<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Certificate renewal</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/71625/certificate-renewal</link><description>Hi, 
 I don't know if this is the right forum to ask, but is there any common solution for certificate renewal? 
 
 For example, if I use Azure IoT Hub, I will provision the digicertroot cert (valid until 2038) and a client certificate (valid until XXX</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Mon, 15 Feb 2021 13:33:48 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/71625/certificate-renewal" /><item><title>RE: Certificate renewal</title><link>https://devzone.nordicsemi.com/thread/294400?ContentTypeID=1</link><pubDate>Mon, 15 Feb 2021 13:33:48 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:c44cc040-6bb0-45e4-8654-8bf005e75bd3</guid><dc:creator>Markus Tacker (he/him)</dc:creator><description>&lt;p&gt;In general it is not harmful to provision devices with long-lasting certificates. In general it should be avoided to rotate certificates in production, since this introduces the risk of bricking devices in the field. Especially as long as key pairs are not generated on the device, the private key is transmitted over the air, which adds an additional attack scenario.&lt;br /&gt;&lt;br /&gt; There might be another issue, where the endpoint is not guaranteed to exist after years on the shelf. For these scenarios it is advisable to use a bootstrap server (a server that factory-provisioned devices can connect to, which then sends the production key pair and the endpoint to the device). This model is implemented in Azure with the DPS (&lt;a href="https://docs.microsoft.com/en-us/azure/iot-dps/"&gt;Device Provisioning Service&lt;/a&gt;). AWS does not have a specific solution for this.&lt;/p&gt;
&lt;p&gt;Bootstrapping can also be used for key rotation, but again introduces the possibility of private keys being intercepted.&lt;/p&gt;</description></item></channel></rss>