
Secure Device Provisioning at Manufacturing Scale

Every device that connects to your cloud needs a unique identity: an X.509 certificate, a key pair, or a set of credentials that proves it is the specific device it claims to be. Device provisioning is the process of generating and delivering that identity: during manufacturing, before the device ships, or remotely after it has been deployed.

danger

Shared or poorly managed device credentials are the largest single risk in an IoT fleet: one compromised credential exposes every device that shares it.

The challenge with device provisioning

Most teams start with the simplest possible approach: a shared secret or a hardcoded credential embedded in firmware. This works for a prototype. It fails at scale for several reasons:

  • Shared credentials mean shared risk: if one device is compromised, every device with the same credential is exposed.
  • Manual processes don't scale: generating certificates in spreadsheets and writing them to devices via USB works for small batches; it doesn't survive production volumes.
  • Manufacturing line integration: the provisioning step must fit into the existing production line flow as a step that factory-floor technicians can run reliably, without needing direct access to cloud tooling.
  • Field-deployed devices: devices already in the field with temporary or insecure credentials need a mechanism to securely obtain their permanent identity without a factory recall.
  • Certificate rotation and expiry: X.509 certificates have lifetimes; a production system needs a plan for renewal before expiry causes a fleet-wide outage.
  • Audit trails: regulators and enterprise customers increasingly require documentation of when each device was provisioned and with what credential.

What it takes to get it right

A proper provisioning system operates in two phases:

Manufacturing-time certificate provisioning: during production, each device receives a unique device identity (an X.509 certificate signed by your CA) along with its initial configuration. This manufacturing enrollment step must integrate with your production line tooling, run fast enough not to bottleneck assembly, and produce an audit record for every device provisioned.

Remote initialization: for devices already in the field with temporary credentials (or with no credentials at all), a secure bootstrap process lets the device present a one-time token, have the backend validate and consume it, and receive its permanent X.509 certificate over an encrypted channel. Two properties make this safe: the token is bound to a single device and invalidated on first use, so a leaked or replayed token cannot obtain a second certificate; and the device generates its key pair locally (ideally in a secure element), so only the public key or a certificate signing request ever leaves it. This eliminates the need for factory recalls to update credentials on deployed hardware.

Both phases require: a certificate authority (or integration with an existing one), a certificate enrollment API, a device-side client that handles the protocol, and a back-office audit log.
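The two phases above, end to end, as an added example in Go using only the standard library's crypto/x509. This is illustrative code written for this page, not Connhex's implementation or API. The in-memory CA, the token store, the device IDs, the one-year lifetime and the 30-day renewal window are all assumptions; a production CA would keep its signing key in an HSM and the token store in a database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: fine for an illustration, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Enrollment is one provisioned unit: Cert and Key stay on the device; the rest is the audit record.
type Enrollment struct {
	Cert               *x509.Certificate
	Key                *ecdsa.PrivateKey
	DeviceID, Serial   string
	IssuedAt, NotAfter time.Time
}

// CA stands in for the product CA (hypothetical; a real signing key lives in an HSM).
type CA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	tokens map[string]string // unredeemed one-time bootstrap token -> device ID
}

// NewCA creates a self-signed ECDSA P-256 CA valid for ten years from now.
func NewCA(name string, now time.Time) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key, tokens: map[string]string{}}
}

// Enroll is the manufacturing-line step for one unit: the device generates its own key pair
// (the private key never leaves it) and the CA signs a client-auth leaf carrying the device ID
// as CommonName and a random 128-bit serial, so no two devices ever share a credential.
func (ca *CA) Enroll(deviceID string, lifetime time.Duration, now time.Time) *Enrollment {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: deviceID},
		NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key))
	cert := must(x509.ParseCertificate(der))
	return &Enrollment{Cert: cert, Key: key, DeviceID: deviceID, Serial: serial.Text(16), IssuedAt: now, NotAfter: cert.NotAfter}
}

// IssueToken registers a one-time bootstrap token for a device already in the field.
func (ca *CA) IssueToken(token, deviceID string) { ca.tokens[token] = deviceID }

// RemoteInit is the field bootstrap: the token is consumed on first use, so a
// replayed or leaked token cannot obtain a second certificate.
func (ca *CA) RemoteInit(token string, lifetime time.Duration, now time.Time) (*Enrollment, error) {
	deviceID, ok := ca.tokens[token]
	if !ok {
		return nil, fmt.Errorf("unknown or already redeemed token")
	}
	delete(ca.tokens, token)
	return ca.Enroll(deviceID, lifetime, now), nil
}

// VerifyDevice is the cloud-side connect-time check: chain leaf to root at time now.
func VerifyDevice(root, leaf *x509.Certificate, now time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// RenewalDue reports whether less than window remains before expiry: time to rotate.
func RenewalDue(leaf *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(leaf.NotAfter)
}

func main() {
	e := NewCA("Example Product CA", time.Now()).Enroll("dev-000001", 365*24*time.Hour, time.Now())
	fmt.Printf("issued serial %s to %s, expires %s\n", e.Serial, e.DeviceID, e.NotAfter.UTC().Format(time.RFC3339))
}
```

Note what the verifier rejects and why: a certificate presented after NotAfter, a certificate chained to a different CA, and a bootstrap token presented a second time. Those three checks are the concrete form of the "shared risk", "expiry" and "field-deployed devices" points in the list above; the audit fields on Enrollment are what the back office would persist per unit.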

How Connhex solves it

Connhex provides a set of purpose-built services for device provisioning:

Connhex Manufacturing handles manufacturing-time enrollment. During the production step, your line tooling calls the Connhex API (or uses the open-source CLI) to register each device, generate its certificate, and write the credentials to the device. The process takes seconds per unit and produces a complete audit trail. No manual steps, no spreadsheets.

Connhex Provisioning manages the cloud-side certificate lifecycle: issuance, storage, and expiry tracking.

Connhex Remote Init handles the field deployment case. A device with a temporary token initiates a secure handshake, the Connhex backend validates the token, and the device receives its permanent X.509 certificate over an encrypted channel, without any human intervention, and without a factory recall.

The services are modular: if you already have a cloud infrastructure, you can integrate only Provisioning and Remote Init, leaving everything else unchanged. This is exactly how Seitron deployed them.

The provisioning infrastructure also supports compliance with the EU Cyber Resilience Act's requirements for unique device identities and secure-by-design architecture.

See it in practice

In the software world, we tend to use the word modularity too often: in this case, it was more than appropriate. It was nothing but modularity that allowed us such a fast integration of a critical service.

Stefano Vardanega

Senior Software Engineer - Seitron

Seitron, an Italian manufacturer of wireless thermostats and thermoregulation systems, integrated Connhex Provisioning and Remote Init into their existing cloud infrastructure. See the full story: Adding Connhex Provisioning to an existing cloud infrastructure.

Provisioning is relevant across every vertical where Connhex is used: Connhex for HVAC · Connhex for Vending Machines · Connhex for the Smart Home

Read the technical docs

Every device, a unique identity. Automate certificate provisioning from the production line to the field.