How to set AWS IoT certificates at runtime

Hi team,

I am building an AWS IoT client based on an nRF52833 + Ethernet controller.

I have successfully connected to and subscribed/published to the AWS IoT broker, and now I am trying to find a way to provision each device properly.

In the AWS IoT library, the AWS IoT certificates are statically built into the application binary, and there seems to be no consideration for changing them at runtime, reading them from NV storage, etc.

How can I change the device certificates for the AWS IoT client at runtime?

Is there any proper mechanism for this?

And is there any plan to support AWS IoT Fleet Provisioning (online provisioning) in a future nRF Connect SDK?

  • My colleague, who has some experience in this, thinks it can be done. His suggestion is below.

    "

    Okay, so the library can actually handle the loading of the credentials for you. As you have already found out, it does that by writing the contents of some buffers it assumes exist in aws-certs.h (you can change the name of the file with a Kconfig option). So the user can define those buffers in a way that makes the application capable of changing their contents. The contents of the buffers are loaded each time the application calls aws_iot_connect().

    The other option is what I thought you had to do, which is to load the credentials yourself (in the application) before you call aws_iot_connect(). This approach gives more flexibility, but you will have to do all the credential handling yourself.

    "

  • Oh, thanks.

    I added the following line to my prj.conf

    CONFIG_AWS_IOT_CERTIFICATES_FILE="aws-certs.h"
    

    checked the following line in my CMakeLists.txt

    zephyr_include_directories_ifdef(CONFIG_AWS_IOT_PROVISION_CERTIFICATES certs)
    

    and put my own aws-certs.h in the certs folder.

    This is because my firmware will include claim certificates by default for the initial connection, and load/save from NVS if needed.

    Basically the combined approach you suggested.

    Now I can use all my features without nasty modifications. Thank you!
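The pattern described in the reply above (mutable buffers that the library reads on every aws_iot_connect()) combined with the follow-up's claim-certificate-plus-NVS approach, as an added example that is not code from the original thread or from the nRF Connect SDK. The buffer names device_certificate/private_key, the CRED_MAX size, the NVS record ids and the whole NVS layer are assumptions: the NVS here is an in-memory simulation so the example runs on a host, and the PEM blobs are constructed placeholders, not real credentials. On a device the same two functions would sit in front of the real NVS (or secure storage for the private key) and be called before aws_iot_connect().

```c
/* Added example (not nRF Connect SDK code): claim-credential default with an
 * NVS-backed override, written into mutable buffers that an aws-certs.h could
 * expose to the aws_iot library. Names, sizes and the NVS layer are assumed;
 * the NVS is simulated in memory and all PEM content is a placeholder. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 2048           /* assumed upper bound for one PEM blob */
#define NVS_ID_DEVICE_CERT 1    /* assumed NVS record ids */
#define NVS_ID_PRIVATE_KEY 2

/* Buffers the library is assumed to read at each aws_iot_connect().
 * Declared non-const so the application can overwrite them at runtime. */
unsigned char device_certificate[CRED_MAX];
unsigned char private_key[CRED_MAX];

/* Constructed placeholder claim credentials baked into the image. */
static const char claim_cert[] =
    "-----BEGIN CERTIFICATE-----\nCLAIM\n-----END CERTIFICATE-----\n";
static const char claim_key[] =
    "-----BEGIN PRIVATE KEY-----\nCLAIM\n-----END PRIVATE KEY-----\n";

enum cred_source { CRED_CLAIM = 0, CRED_NVS = 1 };

/* --- simulated NVS: fixed records, len 0 means "never written" --- */
static struct { size_t len; unsigned char data[CRED_MAX]; } nvs_sim[3];

static int nvs_sim_write(int id, const void *data, size_t len)
{
    if (id < 1 || id > 2 || len > CRED_MAX) return -EINVAL;
    memcpy(nvs_sim[id].data, data, len);
    nvs_sim[id].len = len;
    return 0;
}

static int nvs_sim_read(int id, void *buf, size_t cap)
{
    if (id < 1 || id > 2) return -EINVAL;
    if (nvs_sim[id].len == 0) return -ENOENT;
    if (nvs_sim[id].len > cap) return -ENOMEM;
    memcpy(buf, nvs_sim[id].data, nvs_sim[id].len);
    return (int)nvs_sim[id].len;
}

/* Sanity check before trusting a blob from flash: fits the buffer, is
 * NUL-terminated with no embedded NUL, and carries the expected PEM labels. */
static int pem_looks_valid(const unsigned char *p, size_t len, const char *type)
{
    char head[64], tail[64];
    if (len < 2 || len > CRED_MAX || p[len - 1] != '\0') return 0;
    if (strlen((const char *)p) != len - 1) return 0;
    snprintf(head, sizeof head, "-----BEGIN %s-----", type);
    snprintf(tail, sizeof tail, "-----END %s-----", type);
    return strncmp((const char *)p, head, strlen(head)) == 0 &&
           strstr((const char *)p, tail) != NULL;
}

/* Fill the library's buffers: NVS credentials if both records are present
 * and valid, otherwise the built-in claim credentials. Call this before
 * every aws_iot_connect(), since that is when the buffers are consumed. */
enum cred_source load_credentials(void)
{
    unsigned char cert[CRED_MAX], key[CRED_MAX];
    int clen = nvs_sim_read(NVS_ID_DEVICE_CERT, cert, sizeof cert);
    int klen = nvs_sim_read(NVS_ID_PRIVATE_KEY, key, sizeof key);

    if (clen > 0 && klen > 0 &&
        pem_looks_valid(cert, (size_t)clen, "CERTIFICATE") &&
        pem_looks_valid(key, (size_t)klen, "PRIVATE KEY")) {
        memcpy(device_certificate, cert, (size_t)clen);
        memcpy(private_key, key, (size_t)klen);
        memset(key, 0, sizeof key);   /* no stray key copy left on the stack */
        return CRED_NVS;
    }
    memcpy(device_certificate, claim_cert, sizeof claim_cert);
    memcpy(private_key, claim_key, sizeof claim_key);
    return CRED_CLAIM;
}

/* Persist freshly provisioned credentials (e.g. the result of a Fleet
 * Provisioning exchange) and make them current. Anything that is not
 * well-formed PEM is rejected so a bad write cannot wedge the next boot. */
int save_credentials(const char *cert, const char *key)
{
    size_t clen = strlen(cert) + 1, klen = strlen(key) + 1;
    if (!pem_looks_valid((const unsigned char *)cert, clen, "CERTIFICATE") ||
        !pem_looks_valid((const unsigned char *)key, klen, "PRIVATE KEY")) {
        return -EINVAL;
    }
    int rc = nvs_sim_write(NVS_ID_DEVICE_CERT, cert, clen);
    if (rc == 0) rc = nvs_sim_write(NVS_ID_PRIVATE_KEY, key, klen);
    if (rc == 0) {
        memcpy(device_certificate, cert, clen);
        memcpy(private_key, key, klen);
    }
    return rc;
}

int main(void)
{
    printf("boot: using %s credentials\n",
           load_credentials() == CRED_NVS ? "NVS device" : "claim");
    return 0;
}
```

The claim credentials never leave flash-resident constants and the private key is only ever copied into the library buffer, never logged. On a real nRF52833 build the private key should go to whatever secure storage the platform offers rather than plain NVS, and a failed validation should fall back to the claim credentials (as here) so the device can re-run provisioning instead of bricking.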
