Zero Touch Provisioning
Overview
Zero Touch Provisioning (ZTP) is an automatic and secure way to onboard devices in any IoT cloud platform that authenticates devices with X.509 certificates.
ZTP uses the X.509 standard as the format of its public-key certificates, so any platform that supports X.509 is compatible with the service. Amazon Web Services (AWS), Microsoft Azure and Alibaba Cloud are examples of platforms fully supported by ZTP.
The solution provides an out-of-the-box, simple and cost-effective way to provision the digital certificate and private key in the device securely over the air, which significantly reduces the operational burden and simplifies both the supply chain and the connection to the IoT platform.
The Zero Touch Provisioning feature also includes several trusted Root CA certificates to support all your use cases.
The ZTP cloud onboarding procedure consists of the following steps:
IoT platform registration
Certificate provisioning
Just in time provisioning
Device registration
The sections below explain each step in more detail.
IoT platform registration
This step registers in the IoT platform the Root CA certificate used to sign all the device certificates. The registration is a prerequisite for automating the onboarding of devices, since it avoids creating each device manually and attaching its digital certificate to it.
The operation takes place only once for the entire set of devices that use the same Root CA certificate. When you upload the Root CA certificate to the IoT platform to enable automatic onboarding, the platform provides a registration code with which you prove possession of the corresponding private key. This code is used to generate a Proof of Possession (PoP) certificate signed with that private key. In the diagrams below, AWS is used as the example of a platform supporting the X.509 standard. PoP certificate generation is fully automated.
Note that ISEP and CSP are two components of the u-blox Thingstream platform.
Certificate provisioning
This step covers the generation, signing and provisioning of the digital certificate in the device. These operations, usually performed on the production line, are with ZTP completely automated and triggered by the module when it connects to ISEP for the first time in its life cycle.
Just in time provisioning
This step is the first registration of the device in the IoT platform with the previously provisioned certificate. It allows the IoT platform to authenticate the device and create it as a valid device with its own digital certificate, so that on every subsequent connection the device already exists and only authentication is required.
Device registration
This operation is triggered every time the module requests an IoT service.
AT Commands
The ZTP feature exposes four operations, selected by the parameter of the +USECDEVCERT AT command:
Check provisioning: +USECDEVCERT=0
Returns 0 if the CA certificate, device certificate and private key are present in the RoT (Root of Trust)
Get CA certificate: +USECDEVCERT=1
Returns the CA certificate
Get device certificate: +USECDEVCERT=2
Returns the device certificate
Get private key: +USECDEVCERT=3
Returns the private key
More information, including the response times, is provided in the AT command manual (search the “AT command manual” for +USECCONN).
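The following host-side script is an added example, not u-blox code, of how an application processor would drive the four +USECDEVCERT operations above: check whether the RoT is provisioned, and only then read the CA certificate, device certificate and private key and sanity-check that each one is a complete PEM block with a well-formed DER envelope (a truncated serial read is the usual failure here). The exact layout of the information response (an `+USECDEVCERT: <op>,<data>` prefix in front of the PEM, a final `OK`/`ERROR`, command echo enabled) is an assumption, so the parser only relies on the final result code and strips the prefix if present. A scripted `FakeModem` with constructed placeholder DER payloads stands in for the serial port so the script runs offline; on real hardware pass a `pyserial` `Serial` object instead.

```python
"""Read ZTP credentials from a u-blox module via +USECDEVCERT and sanity-check them.

Added example (not u-blox code). Assumptions:
  - transport exposes write(bytes) and readline() -> bytes (pyserial fits);
  - information response format is '+USECDEVCERT: <op>,<data>' followed by OK,
    which is an assumption; only the OK/ERROR result code is relied upon.
"""
import base64
import re

OP_CHECK, OP_CA_CERT, OP_DEV_CERT, OP_PRIV_KEY = 0, 1, 2, 3

# Which PEM labels are acceptable for each read operation (assumed set).
LABELS = {
    OP_CA_CERT: ("ca_cert", {"CERTIFICATE"}),
    OP_DEV_CERT: ("device_cert", {"CERTIFICATE"}),
    OP_PRIV_KEY: ("private_key", {"PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"}),
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PREFIX_RE = re.compile(r"^\+USECDEVCERT:\s*(?:\d+,)?(.*)$")


class AtError(RuntimeError):
    """Raised on ERROR/+CME ERROR or when the module stops answering."""


def at_query(port, op, max_lines=200):
    """Send AT+USECDEVCERT=<op>; return the response lines before the final OK."""
    port.write(f"AT+USECDEVCERT={op}\r".encode())
    lines = []
    for _ in range(max_lines):
        raw = port.readline()
        if not raw:
            raise AtError("no response from module (timeout)")
        line = raw.decode(errors="replace").rstrip("\r\n")
        if line.startswith("AT+USECDEVCERT"):  # command echo (ATE1), ignore
            continue
        if line == "OK":
            return lines
        if line.startswith("ERROR") or line.startswith("+CME ERROR"):
            raise AtError(line)
        if line:
            lines.append(line)
    raise AtError("response exceeded max_lines without a result code")


def strip_prefix(lines):
    """Drop the '+USECDEVCERT: <op>,' prefix from any line that carries it."""
    return [m.group(1) if (m := PREFIX_RE.match(l)) else l for l in lines]


def is_provisioned(port):
    """+USECDEVCERT=0: True only if the module reports status 0 (all three items in the RoT)."""
    lines = strip_prefix(at_query(port, OP_CHECK))
    if not lines:
        raise AtError("empty response to +USECDEVCERT=0")
    return int(lines[-1].split(",")[-1].strip()) == 0


def parse_pem(text, allowed_labels):
    """Extract one PEM block, check its label, and verify the DER envelope is complete."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block in module response")
    label, body = m.group(1), m.group(2)
    if label not in allowed_labels:
        raise ValueError(f"unexpected PEM label {label!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match payload (truncated serial read?)")
    return der


def read_credentials(port):
    """Return {'ca_cert', 'device_cert', 'private_key'} as DER bytes, or None if not provisioned."""
    if not is_provisioned(port):
        return None
    creds = {}
    for op, (name, labels) in LABELS.items():
        text = "\n".join(strip_prefix(at_query(port, op)))
        creds[name] = parse_pem(text, labels)
    return creds


def _fake_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


class FakeModem:
    """Scripted stand-in for the serial port (constructed data; response layout is assumed)."""
    PLACEHOLDER_DER = b"\x30\x03\x02\x01\x05"  # SEQUENCE { INTEGER 5 }: stands in for a real cert/key

    def __init__(self, provisioned=True, fail_op=None):
        self.fail_op, self.queue = fail_op, []
        pem = lambda label: _fake_pem(label, self.PLACEHOLDER_DER).split("\n")
        self.scripts = {OP_CHECK: [f"+USECDEVCERT: 0,{0 if provisioned else 1}"]}
        for op, label in ((OP_CA_CERT, "CERTIFICATE"), (OP_DEV_CERT, "CERTIFICATE"),
                          (OP_PRIV_KEY, "EC PRIVATE KEY")):
            first, *rest = pem(label)
            self.scripts[op] = [f"+USECDEVCERT: {op},{first}"] + rest

    def write(self, data):
        op = int(re.match(rb"AT\+USECDEVCERT=(\d+)\r", data).group(1))
        self.queue = [data.strip() + b"\r\n"]  # echo
        if op == self.fail_op or op not in self.scripts:
            self.queue.append(b"ERROR\r\n")
        else:
            self.queue += [l.encode() + b"\r\n" for l in self.scripts[op]] + [b"OK\r\n"]

    def readline(self):
        return self.queue.pop(0) if self.queue else b""


if __name__ == "__main__":
    # Real hardware: port = serial.Serial("/dev/ttyUSB0", 115200, timeout=5)
    creds = read_credentials(FakeModem())
    print({k: len(v) for k, v in creds.items()} if creds else "RoT not provisioned yet")
```

Two practical notes: the private key leaves the RoT in clear over the host interface when +USECDEVCERT=3 is used, so treat that link as trusted and never log the returned material; and an unprovisioned module (status other than 0) means the first connection to ISEP has not completed yet, so the host should retry later rather than fall back to a locally generated credential.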
Availability
The Zero Touch Provisioning feature is available from the following FW versions and subsequent releases:
SARA-R500S-00B-00
SARA-R510S-00B-00
SARA-R510M8S-00B-00
ALEX-R510M8S-01B-00