
I'm trying to get an application running in Amazon FreeRTOS that uses the just-in-time provisioning mechanism to allow provisioning of a fleet of devices.

I have run through the steps to set up a demo application in FreeRTOS for an Espressif ESP32 device. This works fine, but it involves effectively manually copying your credentials directly into the source code, in one of the scripts you run. Good proof of concept, but no good for production.

I have separately run through the process of setting up JITP in the AWS backend. The last step is to manually invoke mosquitto from bash to send up a fake message, mimicking an MQTT transmission from a device.

This has the effect of correctly provisioning a device.

My question is: how do I take these building blocks and build multiple hardware devices and have them all provision and connect successfully to AWS IoT?

Some specific points:

  1. What files go into the device firmware? I confess a lack of expertise in the crypto and certificates side. My guess would be I need to put root.cert, deviceCertAndCACert.crt and deviceCert.key into the device and ping the MQTT request exactly as per the fake message. But how does this vary for multiple devices? What distinguishes one device from another?

  2. I assume the actual code in the hardware device is the same for all devices. Is this assumption valid?

  3. If I succeed in provisioning a large number of devices, how do I handle the incoming data stream in AWS IoT? I would envisage invoking a rule to handle the incoming messages.

Mosquitto fake message:

$ mosquitto_pub --cafile root.cert --cert deviceCertAndCACert.crt --key deviceCert.key -h <prefix>.iot.us-east-1.amazonaws.com -p 8883 -q 1 -t foo/bar -I anyclientID --tls-version tlsv1.2 -m "Hello" -d
monkey

1 Answer

  1. You are correct, you need your CA certificate that has the template attached to it from JITP, your device certificate, and your private key. The device certificate & private key should be unique per device, and should be placed on the device once (via running the provisioning demo or via a direct write to the file names expected in iot_pkcs11_pal.c at manufacturing time).

For the CA "JITP/JITR Certificate", you have 2 options: you can either modify iot_pkcs11_pal.c to take in this certificate and store it, or if the JITR certificate is the same between all devices, you can just leave the #define keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM in the code.

With multiple devices, one more thing to consider is the Thing Name: you can use a field of the device certificate to communicate your "Thing Name" to AWS IoT, for example the device certificate CommonName field. The #define clientcredentialIOT_THING_NAME can be replaced with a function (i.e. getThingName()) which parses the certificate and stores the thing name somewhere that other libraries can refer to it. Thing Name should be unique per device; some people use a device unique ID for Thing Names.

When the device connects with a CA set up with JITP, since each device certificate is unique, it can create a different thing (and register the device certificate and attach a policy) for each different device.

  2. Yes, this is valid given that you place the device certificate & private key at manufacturing and programmatically retrieve your thing name as mentioned above.

  3. Once your device is registered with AWS IoT and able to connect and send MQTT messages, you could use AWS IoT Rules to set up rules for what to do with data coming in (this tutorial shows adding data from MQTT messages to DynamoDB, triggering a Lambda function to execute code that you write, or sending an SNS message).

rose