For this application note you need to have:
- OPTIGA™ Trust Personalisation Board; alternatively you can use an FTDI FT260-equipped board, such as the FTDI FT260S/Q (TSSOP/WQFN) USB-to-I2C bridge. Note: this board isn't required if you use an RPi
- OPTIGA™ Trust X or M
Issue a certificate from a self-signed CA within your AWS IoT Instance
- How to issue your own self-signed CA certificate with OpenSSL
- How to generate a Certificate Signing Request (CSR) with OPTIGA™ Trust and sign it with the CA
- How to register your new CA on your AWS IoT Instance
- How to generate an end-device certificate and write it back to one of the available certificate slots on the device
Each OPTIGA™ Trust Secure Element has four certificate slots and four (six for the OPTIGA™ Trust M1) private key slots. Each certificate slot can carry up to 1728 bytes of data, which means a slot can hold a chain of X.509 certificates.
More about OPTIGA™ Trust X Objects Map, Access Conditions, Metadata of Objects you may find here
For available PKI options you can refer to the main document
The flow is as follows:
1. Connect a PC/Embedded Linux host to an OPTIGA™ Trust sample
2. Create a new Certification Authority with OpenSSL and a corresponding keypair
3. Establish a secure communication channel with a Cloud Provider; e.g. login/password
4. Register the CA certificate on your AWS Instance
5. Generate a keypair on the chip and export the public key
6. Construct a Certificate Signing Request (CSR)
7. Sign the CSR with the private key of the CA
8. Write the certificate onto the OPTIGA™ Trust hardware, into the certificate slot corresponding to the private key generated at step (5)
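The OpenSSL part of this flow (creating the CA, signing the CSR, and checking that the result fits a 1728-byte certificate slot), as an added example that is not part of the original application note. Because the real CSR is produced by the OPTIGA™ Trust tooling from a key that never leaves the chip, a software key generates a stand-in CSR here purely so the script runs offline; the AWS registration step is not covered. The file names `ca.key`, `ca.crt`, `device.csr`, `device.crt` and the subject names are assumptions.

```shell
#!/bin/sh
# Added example (not the application note's own code): self-signed CA with
# OpenSSL, device certificate issued from a CSR, chain and slot-size checks.
set -eu

WORK=${WORK:-./pki-demo}   # assumed working directory for all generated files

# Create the CA keypair (P-256) and a self-signed CA certificate.
make_ca() {
  mkdir -p "$WORK"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -new -x509 -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/CN=Example OPTIGA Demo CA" -out "$WORK/ca.crt"
}

# Stand-in for the on-chip keypair and CSR: on real hardware the private key
# stays inside the OPTIGA Trust and only the CSR leaves the device. A software
# key is used here only so that the example can run without the chip.
make_stub_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device-sw.key"
  openssl req -new -key "$WORK/device-sw.key" -sha256 \
    -subj "/CN=optiga-device-0001" -out "$WORK/device.csr"
}

# Sign the CSR with the CA private key; this is the end-device certificate
# that is later written back into the certificate slot on the chip.
sign_csr() {
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 365 \
    -out "$WORK/device.crt"
}

# Confirm the device certificate chains to the CA that will be registered.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null
}

# Size of the certificate in DER form, which is what is stored on the chip.
der_size() {
  openssl x509 -in "$WORK/device.crt" -outform DER | wc -c | tr -d ' '
}

# A certificate slot carries at most 1728 bytes; refuse anything larger.
fits_slot() {
  [ "$(der_size)" -le 1728 ]
}

if [ "${RUN_DEMO:-0}" = "1" ]; then
  make_ca && make_stub_csr && sign_csr && verify_chain && fits_slot \
    && echo "device.crt chains to ca.crt, DER size $(der_size) bytes"
fi
```

Run with `RUN_DEMO=1 sh issue_cert.sh` to execute the whole sequence; without it the file only defines the functions so they can be sourced and called step by step.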