Energetika-VDS Request a Quote

Research

Secure Provisioning for IoT Device Manufacturing

Published 2026-03-26

X.509, secure elements, AWS DPS, Azure DPS, and the production-side workflow that makes them work.

Summary

  • Secure provisioning gives every device a unique identity at first power-on.
  • Secure elements (ATECC608, NXP EdgeLock) hold private keys that never leave the chip.
  • AWS IoT, Azure DPS, and custom PKI all support production-side enrollment.
  • The production line is where this either works correctly or creates field failures.

Why secure provisioning belongs in production

A connected device that ships without identity has to be provisioned in the field. Field provisioning means a manual step (or a vulnerable auto-enrollment) at install time. Both create operational pain and security exposure.

Production-side provisioning gives the device a unique cryptographic identity before it ships. The device boots, authenticates, and enrolls without manual intervention.

Secure elements

Microchip ATECC608 and NXP EdgeLock are common secure elements for IoT. Both support:

  • ECC private key generation inside the chip (key never leaves)
  • Certificate signing and verification
  • Counter-based replay protection
  • Tamper-evident behavior

The production line generates a key inside the secure element, signs a certificate against the root CA, writes the certificate to the device, and logs the public key against the serial.

X.509 certificate enrollment

X.509 is the standard certificate format. Production-side enrollment typically follows this pattern:

  1. Secure element generates ECC key pair (private key locked in chip)
  2. Production system reads public key
  3. Production system signs certificate using HSM-backed root CA
  4. Certificate written back to device
  5. Public key and certificate fingerprint logged against serial

The root CA private key never touches the production line. It lives in an HSM in a controlled environment.

AWS IoT and Azure DPS

AWS IoT supports Just-in-Time Provisioning (JITP) and Multi-Account Registration. Azure Device Provisioning Service (DPS) supports X.509 attestation, Trusted Platform Module (TPM) attestation, and symmetric key attestation.

Both let the production line preregister devices so they enroll automatically at first cloud connection. The production-side workflow:

  1. Device provisioned with X.509 certificate
  2. Device certificate fingerprint registered with cloud DPS
  3. Device boots in field, presents certificate, enrolls automatically
  4. Cloud assigns device to correct group, downloads configuration

Custom PKI follows the same pattern with internal infrastructure instead of AWS or Azure.

Production-side workflow that works

  • HSM-backed root CA in a controlled environment, accessed through signing API
  • Per-unit key generation inside secure element on the line
  • Certificate signing through API call (no key material exposed)
  • Cloud DPS preregistration as part of provisioning step
  • Per-unit enrollment record logged in production database
  • Optional revocation list management for end-of-life or lost devices

Common pitfalls

  • Root CA private key stored on the production line (not in HSM)
  • Same key burned into multiple devices ("test mode that shipped")
  • Certificate fingerprint logged but not preregistered with cloud DPS
  • Provisioning workflow done by hand on a few units, never scaled

Sources

  • AWS IoT Just-in-Time Provisioning documentation
  • Microsoft Azure Device Provisioning Service documentation
  • Microchip ATECC608 secure element documentation
  • NXP EdgeLock secure element documentation

Quote programmed and tested units

If this research matches your product situation, send files and we will scope production.

Request a Quote View Capabilities