
Device credentials

To connect to Device Management and use the Connect and Update functionalities, a device must have two sets of credentials:

This section focuses on the device credentials (identity certificate and private key) used to connect to the bootstrap or LwM2M servers.

Which credentials your device uses, and how you obtain them, depends largely on the answers to these three questions:

  • Do you want your device to use bootstrap flow or direct LwM2M registration?
  • Do you need development or production credentials?
  • Do you want to use your own certificate authority to generate the device credentials, or use the factory configurator utility (FCU)?

Bootstrap flow or direct LwM2M registration

As explained in the Device onboarding section, Device Management provides two ways to onboard a device:

  • Using bootstrap (preferred option): The device can fall back to the bootstrap flow to renew its LwM2M credentials if they expire or become invalid.
  • Using direct Device Management LwM2M server credentials (only available for commercial accounts): The device cannot fall back to bootstrap. There are also limitations on certificate renewal and connectivity maintenance.

The two options support different scenarios:

Flow Development Production Own CA FCU CA
Bootstrap [x] [x] [x] [x]
Direct LwM2M [x] [x] [x]

Development or production credentials

Device Management supports two kinds of credentials for provisioning devices:

  • Developer mode: Based on a developer certificate, which can support up to 100 devices. With this option, you don't need to go through a full factory process every time you want to test your devices. The full explanation is in the Provision section.

  • Production credentials: You must use a full factory flow to provide your devices with proper production credentials. See the Provision section for more information.

The two options support different scenarios:

Credentials Bootstrap Direct LwM2M Own CA FCU CA
Development credentials [x]
Production credentials [x] [x] [x] [x]

Own certificate authority or FCU CA for device credential generation

When your devices connect to Device Management, they use a certificate to prove that they are linked to your Pelion account. That certificate is generated by a certificate authority (CA). Device Management offers a CA (as part of FCU), but also supports using an existing (third-party) CA. You can read more about it in the Provision section.

The two options support different scenarios:

CA Bootstrap Direct LwM2M Development Production
Own certificate authority [x] [x] [x]
FCU as certificate authority [x] [x] [x]

Note that when using your own certificates in bootstrap mode:

  • It is your responsibility to ensure that they include the right parameters and use the correct format. If your certificate is incorrect, Device Management Client will not be able to connect to Device Management, and you will receive the error MbedCloudClient::ConnectInvalidParameters.

    The mandatory parameters and their correct format are in the Provision section.

  • Device certificates should have an unlimited lifetime (or a very long lifetime, for example 30 years). This is because the client assumes that it will always be able to securely access the bootstrap server, without worrying about expiring device bootstrap certificates.
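The lifetime requirement above can be checked before a certificate is provisioned. The following is an added example, not code from Pelion or the Device Management tools: it parses the text printed by `openssl x509 -noout -dates` and flags bootstrap certificates whose validity window is shorter than a policy minimum. The 30-year threshold follows the example on this page; the function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timezone

# Policy assumption for this example: the page's "very long lifetime" of 30 years.
MIN_LIFETIME_YEARS = 30
# RFC 5280 notAfter value meaning "no well-defined expiration date".
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_dates(text):
    """Parse `openssl x509 -noout -dates` output into (not_before, not_after)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def add_years(moment, years):
    """Shift a date by whole calendar years (Feb 29 falls back to Feb 28)."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)

def check_bootstrap_lifetime(text, now):
    """Return (ok, reason) for one certificate's validity window."""
    not_before, not_after = parse_dates(text)
    if not_before > now:
        return False, "not yet valid"
    if not_after <= now:
        return False, "expired"
    if not_after == NO_EXPIRY:
        return True, "no expiry"
    if not_after < add_years(not_before, MIN_LIFETIME_YEARS):
        return False, f"expires {not_after:%Y-%m-%d}, under {MIN_LIFETIME_YEARS} years"
    return True, f"expires {not_after:%Y-%m-%d}"

# Constructed sample outputs, not taken from real devices.
SAMPLES = {
    "long-lived": "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Jan  1 00:00:00 2055 GMT",
    "one-year": "notBefore=Mar 15 08:30:00 2025 GMT\nnotAfter=Mar 15 08:30:00 2026 GMT",
    "no-expiry": "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Dec 31 23:59:59 9999 GMT",
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, dates in SAMPLES.items():
        print(name, check_bootstrap_lifetime(dates, now))
```

This check covers only the validity period; the mandatory certificate parameters listed in the Provision section need to be verified separately.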