fioctl keys ca create

Create PKI infrastructure to manage mutual TLS for the device gateway


Perform a one-time operation to set up PKI infrastructure for managing the device gateway. Caution: this can only be done once. This command creates a few things:

### Root of trust for your factory: factory_ca.key / factory_ca.pem The factory_ca keypair is generated by this command to define the PKI root of trust for this factory.

  • factory_ca.key - An EC prime256v1 private key that should be STORED OFFLINE.
  • factory_ca.pem - The public x509 certificate that is shared with Once set, all future PKI related changes will require proof you own this certificate.

### online-ca - A owned keypair to support lmp-device-register In order for lmp-device-register to work, needs the ability to sign client certificates for devices. If enabled, the factory_ca keypair will sign the certificate signing request returned from the API.

This is optional.

### local-ca - A keypair you own This keypair can be used for things like your manufacturing process where you may set up devices without having to communicate with web services. This keypair is capable of signing client certificates for devices. If enabled, the local-ca.pem will be shared with the device gateway so that it will trust the client certificate of devices signed with this keypair.

This is optional.

fioctl keys ca create <PKI Directory> [flags]


-h, --help                     help for create
    --hsm-module string        Create a root CA key on a PKCS#11 compatible HSM using this module
    --hsm-pin string           The PKCS#11 PIN to log into the HSM
    --hsm-token-label string   The label of the HSM token created for the root CA key
    --local-ca                 Create a local CA that you can use for signing your own device certificates (default true)
    --online-ca                Create an online CA owned by Foundries that works with lmp-device-register (default true)

Options inherited from parent commands

-c, --config string    config file (default is $HOME/.config/fioctl.yaml)
-f, --factory string   Factory to list targets for
-t, --token string     API token from
-v, --verbose          Print verbose logging


  • fioctl keys ca - Manage Public Key Infrastructure for your device gateway