How to set AWS IoT certificates at runtime

Hi team,

I am building an AWS IoT client based on NRF52833 + Ethernet Controller.

I have successfully connected to the AWS IoT broker and subscribed/published, and now I am trying to find a way to provision each device properly.

In the AWS IoT library, the AWS IoT certificates are statically built into the application binary, and it seems there is no consideration for changing them at runtime, reading them from NV, etc.

How can I change the device certificates for the AWS IoT client at runtime?

Is there any proper mechanism for this?

And, is there any plan for supporting AWS IoT Fleet Provisioning (Online Provisioning) in a future nRFConnect SDK?

  • And, is there any plan for supporting AWS IoT Fleet Provisioning (Online Provisioning) in a future nRFConnect SDK?

    We do not talk about roadmaps and timelines here in DevZone. Please ask your RSM about this. I have requested an RSM from your place to reach out to you soon regarding this.

    How can I change the device certificates for the AWS IoT client at runtime?

    It does not look like we support this. For now it looks like static certificates only. I will let you know if the developers have any more insight than this.

  • For the certificate change, I made a quick and dirty workaround in aws-certs.h:

    // Original definition (read-only, lives in flash):
    //static const unsigned char ca_certificate[] = {
    // Workaround: writable fixed-size RAM buffer the application can overwrite
    unsigned char ca_certificate[2048] = {
    ...
    // Original definition (read-only, lives in flash):
    //static const unsigned char private_key[] = {
    // Workaround: writable fixed-size RAM buffer the application can overwrite
    unsigned char private_key[2048] = {
    ...
    // Original definition (read-only, lives in flash):
    //static const unsigned char device_certificate[] = {
    // Workaround: writable fixed-size RAM buffer the application can overwrite
    unsigned char device_certificate[2048] = {
    ...

    With this workaround, I can access these variables in my application code.

    // Declarations in the application code, matching the sizes in aws-certs.h
    extern unsigned char ca_certificate[2048];
    extern unsigned char private_key[2048];
    extern unsigned char device_certificate[2048];

    Is there any better way? Or can you suggest how I can access these variables without modifying the NCS code?

  • choehyunho said:
    Is there any better way? Or can you suggest how I can access these variables without modifying the NCS code?

    Not that I know of, but I can ask my colleague just to be sure.

  • It would be more practical, not just for the sample, if runtime certificate loading were possible.

    I hope a neat and clean way is provided in a future NCS release.

  • My colleague, who has some experience in this, thinks it can be done. His suggestion is below.

    "

    Okay, so the library can actually handle the loading of the credentials for you. As you have already found out, it does that by writing the contents of some buffers it assumes exist in aws-certs.h (you can change the name of the file with a Kconfig option). So the user can define those buffers in a way that makes the application capable of changing their contents. The contents of the buffers are loaded each time the application calls aws_iot_connect().

    The other option is what I thought you had to do, which is to load the credentials yourself (in the application), before you call aws_iot_connect(). This approach gives more flexibility, but you will have to do all the credential handling yourself.

    "
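The following is an added example, not code from this thread, from Nordic, or from the nRF Connect SDK. It follows the first option above: the three credential buffers are defined as writable RAM arrays of the same size as the workaround in the thread, and a bounds-checked loader fills them from an NV record before the application would call aws_iot_connect(). The NV record is simulated with constructed placeholder PEM text, the function and type names are this example's own, and the PEM-marker checks are a plausibility check, not a parse. It also assumes the library measures each buffer with sizeof(), so the loader zero-fills the buffer and rejects blobs that would not leave room for a trailing NUL, which PEM parsers typically require; if the credentials fail to load, all three buffers are cleared so a stale credential from an earlier run is never handed to the library.

```c
/* Added example (not NCS or Nordic code): runtime-writable credential buffers
 * in the style of the aws-certs.h workaround, plus a bounds-checked loader. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CRED_BUF_SIZE 2048  /* same size as the workaround's buffers */

/* Writable RAM buffers. Assumption: the library sees sizeof() == 2048, so the
 * unused tail must stay zero to keep a NUL terminator after the PEM text. */
unsigned char ca_certificate[CRED_BUF_SIZE];
unsigned char private_key[CRED_BUF_SIZE];
unsigned char device_certificate[CRED_BUF_SIZE];

/* Copy one PEM blob into a library buffer.
 * Returns 0 on success, -1 if the blob does not look like PEM or does not fit
 * with a trailing NUL. On failure the destination is left zeroed. */
int load_credential(unsigned char *dst, size_t dst_size,
                    const unsigned char *src, size_t src_len, int is_private_key)
{
    static const char begin[] = "-----BEGIN ";

    memset(dst, 0, dst_size);

    if (src_len < sizeof begin - 1 || src_len >= dst_size) {   /* room for NUL */
        return -1;
    }
    if (memcmp(src, begin, sizeof begin - 1) != 0) {
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';              /* NUL-terminated view for strstr() */
    if (strstr((const char *)dst, "-----END ") == NULL ||
        (is_private_key && strstr((const char *)dst, "PRIVATE KEY") == NULL)) {
        memset(dst, 0, dst_size);
        return -1;
    }
    return 0;
}

/* One NV record holding the three credentials (hypothetical layout). */
struct nv_credentials {
    const unsigned char *ca;   size_t ca_len;
    const unsigned char *key;  size_t key_len;
    const unsigned char *cert; size_t cert_len;
};

/* Fill the three library buffers from one NV record. Returns 0 when all three
 * loaded; otherwise -1 with all three buffers cleared, so a half-provisioned
 * or stale set of credentials is never passed on to aws_iot_connect(). */
int provision_from_nv(const struct nv_credentials *nv)
{
    if (load_credential(ca_certificate, sizeof ca_certificate, nv->ca, nv->ca_len, 0) ||
        load_credential(private_key, sizeof private_key, nv->key, nv->key_len, 1) ||
        load_credential(device_certificate, sizeof device_certificate, nv->cert, nv->cert_len, 0)) {
        memset(ca_certificate, 0, sizeof ca_certificate);
        memset(private_key, 0, sizeof private_key);
        memset(device_certificate, 0, sizeof device_certificate);
        return -1;
    }
    return 0;
}

/* Constructed placeholder PEM text, not real credentials. */
static const char fake_ca[]   = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERCA\n-----END CERTIFICATE-----\n";
static const char fake_key[]  = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERKEY\n-----END RSA PRIVATE KEY-----\n";
static const char fake_cert[] = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERDEV\n-----END CERTIFICATE-----\n";

/* A well-formed record, and a broken one whose "key" is a certificate. */
static const struct nv_credentials sample_nv = {
    (const unsigned char *)fake_ca,   sizeof fake_ca - 1,
    (const unsigned char *)fake_key,  sizeof fake_key - 1,
    (const unsigned char *)fake_cert, sizeof fake_cert - 1,
};
static const struct nv_credentials bad_nv = {
    (const unsigned char *)fake_ca,   sizeof fake_ca - 1,
    (const unsigned char *)fake_ca,   sizeof fake_ca - 1,
    (const unsigned char *)fake_cert, sizeof fake_cert - 1,
};

int main(void)
{
    if (provision_from_nv(&sample_nv) != 0) {
        printf("credential load failed, not connecting\n");
        return 1;
    }
    /* The library reads the buffers on every connect, so this is where a real
     * NCS application would call aws_iot_connect() (omitted here). */
    printf("credentials loaded: %zu bytes CA, %zu bytes key, %zu bytes cert\n",
           strlen((const char *)ca_certificate), strlen((const char *)private_key),
           strlen((const char *)device_certificate));
    return 0;
}
```

The loader deliberately refuses a blob of exactly CRED_BUF_SIZE bytes: with sizeof()-based lengths there would be no terminating NUL, and a blob that long is far more likely to be corrupt NV data than a real credential. If the library instead takes an explicit length, the same function still applies and only the length passed on changes.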
