I've been looking around for a clear answer on how to store certificates and/or private keys on a Raspberry Pi for end user distribution. All of the tutorials I have followed so far have you generate the private keys and certificates from the IoT Console, and place them into your device. From there, you can perform secure communication to AWS IoT. But what I don't understand is how would you bootstrap your device for basic communication if you were to begin distributing your "thing smart hub" to end users? Do you preload the device with some basic credentials that allow you to then pair the device with a user account, e.g. a basic credential that allows the thing to at least publish a pairing number every few seconds? Does this pose a potential security threat if someone is somehow able to retrieve this credential for malicious attacks? Or is there a better design pattern?
Viewed 372 times
- Create your own certificate authority to issue each device its own cert, then use [Just in Time](http://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html#auto-register-device-cert) registration. – teppic Jan 22 '17 at 06:33
- So you are saying to create your own certificate authority instead of the one that is provided by Symantec? – user985030 Jan 22 '17 at 06:36
- It's not a replacement for the server cert, just the client. [Details](http://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html)... note the part where it says _You should use the AWS IoT root CA certificate when connecting to AWS IoT even if you register your own root CA certificate. The AWS IoT root CA certificate is used by a device to verify the identity of the AWS IoT servers._ – teppic Jan 22 '17 at 06:53
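The two comments above describe the pattern without showing it, so here is an added example (not code from the question, the commenters, or AWS) of the client-side half: a manufacturing CA kept offline issues each hub its own client certificate with the device serial as the CN, and the registration side checks that a presented cert actually chains to that CA rather than trusting the CN alone. It assumes the `openssl` command-line tool is available; the serial numbers are constructed values, and `WORK` is a scratch directory. The server side is unchanged, as the second comment notes: the device still verifies AWS IoT with the AWS root CA, which this script does not touch. The CA-registration step itself (uploading `ca.pem` together with a verification cert to AWS IoT) is described in the linked docs and is not run here.

```shell
#!/bin/sh
# Added example: per-device client certs from your own CA (not from the original post).
# Assumes: openssl CLI present; WORK is a scratch dir; serials like hub-0001 are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Manufacturing CA: the private key stays offline, it is never copied to a hub.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/CN=Example Hub Manufacturing CA" -out "$WORK/ca.pem" 2>/dev/null
}

issue_device_cert() {
  # $1 = device serial. Each hub gets its own key pair and a cert naming that serial,
  # so compromising one hub's key does not let it speak for any other hub.
  serial="$1"
  openssl genrsa -out "$WORK/$serial.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$serial.key" -subj "/CN=$serial" \
    -out "$WORK/$serial.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$serial.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$serial.pem" 2>/dev/null
}

self_signed_impostor() {
  # A cert carrying the same CN but NOT signed by our CA. Registration must reject it,
  # which is why the check below verifies the chain and not just the subject name.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/impostor-$1.key" \
    -subj "/CN=$1" -days 365 -out "$WORK/impostor-$1.pem" 2>/dev/null
}

verify_device_cert() {
  # $1 = cert basename. Exit 0 only when the cert chains to ca.pem.
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

cert_cn() {
  # Extract the CN (the device serial) from an issued cert; works with old and new
  # openssl subject formats ("subject= /CN=x" and "subject=CN = x").
  openssl x509 -in "$WORK/$1.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone demo: build the CA, issue one hub its cert, check the chain.
make_ca
issue_device_cert hub-0001
verify_device_cert hub-0001 && echo "hub-0001 chains to the manufacturing CA (CN=$(cert_cn hub-0001))"
self_signed_impostor hub-0001
verify_device_cert impostor-hub-0001 || echo "impostor cert for hub-0001 rejected"

# Next step, per the linked AWS docs (not run here): register ca.pem with AWS IoT along
# with a verification cert whose CN is the account's registration code, then enable
# auto-registration so a hub's first TLS connection with its cert creates its thing.
```

Only `ca.pem` leaves the factory with the device, alongside that device's own key and cert; the CA key never does, so a credential pulled off one hub cannot mint certs for others, which answers the "preloaded shared credential" concern in the question.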
- *"for end user distribution"* ... What are you actually delivering (distributing) to each end user? Is it a preconfigured, individualized SD card (or image), or a generic one that has no identity and needs to be registered with your service? – Michael - sqlbot Jan 22 '17 at 16:06
- @Michael-sqlbot I'd be delivering a smart hub that the end user would then need to associate to their account. – user985030 Jan 22 '17 at 16:15
- The "smart hub" is the "thing" from IoT's perspective? – Michael - sqlbot Jan 22 '17 at 16:30
- Yes, that is correct. The smart hub would be a Raspberry Pi or Intel Edison with a bunch of sensors and microcontrollers attached. Each one of those devices could either be controlled from the web interface or directly via physical access. – user985030 Jan 22 '17 at 16:41