ON-DEVICE
Implementing X.509 device identity in Zephyr
A walk through how we ship per-device X.509 identity on a Zephyr-based product, from factory provisioning to TLS mutual auth — and what we had to unlearn along the way.
PLACEHOLDER · Layout article — content is lorem ipsum, not real technical claims.
PLACEHOLDER — this article is lorem ipsum. The layout and code-block rendering are real; the technical claims below are not. Replace with real content before launch.
Why per-device identity matters
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. A product that authenticates every device by a shared bearer token is one leaked firmware image away from a full fleet compromise. Per-device X.509 is the floor for any connected-device program that expects to ship, update, and audit at scale.
The provisioning problem
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. The private key has to be generated in a place you trust, signed by a CA you control, and planted in hardware in a way that survives the rest of the factory.
What the datasheet doesn't tell you
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore. Excepteur sint occaecat cupidatat non proident.
// Excerpt: enrollment payload — CSR is generated on-device, never leaves.
#include <string.h>
#include <mbedtls/x509_csr.h>

// f_rng/p_rng are the RNG callback and context already used for key generation
// (e.g. mbedtls_ctr_drbg_random); mbedtls_x509write_csr_der needs them to sign the
// CSR, so they are passed through here. On success the DER CSR sits at the start
// of `out` and *olen holds its length; on failure a negative mbedtls code is returned.
static int generate_device_csr(mbedtls_pk_context *key, uint8_t *out, size_t *olen,
                               int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
    mbedtls_x509write_csr req;
    mbedtls_x509write_csr_init(&req);
    mbedtls_x509write_csr_set_md_alg(&req, MBEDTLS_MD_SHA256);
    int ret = mbedtls_x509write_csr_set_subject_name(&req, "CN=device,O=loci-lab");
    if (ret == 0) {
        mbedtls_x509write_csr_set_key(&req, key);
        // mbedtls writes the DER at the END of the buffer and returns its length.
        ret = mbedtls_x509write_csr_der(&req, out, *olen, f_rng, p_rng);
    }
    if (ret > 0) {
        memmove(out, out + *olen - (size_t)ret, (size_t)ret);
        *olen = (size_t)ret;
        ret = 0;
    }
    mbedtls_x509write_csr_free(&req);
    return ret;
}
Rotating, without downtime
Sunt in culpa qui officia deserunt mollit anim id est laborum. The CA you sign against today will not be the CA you sign against in five years, and fleets in the field will not stop to help you migrate.
- A clear renewal window, measured against the device's clock, not yours.
- An overlap period where the previous chain still verifies.
- A failure mode that is loud and recoverable, never silent.
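The three requirements above, worked through in plain C as an added example (this is not code from the article or from the product it describes). It models a trust store of CA chains by small integer ids instead of real X.509 objects, so it runs without mbedtls; the 70% renewal threshold, the chain ids and every timestamp are constructed assumptions. What it shows is the shape of the logic: renewal decided against the device clock, the retired CA kept verifiable through an explicit overlap window, and a distinct non-zero code for each failure so nothing fails silently.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not real X.509: a trusted chain is an integer id plus the
 * window during which the device still accepts leaves it issued. */
#define MAX_TRUSTED_CHAINS 4
#define RENEW_AT_PERCENT   70   /* assumed: renew once 70% of the leaf lifetime has elapsed */

enum cert_status  { CERT_OK = 0, CERT_RENEW_NOW, CERT_EXPIRED, CERT_CLOCK_INVALID };
enum chain_result { CHAIN_OK = 0, CHAIN_UNKNOWN_ISSUER, CHAIN_ISSUER_OUTSIDE_WINDOW };

struct trusted_chain { uint32_t id; int64_t trust_from; int64_t trust_until; };
struct leaf_cert     { uint32_t issuer_id; int64_t not_before; int64_t not_after; };
struct trust_store   { struct trusted_chain chains[MAX_TRUSTED_CHAINS]; size_t count; };

/* Renewal decision measured against the DEVICE clock `now` (seconds). A clock that
 * sits before the leaf's not_before is reported as such rather than guessed around. */
enum cert_status leaf_status(const struct leaf_cert *leaf, int64_t now)
{
    if (now < leaf->not_before) return CERT_CLOCK_INVALID;
    if (now > leaf->not_after)  return CERT_EXPIRED;
    int64_t lifetime = leaf->not_after - leaf->not_before;
    int64_t renew_at = leaf->not_before + (lifetime * RENEW_AT_PERCENT) / 100;
    return now >= renew_at ? CERT_RENEW_NOW : CERT_OK;
}

/* Issuer check that honours the overlap window of a retiring CA. */
enum chain_result verify_issuer(const struct trust_store *ts, const struct leaf_cert *leaf, int64_t now)
{
    for (size_t i = 0; i < ts->count; i++) {
        const struct trusted_chain *c = &ts->chains[i];
        if (c->id != leaf->issuer_id) continue;
        if (now < c->trust_from || now > c->trust_until) return CHAIN_ISSUER_OUTSIDE_WINDOW;
        return CHAIN_OK;
    }
    return CHAIN_UNKNOWN_ISSUER;
}

/* Install the successor CA at `switch_at` and keep the predecessor verifying for
 * `overlap_secs` afterwards. Refuses (loudly) when the store is full instead of evicting. */
bool rotate_ca(struct trust_store *ts, uint32_t old_id, uint32_t new_id,
               int64_t switch_at, int64_t overlap_secs)
{
    if (ts->count >= MAX_TRUSTED_CHAINS) return false;
    for (size_t i = 0; i < ts->count; i++)
        if (ts->chains[i].id == old_id) ts->chains[i].trust_until = switch_at + overlap_secs;
    ts->chains[ts->count++] = (struct trusted_chain){ new_id, switch_at, INT64_MAX };
    return true;
}

/* What a handshake verification hook would run. 0 lets the connection proceed
 * (CERT_RENEW_NOW only schedules renewal); every failure gets its own code. */
int check_device_cert(const struct trust_store *ts, const struct leaf_cert *leaf, int64_t now)
{
    enum chain_result cr = verify_issuer(ts, leaf, now);
    if (cr != CHAIN_OK) return 10 + (int)cr;
    enum cert_status cs = leaf_status(leaf, now);
    if (cs == CERT_EXPIRED || cs == CERT_CLOCK_INVALID) return 20 + (int)cs;
    return 0;
}

/* Constructed scenario: CA 1 trusted from t=0, rotated to CA 2 at t=9000 with a
 * 2000 s overlap; the given leaf is then checked at device time `now`. */
int demo_scenario(uint32_t issuer, int64_t not_before, int64_t not_after, int64_t now)
{
    struct trust_store ts = { .chains = { { 1, 0, INT64_MAX } }, .count = 1 };
    rotate_ca(&ts, 1, 2, 9000, 2000);
    struct leaf_cert leaf = { issuer, not_before, not_after };
    return check_device_cert(&ts, &leaf, now);
}

int main(void)
{
    /* Old-CA leaf inside the overlap (0), then after it closes (12). */
    printf("t=10500 -> %d, t=11500 -> %d\n",
           demo_scenario(1, 1000, 11000, 10500), demo_scenario(1, 1000, 11000, 11500));
    return 0;
}
```

The point of `check_device_cert` returning a distinct code per cause is the third bullet: a device that logs `12` (issuer outside its window) instead of a generic handshake failure tells the operator the overlap period was too short, which is a recoverable situation, whereas `23` (device clock before the cert's not_before) points at time sync, not at the CA.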
Where this goes next
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit. We will cover the attestation layer — binding the CSR to a hardware root of trust — in the next field note.
References (placeholder). RFC 5280, RFC 8446. Silicon vendor app notes intentionally omitted pending publication.