Factory-floor device provisioning: each vehicle receives a unique cryptographic identity injected securely over mutual TLS — before leaving the production line.
Connected vehicles require a strong private key + certificate for cloud and zero-trust operations. Provisioning must be secure, auditable, and automatable.
Keys sent unencrypted over the factory LAN can be intercepted on the wire.
Unauthorized endpoints could request identities without bootstrap trust.
Without durable logs, compliance and incident response are weak.
Only legitimate factory devices receive a permanent identity. Keys never travel in the clear. Every provisioning event is logged.
Bootstrap cert is pre-installed on hardware. Factory CA issues the permanent device identity at provisioning time.
1. Device presents its Factory CA–signed bootstrap identity.
2. Mutual TLS 1.3 tunnel established (AES-GCM).
3. Server generates a secp256r1 keypair and signs the device cert with the Factory CA.
4. Private key + cert returned inside the tunnel; server zeroes the key from RAM.
5. Client writes to certs/device_enclave/ with chmod 400. Audit log updated.
| Threat | Mitigation |
|---|---|
| Network sniffing | Key material only inside mutually authenticated TLS 1.3 |
| Rogue device | Server requires valid bootstrap cert chaining to Root CA |
| Insider / server compromise | Server deletes device private key after delivery; SQLite audit log |
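The provisioning steps and the threat table above, as an added worked example that is not the project's own code: a single-process Python model using the `cryptography` library. It assumes the mTLS tunnel already exists and models only what happens on either end of it: the server checks that the bootstrap certificate chains to the Factory CA, mints a secp256r1 device key and certificate, drops its own copy of the key and records the event in SQLite; the client stores the key with mode 0400 and confirms the new identity chains and signs. All identities, the "Rogue CA" negative case and the temporary enclave directory are constructed inside the script.

```python
import datetime as dt
import os
import sqlite3
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue_cert(subject_cn, public_key, issuer_cn, issuer_key, is_ca=False):
    """Sign a one-year certificate for public_key with issuer_key (ECDSA P-256 / SHA-256)."""
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_ca(cn):
    key = ec.generate_private_key(ec.SECP256R1())
    return key, issue_cert(cn, key.public_key(), cn, key, is_ca=True)

def issued_by(cert, ca_cert):
    """The chain check mTLS performs: issuer name matches the CA and the CA key verifies the signature."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ECDSA_SHA256)
        return True
    except Exception:
        return False

class FactoryServer:
    """Server role: accept only Factory CA bootstrap identities, mint device key + cert, audit every attempt."""
    def __init__(self, ca_key, ca_cert, db_path):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS audit(ts TEXT, vin TEXT, serial TEXT, result TEXT)")

    def _audit(self, vin, serial, result):
        self.db.execute("INSERT INTO audit VALUES(?,?,?,?)",
                        (dt.datetime.now(dt.timezone.utc).isoformat(), vin, serial, result))
        self.db.commit()

    def provision(self, vin, bootstrap_cert):
        if not issued_by(bootstrap_cert, self.ca_cert):
            self._audit(vin, "-", "REJECTED")
            raise PermissionError("bootstrap identity not issued by Factory CA")
        device_key = ec.generate_private_key(ec.SECP256R1())   # server-side secp256r1 keypair
        device_cert = issue_cert(vin, device_key.public_key(), "Factory CA", self.ca_key)
        key_pem = device_key.private_bytes(serialization.Encoding.PEM,
                                           serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
        del device_key  # server keeps no copy once the PEM has been handed to the tunnel
        self._audit(vin, format(device_cert.serial_number, "x"), "ISSUED")
        return key_pem, device_cert.public_bytes(serialization.Encoding.PEM)

def client_store(enclave_dir, vin, key_pem, cert_pem):
    """Client role: create the key file with mode 0400 from the start (no chmod-after-write window)."""
    os.makedirs(enclave_dir, exist_ok=True)
    key_path = os.path.join(enclave_dir, vin + ".key")
    with os.fdopen(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400), "wb") as f:
        f.write(key_pem)
    with open(os.path.join(enclave_dir, vin + ".crt"), "wb") as f:
        f.write(cert_pem)
    return key_path

def demo(vin="VIN12345"):
    """Whole flow with constructed identities: legitimate device provisioned, foreign-CA device refused."""
    ca_key, ca_cert = make_ca("Factory CA")
    tmp = tempfile.mkdtemp()
    server = FactoryServer(ca_key, ca_cert, os.path.join(tmp, "audit.db"))
    boot_key = ec.generate_private_key(ec.SECP256R1())  # stands in for the pre-installed bootstrap identity
    bootstrap = issue_cert("bootstrap-" + vin, boot_key.public_key(), "Factory CA", ca_key)
    key_pem, cert_pem = server.provision(vin, bootstrap)
    key_path = client_store(os.path.join(tmp, "device_enclave"), vin, key_pem, cert_pem)
    # Negative case: a bootstrap cert from a CA the factory does not trust must be refused (constructed).
    rogue_ca_key, _ = make_ca("Rogue CA")
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue = issue_cert("bootstrap-ROGUE", rogue_key.public_key(), "Rogue CA", rogue_ca_key)
    try:
        server.provision("ROGUE", rogue)
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True
    # Client-side checks: the new cert chains to the Factory CA and the injected key signs what it verifies.
    device_cert = x509.load_pem_x509_certificate(cert_pem)
    device_key = serialization.load_pem_private_key(key_pem, password=None)
    device_cert.public_key().verify(device_key.sign(b"probe", ECDSA_SHA256), b"probe", ECDSA_SHA256)
    return {"cn": device_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
            "chain_ok": issued_by(device_cert, ca_cert),
            "mode": oct(os.stat(key_path).st_mode & 0o777),
            "rogue_rejected": rogue_rejected,
            "audit": server.db.execute("SELECT vin, result FROM audit ORDER BY rowid").fetchall()}
```

Calling `demo()` returns a dictionary summarising the run: the device certificate's CN, whether it chains to the Factory CA, the key file's mode, whether the foreign-CA device was refused, and the audit rows in order. The `issued_by` check is written out by hand rather than delegated to a TLS stack so the "Rogue device" mitigation in the table is visible as code: both the issuer name and the CA signature must match, and every attempt, accepted or not, lands in the audit table.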
Tests: chain validation · mTLS negative case (a connection without a client cert is rejected) · the injected key signs and the issued cert verifies.
CA setup → mTLS server → key injection → audit DB + Docker deployment.
```bash
python3 ca/scripts/setup_ca.py
python3 -m uvicorn server.factory_server:app --host 0.0.0.0 --port 8443 \
  --ssl-keyfile certs/server/server.key --ssl-certfile certs/server/server.crt \
  --ssl-cert-reqs 2 --ssl-ca-certs ca/root_ca/ca.crt   # 2 = ssl.CERT_REQUIRED: client cert mandatory
python3 -m client.device_client VIN12345 --url https://localhost:8443
# → certs/device_enclave/VIN12345.key + VIN12345.crt (chmod 400)
```
Proof-of-concept — local PKI in place of HSM-backed production CA. Keys excluded from git.
PKI + mTLS + audited key injection — foundation for vehicle-to-cloud and zero-trust manufacturing.