This guide explains how to use pregenerated certificates for Foundries.io images in factory settings to speed up manufacturing test and device onboarding processes.
By establishing your own Public Key Infrastructure (PKI) and generating device certificates during manufacturing, you can:
- Eliminate the need for devices to access api.foundries.io during manufacturing
- Pre-provision devices with valid certificates before deployment
- Enable automatic device registration upon first boot
- Significantly reduce manufacturing test and onboarding time
See TIMING_ANALYSIS.md for detailed timing breakdown and optimization analysis.
Quick Summary (based on actual measured times):
- Current total time: 10-13.5 minutes per device
  - Flash: 5 minutes
  - Boot (until yellow LEDs): 2-5 minutes
  - Registration: 30-120 seconds
  - Testing: 2 minutes
- With pregenerated certificates: 9.5-13 minutes per device
  - Registration eliminated (saves 25-115 seconds)
- Time saved: 25-115 seconds per device
- At scale: Save 1.67-2.5 hours per 100 devices
Use ./calculate-savings.sh to calculate time and cost savings for your batch sizes.
Prerequisites:
- Access to a FoundriesFactory
- fioctl tool installed and configured
- Factory API token (OSF-Token)
- Secure storage for private keys (preferably a PKCS#11-compatible HSM)
Generate your Factory's root CA using fioctl:

```bash
fioctl keys ca create /absolute/path/to/certs/
```

This command generates:
- factory_ca.pem - Root certificate (trust anchor)
- factory_ca.key - Root private key (store securely!)
Security Note: The root CA private key is critical. Store it securely, preferably using a PKCS#11 compatible Hardware Security Module (HSM).
You'll need to create intermediate CAs for device authentication. Foundries.io supports two types:
- Online CA: Managed by Foundries.io, used for devices registering via lmp-device-register
- Local CA: Managed by you, allows certificate generation during manufacturing without internet access
To add a Local Device CA:
```bash
fioctl keys ca add-device-ca /absolute/path/to/certs/ --local-ca
```

This generates a local CA certificate and private key, signed by your root CA.
With your Local CA in place, you can generate client certificates for each device during the manufacturing process:
- Use your Local CA to sign client certificates for each device
- Each device should have a unique certificate
- Store the private keys securely on each device
This approach allows you to provision devices with valid certificates without needing internet connectivity during manufacturing.
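The per-device step above, as an added shell example (this is not Foundries.io's own code or tooling): it assumes the Local CA written by fioctl is named local-ca.pem / local-ca.key inside the certs directory, that the certificate subject carries the device UUID in CN and the Factory name in OU, and that the outputs are named client.pem and pkey.pem as found under /var/sota on an LmP device. The make_test_local_ca helper builds a throwaway, constructed CA only so the script can be exercised without a Factory; in production the fioctl-generated Local CA takes its place. Each issuance is appended to an audit log with the certificate's serial and SHA-256 fingerprint.

```shell
#!/bin/sh
# Added example (not Foundries.io code): mint one client certificate per device
# from the Local Device CA on a manufacturing host with no internet access.
# Assumptions, not taken from the guide: local-ca.pem / local-ca.key naming,
# CN=<device UUID> and OU=<factory> in the subject, client.pem / pkey.pem outputs.
# Requires the openssl CLI (1.1.1 or newer).
set -e

# Throwaway self-signed CA (constructed, test only) so the script can be tried
# without a real Factory. In production use the fioctl-generated Local CA.
make_test_local_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/local-ca.key"
    openssl req -new -x509 -key "$dir/local-ca.key" -days 3650 \
        -subj "/CN=constructed-test-local-ca" -out "$dir/local-ca.pem"
    chmod 0600 "$dir/local-ca.key"
}

# gen_device_cert <ca_dir> <factory> <device_uuid> <out_dir>
# Generates a fresh P-256 key, signs a CSR for it with the Local CA, and
# records the issuance. Returns non-zero if any openssl step fails.
gen_device_cert() {
    ca_dir="$1"; factory="$2"; uuid="$3"; out="$4"
    mkdir -p "$out"
    # One key per device: never shared between devices, never copied off the line.
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/pkey.pem"
    chmod 0600 "$out/pkey.pem"
    openssl req -new -key "$out/pkey.pem" -subj "/OU=$factory/CN=$uuid" \
        -out "$out/client.csr"
    # Leaf-only extensions: a device certificate must not be usable as a CA.
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$out/client.ext"
    # Random 128-bit serial: unique per certificate without a shared .srl file.
    openssl x509 -req -in "$out/client.csr" -CA "$ca_dir/local-ca.pem" \
        -CAkey "$ca_dir/local-ca.key" -set_serial "0x$(openssl rand -hex 16)" \
        -days 3650 -sha256 -extfile "$out/client.ext" -out "$out/client.pem"
    rm -f "$out/client.csr" "$out/client.ext"
    record_issuance "$ca_dir/issued.log" "$uuid" "$out/client.pem"
}

# Audit line: when, which device, which serial, which fingerprint.
record_issuance() {
    log="$1"; uuid="$2"; crt="$3"
    printf '%s %s serial=%s sha256=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$uuid" "$(cert_serial "$crt")" "$(cert_fingerprint "$crt")" >> "$log"
}

# Small readers used for the audit log and for checks after issuance.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_device_cert <ca_pem> <client_pem>: exit 0 only if the chain validates.
verify_device_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use:
#   CERTS_DIR=/absolute/path/to/certs FACTORY=your-factory sh gen-device-cert.sh <uuid> <out_dir>
if [ "$#" -eq 2 ]; then
    gen_device_cert "${CERTS_DIR:?set CERTS_DIR}" "${FACTORY:?set FACTORY}" "$1" "$2"
    verify_device_cert "$CERTS_DIR/local-ca.pem" "$2/client.pem" \
        && echo "issued certificate for $(cert_cn "$2/client.pem")"
fi
```

The key is generated on the manufacturing host here because that is the simplest flow to show; where the device has a TPM or secure element, generate the key inside it and have the host sign only the CSR, so the private key never exists outside the device's secure storage. Verify each issued certificate against the Local CA before flashing, and keep issued.log with the CA material so every device certificate can be traced (and, if needed, revoked) later.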
After generating your certificates, upload them to configure your Factory's PKI:

```bash
# Set your factory name and token
export FACTORY="your-factory-name"
export TOKEN="your-osf-token"

# Prepare certificates (escape newlines for JSON)
ROOT_CA_CRT=$(awk -v ORS='\\n' '1' factory_ca.pem)
DEVICE_CA_CRT=$(awk -v ORS='\\n' '1' device_ca_list.pem)
TLS_CRT=$(awk -v ORS='\\n' '1' tls.pem)

# Upload to Foundries.io API
curl "https://api.foundries.io/ota/factories/${FACTORY}/certs/" \
  -s -X PATCH \
  -H "Content-Type: application/json" \
  -H "OSF-Token: $TOKEN" \
  -d '{
    "root-crt": "'"${ROOT_CA_CRT}"'",
    "tls-crt": "'"${TLS_CRT}"'",
    "ca-crt": "'"${DEVICE_CA_CRT}"'"
  }'
```

During the manufacturing process:
- Embed certificates: Integrate the pre-generated client certificates into your device images
- Store private keys securely: Ensure device private keys are stored in secure storage (e.g., TPM, secure element)
- Configure auto-registration: Set up devices to use these certificates for automatic registration upon first boot
For enhanced control, you can deploy a Factory Registration Reference server within your manufacturing environment:
- Handles device authentication and registration locally
- Can be customized to fit your specific manufacturing requirements
- Allows devices to obtain valid client certificates without internet connectivity
This is particularly useful for air-gapped manufacturing environments.
- Faster Manufacturing: No need for devices to access Foundries.io during production
- Offline Capable: Can provision devices without internet connectivity
- Enhanced Security: Full control over your PKI and certificate lifecycle
- Streamlined Onboarding: Devices can authenticate immediately upon deployment
- Production Ready: Devices are ready to connect and operate without additional manual steps
- Secure Key Storage: Use HSMs or secure elements for storing root CA private keys
- Certificate Rotation: Regularly rotate certificates and keys as needed
- Access Control: Limit access to CA private keys to authorized personnel only
- Audit Logging: Maintain logs of certificate generation and device provisioning
- Secure Manufacturing: Ensure secure handling of certificates during manufacturing
For complete official documentation, see OFFICIAL_DOCS.md which contains all Foundries.io documentation links.
Key Official Documentation:
- Foundries.io Device Gateway PKI Documentation - Comprehensive reference manual
- Factory Registration Reference Implementation - Manufacturing process guide
- Device Gateway PKI User Guide - Step-by-step user guide
- Foundries.io Blog: Device Gateway PKI - Overview and benefits
- Set up your Factory PKI using fioctl
- Generate test certificates for a few devices
- Integrate certificate generation into your manufacturing workflow
- Test the end-to-end process with a small batch of devices
- Scale to full production once validated