fioctl keys ca add-device-ca

Add device CA to the list of CAs allowed to issue device client certificates.

This command can add one or both of the following certificates:

  • online-ca - A owned keypair to support lmp-device-register. In order for lmp-device-register to work, needs the ability to sign client certificates for devices. If enabled, the factory_ca keypair will sign the certificate signing request returned from the API. If the online-ca was already created earlier, a new online-ca will replace it for the registration process. Still, the previous online-ca will be present in a list of device CAs trusted by the device gateway, so that devices with client certificates issued by it may continue to connect to services.

  • local-ca - A keypair you own that can be used for things like your manufacturing process, where you may generate device client certificates without having to communicate with web services. You can create as many local-ca files as you need, and use each of them to generate device client certificates. All such CAs will be added to the list of device CAs trusted by the device gateway.
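The trust-list behaviour described above, as an added example that is not part of fioctl or its documentation: self-signed stand-in CAs model the device gateway's list of trusted device CAs, and openssl checks which device client certificates chain to that list. Every CA name, subject, file name and the pki.cnf file is constructed; the sketch does not model the factory root CA or the certificate fields the real gateway requires.

```shell
#!/bin/sh
# Added example: every CA, key, subject and file name here is constructed.
set -eu
cd "$(mktemp -d)"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[client_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed stand-in for one device CA (NAME.key, NAME.pem).
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -x509 -config pki.cnf -extensions ca_ext -key "$1.key" \
        -sha256 -days 30 -subj "/CN=$1" -out "$1.pem"
}

# issue_device CA NAME: sign a client certificate for NAME with CA, offline.
issue_device() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
    openssl req -new -config pki.cnf -key "$2.key" -subj "/CN=$2" -out "$2.csr"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -sha256 -days 30 -extfile pki.cnf -extensions client_ext \
        -out "$2.pem" 2>/dev/null
}

# gateway_accepts BUNDLE CERT: succeeds only if CERT chains to a CA in BUNDLE.
gateway_accepts() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

for ca in online-ca-old online-ca-new local-ca unlisted-ca; do make_ca "$ca"; done
cat online-ca-old.pem online-ca-new.pem local-ca.pem > device-cas.pem  # trust list

issue_device online-ca-old dev-registered-earlier
issue_device local-ca dev-from-factory-floor
issue_device unlisted-ca dev-unknown-issuer
for d in dev-registered-earlier dev-from-factory-floor dev-unknown-issuer; do
    if gateway_accepts device-cas.pem "$d.pem"; then echo "$d: accepted"
    else echo "$d: rejected"; fi
done
```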

fioctl keys ca add-device-ca <PKI Directory> [flags]


-h, --help                       help for add-device-ca
    --hsm-module string          Load a root CA key from a PKCS#11 compatible HSM using this module
    --hsm-pin string             The PKCS#11 PIN to log into the HSM
    --hsm-token-label string     The label of the HSM token containing the root CA key
    --local-ca                   Create a local CA that you can use for signing your own device certificates
    --local-ca-filename string   A file name of the local CA (only needed if the local-ca.pem file already exists) (default "local-ca.pem")
    --online-ca                  Create an online CA owned by that works with lmp-device-register

Options inherited from parent commands

-c, --config string    config file (default is $HOME/.config/fioctl.yaml)
-f, --factory string   Factory to list targets for
-t, --token string     API token from
-v, --verbose          Print verbose logging


  • fioctl keys ca - Manage Public Key Infrastructure for your device gateway