UNECE WP.29/R155 · ISO/SAE 21434

Automotive Key Provisioner

Factory-floor device provisioning: each vehicle receives a unique cryptographic identity injected securely over mutual TLS — before leaving the production line.

Python · FastAPI · mTLS 1.3 · secp256r1 · Factory PKI · SQLite Audit · Docker
02 / 07
Problem

Assembly-line devices need a unique identity

Connected vehicles require a strong private key + certificate for cloud and zero-trust operations. Provisioning must be secure, auditable, and automatable.

Plaintext keys

Keys sent unencrypted over the factory LAN can be intercepted on the wire.

Rogue devices

Unauthorized endpoints could request identities without bootstrap trust.

No audit trail

Without durable logs, compliance and incident response are weak.

Goal

Only legitimate factory devices receive a permanent identity. Keys never travel in the clear. Every provisioning event is logged.

03 / 07
Trust hierarchy

Localized factory PKI

Root CA (offline trust anchor)

Factory CA (signs production certs)

Server cert · Bootstrap cert · Device cert (per VIN)

Bootstrap cert is pre-installed on hardware. Factory CA issues the permanent device identity at provisioning time.

04 / 07
Provisioning flow

mTLS tunnel → key injection

01

TLS ClientHello + bootstrap cert

Device presents Factory CA–signed bootstrap identity.

02

Server validates chain to Root CA

Mutual TLS 1.3 tunnel established (AES-GCM).

03

POST /provision { VIN }

Server generates secp256r1 keypair, signs device cert with Factory CA.

04

Deliver over TLS only

Private key + cert returned inside tunnel; server zeroes key from RAM.

05

Device enclave storage

Client writes to certs/device_enclave/ with chmod 400. Audit log updated.
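The hierarchy on the trust slide and steps 02 to 04 of the flow above, as an added example that is not code from the automotive-key-provisioner project: a self-signed Root CA, a Factory CA with pathlen 0, chain validation by walking issuer signatures back to the root, and the server-side issuance of a secp256r1 identity for a VIN, followed by the "injected key signs and verifies" self-test. It uses the third-party `cryptography` package; the CN values, certificate lifetimes and function names are assumptions made for the example.

```python
"""Added example, not the project's own code: a Root CA -> Factory CA -> leaf
hierarchy built with the `cryptography` library (pip install cryptography),
chain validation by walking issuer signatures, and the server-side step that
issues a secp256r1 identity for a VIN. CN values and lifetimes are assumptions."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(subject_cn, subject_key, issuer_cert, issuer_key, is_ca, days):
    """Sign a certificate for subject_key; issuer_cert=None means self-signed.
    Intermediates get pathlen 0 so a Factory CA cannot mint further CAs."""
    now = dt.datetime.now(dt.timezone.utc)
    path_len = 0 if (is_ca and issuer_cert is not None) else None
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_factory_pki():
    """Root CA (offline anchor: its key is not returned) and the Factory CA."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root_cert = issue_cert("Root CA", root_key, None, root_key, True, 3650 * 2)
    factory_key = ec.generate_private_key(ec.SECP256R1())
    factory_cert = issue_cert("Factory CA", factory_key, root_cert, root_key, True, 3650)
    return root_cert, factory_cert, factory_key


def _window(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; fall back to the naive ones.
    nvb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
    nva = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return nvb, nva


def verify_chain(leaf, factory_ca, root_ca):
    """Step 02: leaf <- Factory CA <- Root CA. Checks name linkage, the issuer's
    CA flag, the validity window and each signature, ending at the self-signed root."""
    now = dt.datetime.now(dt.timezone.utc)
    for cert, issuer in ((leaf, factory_ca), (factory_ca, root_ca), (root_ca, root_ca)):
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca or cert.issuer != issuer.subject:
            return False
        nvb, nva = _window(cert)
        if not nvb <= now <= nva:
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
    return True


def provision(vin, factory_cert, factory_key):
    """Steps 03/04: generate the device keypair, sign its cert, hand back PEM.
    The server must not retain the key; CPython gives no guaranteed zeroisation
    of bytes objects, so keep the key's lifetime confined to this function."""
    device_key = ec.generate_private_key(ec.SECP256R1())
    device_cert = issue_cert(f"VIN:{vin}", device_key, factory_cert, factory_key, False, 3650)
    key_pem = device_key.private_bytes(serialization.Encoding.PEM,
                                       serialization.PrivateFormat.PKCS8,
                                       serialization.NoEncryption())
    return key_pem, device_cert.public_bytes(serialization.Encoding.PEM)


def load_cert(pem):
    return x509.load_pem_x509_certificate(pem)


def injected_key_works(key_pem, cert_pem, msg=b"provisioning self-test"):
    """The 'injected key signs and verifies' test: sign with the delivered key,
    verify with the public key inside the delivered certificate."""
    key = serialization.load_pem_private_key(key_pem, password=None)
    sig = key.sign(msg, ec.ECDSA(hashes.SHA256()))
    try:
        load_cert(cert_pem).public_key().verify(sig, msg, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    root, factory, fkey = build_factory_pki()
    key_pem, cert_pem = provision("VIN12345", factory, fkey)
    print("chain ok:", verify_chain(load_cert(cert_pem), factory, root))
    print("key ok:", injected_key_works(key_pem, cert_pem))
```

The chain walk deliberately ends with the root verifying itself, so a leaf whose issuer name matches but whose signature comes from a different Factory CA is rejected, which is the check the server performs on the bootstrap cert before the tunnel is accepted.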

05 / 07
Security model

Threat mitigations

Threat                       Mitigation
Network sniffing             Key material only inside mutually authenticated TLS 1.3
Rogue device                 Server requires valid bootstrap cert chaining to Root CA
Insider / server compromise  Server deletes device private key after delivery; SQLite audit log
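Step 05 of the flow (enclave write with chmod 400) and the SQLite audit log from the mitigation table, as an added example that is not the project's own code: the key file is created with mode 0o400 and O_EXCL so a repeat provisioning of the same VIN cannot silently replace an identity, and the audit table carries triggers that abort any UPDATE or DELETE so the trail stays durable. Directory names, the table layout and the PEM bytes are constructed for the example; the project's real schema is not shown on this page.

```python
"""Added example, not the project's own code: the client-side write from step 05
(key file created with mode 0o400, never overwritten) and an append-only SQLite
audit log. Directory names, table layout and the PEM bytes are constructed here."""
import hashlib
import os
import shutil
import sqlite3
import stat
import tempfile
import time
from pathlib import Path

AUDIT_SCHEMA = """
CREATE TABLE IF NOT EXISTS provisioning_events (
    id          INTEGER PRIMARY KEY,
    ts_utc      TEXT NOT NULL,
    vin         TEXT NOT NULL,
    cert_sha256 TEXT NOT NULL,
    outcome     TEXT NOT NULL
);
-- Durable trail: triggers refuse in-place edits and deletions of past events.
CREATE TRIGGER IF NOT EXISTS audit_no_update BEFORE UPDATE ON provisioning_events
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER IF NOT EXISTS audit_no_delete BEFORE DELETE ON provisioning_events
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""


def open_audit_db(path):
    conn = sqlite3.connect(path)
    conn.executescript(AUDIT_SCHEMA)
    return conn


def record_event(conn, vin, cert_pem, outcome):
    """Log the event with the certificate fingerprint, never the private key."""
    fingerprint = hashlib.sha256(cert_pem).hexdigest()
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with conn:
        conn.execute(
            "INSERT INTO provisioning_events (ts_utc, vin, cert_sha256, outcome) VALUES (?, ?, ?, ?)",
            (ts, vin, fingerprint, outcome),
        )
    return fingerprint


def store_identity(enclave_dir, vin, key_pem, cert_pem):
    """Create <vin>.key with 0o400; O_EXCL makes a second provisioning of the
    same VIN fail loudly instead of silently replacing the identity."""
    enclave = Path(enclave_dir)
    enclave.mkdir(parents=True, exist_ok=True)
    enclave.chmod(0o700)
    key_path, cert_path = enclave / f"{vin}.key", enclave / f"{vin}.crt"
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(key_pem)
    cert_path.write_bytes(cert_pem)  # the certificate is public; default mode is fine
    return key_path, cert_path


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def run_demo():
    """Exercise the happy path plus both failure modes in a throwaway directory."""
    work = Path(tempfile.mkdtemp())
    # Constructed placeholder bytes, not a real key or certificate.
    key_pem = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    cert_pem = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    conn = open_audit_db(work / "audit.db")
    try:
        key_path, _ = store_identity(work / "device_enclave", "VIN12345", key_pem, cert_pem)
        record_event(conn, "VIN12345", cert_pem, "ok")
        try:
            store_identity(work / "device_enclave", "VIN12345", key_pem, cert_pem)
            duplicate_blocked = False
        except FileExistsError:
            duplicate_blocked = True
        try:
            with conn:
                conn.execute("DELETE FROM provisioning_events")
            tamper_blocked = False
        except sqlite3.DatabaseError:
            tamper_blocked = True
        events = conn.execute("SELECT COUNT(*) FROM provisioning_events").fetchone()[0]
        return {"key_mode": file_mode(key_path), "duplicate_blocked": duplicate_blocked,
                "tamper_blocked": tamper_blocked, "events": events}
    finally:
        conn.close()
        shutil.rmtree(work)


if __name__ == "__main__":
    print(run_demo())
```

The triggers only stop edits made through the database engine; an insider with filesystem access to the `.db` file can still rewrite it, which is why the mitigation row pairs the log with deleting the key server-side rather than relying on the log alone.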

Tests

Chain validation · mTLS negative (no client cert rejected) · injected key signs and verifies.

Phases

CA setup → mTLS server → key injection → audit DB + Docker deployment.

06 / 07
Quick start

Run the factory pipeline

python3 ca/scripts/setup_ca.py

python3 -m uvicorn server.factory_server:app --host 0.0.0.0 --port 8443 \
  --ssl-keyfile certs/server/server.key --ssl-certfile certs/server/server.crt \
  --ssl-cert-reqs 2 --ssl-ca-certs ca/root_ca/ca.crt

python3 -m client.device_client VIN12345 --url https://localhost:8443
# → certs/device_enclave/VIN12345.key + VIN12345.crt (chmod 400)

Proof-of-concept — local PKI in place of HSM-backed production CA. Keys excluded from git.

07 / 07
Summary

Secure identity at the production line

PKI + mTLS + audited key injection — foundation for vehicle-to-cloud and zero-trust manufacturing.

github.com/vgandhi1/automotive-key-provisioner
ARCHITECTURE_PROVISIONING.md