fioctl keys ca create

Create PKI infrastructure to manage mutual TLS for the device gateway

Synopsis

Perform a one-time operation to set up PKI infrastructure for managing the device gateway. This command creates a few things:

### Root of trust for your factory: factory_ca.key / factory_ca.pem The factory_ca keypair is generated by this command to define the PKI root of trust for this factory.

  • factory_ca.key - An EC prime256v1 private key that should be STORED OFFLINE.
  • factory_ca.pem - The public x509 certificate that is shared with Foundries.io. Once set, all future PKI related changes will require proof you own this certificate.

### online-ca - A Foundries.io owned keypair to support lmp-device-register In order for lmp-device-register to work, Foundries.io needs the ability to sign client certificates for devices. If enabled, the factory_ca keypair will sign the certificate signing request returned from the API.

This is optional.

### local-ca - A keypair you own This keypair can be used for things like your manufacturing process where you may set up devices without having to communicate with Foundries.io web services. This keypair is capable of signing client certificates for devices. If enabled, the local-ca.pem will be shared with the Foundries.io device gateway so that it will trust the client certificate of devices signed with this keypair.

This is optional.

fioctl keys ca create <PKI Directory> [flags]

Options

-h, --help                     help for create
    --hsm-module string        Create key on an PKCS#11 compatible HSM using this module
    --hsm-pin string           The PKCS#11 PIN to set up on the HSM, if using one
    --hsm-token-label string   The label of the HSM token created for this (default "device-gateway-root")
    --local-ca                 Create a local CA that you can use for signing your own device certificates (default true)
    --online-ca                Create an online CA owned by Foundries that works with lmp-device-register (default true)

Options inherited from parent commands

-c, --config string    config file (default is $HOME/.config/fioctl.yaml)
-f, --factory string   Factory to list targets for
-t, --token string     API token from https://app.foundries.io/settings/tokens/
-v, --verbose          Print verbose logging

SEE ALSO

  • fioctl keys ca - Manage Public Key Infrastructure for your device gateway