device in the IoT platform with the certificate previously provisioned.  This operation allows the IoT platform to  authenticate the device and create it in the platform as a valid device with its own digital certificate so that at every subsequent connection the device already exists and only the  authentication is required

Device registration

Operation triggered every time the module requests an IoT Service.

AT Commands

ZTP feature involves 4 different parameters to be used in AT command +USECDEVCERT Command:

returns 0 if CaCertificate, DeviceCertificate and PrivateKey are present in RoT

Returns the CACertificate

Returns the DeviceCertificate

Returns the PrivateKey

For more information on the response time is provided in AT command manual. (You can search the “AT command manual” for +USECCONN)


The Zero Touch Provisioning feature is available from the following FW version an subsequent releases:

Other features

You might be interested also in