AN1386: Bluetooth Mesh Certificate-Based Provisioning
Creating Example Certificate Authority and Device Certificate
silabs.com | Building a more connected world. Rev. 0.1 | 6
3 Creating Example Certificate Authority and Device Certificate
This section describes how to create an example certificate authority and device certificate. The method described here is only in-
tended for evaluation and should not be used in a production environment. For production, users are encouraged to obtain root
certificates from a qualified certificate authority (CA). Users are strongly discouraged from acting as their own CA.
Certificate-Based Provisioning, as its name suggests, relies on certificates. Each device that participates in Certificate-Based provisioning
must be preprogrammed with a:
• private key, which can be used to prove the identity of the device.
Note: It is critical that the device private signing key be stored securely.
• One of the following:
• Corresponding device certificate, which holds the identity of the device (including the public key of the device), optionally
with one or more intermediate certificates
• URI pointing to a server where the device certificate can be downloaded
Additionally, the provisioner must know which are the trusted devices. Therefore, the provisioner must be preprogrammed with the root
certificate(s) used to create the certificate chain of any device to be provisioned with a Certificate Authority (CA) Certificate, which can
be used to validate any certificate that belongs to a trusted device.
Putting this into practice, the following steps must be done before Certificate-Based Provisioning can be applied:
1. A CA Certificate must be created (with self-signing) along with a CA private key that will be used to sign all the device certificates.
This is done on a computer. Note that the private key must be securely stored, preferably in a hardware security module (HSM). At
a minimum, the private key must not leave this machine.
2. Each device must generate a private key. These private keys must be generated on the devices, and they must not leave the devices.
3. Each device must generate its device certificate signing request, which holds its public key (generated from its private key) and the
credentials.
4. Each device must get its device certificate signing request signed by the CA. To do this, the certificate signing request must be
transmitted to the central machine (this can be done via UART), and the signed certificate must be transmitted back to the device.
5. The CA certificate must be stored on the provisioner so that it can validate the device certificates of the provisionee devices.
Because this process is not easy to implement, Silicon Labs provides sample applications that do all the required steps.
• The Bluetooth Mesh - SoC CSR Generator sample app generates the private key and the device certificate signing request on the
device. It can also be used to connect to the certificate authority and send over the device certificate signing request to be signed.
• The create_authority_certificate.py (CA) Python script can be used to generate the CA certificate along with the private key. It also
creates a header file with the CA certificate that can be stored on the devices.
• The production_line_tool.py (PLT) Python script can be used for reading out the device certificate signing requests (CSRs) from
the requesting devices, signing the CSRs with the CA private key, and flashing them back to the device.
Note: the private key used by this script is visible in plain text, therefore this tool is not to be used in a secure production environment,
a hardware security module (HSM) must be used instead.
The Python scripts can be found in the following folder: {SDK_folder}/app/bluetooth/script/certificate_authorities.