Fully Automated Provisioning

by masa256k1 on November 11th, 2021

"Fully Automated Provisioning" is one of the core features of UNiD, which can fully automate device provisioning that used to be done manually. In this blog, I'd like to introduce how it works.

The typical flow

Typical Flow

In the typical flow, the provisioner generates the key pair for the device and registers the device with the device manager. The device manager submits the device's ID and public key to an intermediate CA to obtain a device certificate.

After the device registration, the provisioner injects the device's private key into the device. The device then creates a JWT, signs it with the private key, and sends the signed JWT to the MQTT broker.

The MQTT broker gets the device's public key from the device manager and verifies the signature to establish the connection.

Problem of the typical flow

In the typical flow, the private key can be compromised at the provisioner. To reduce that risk, you need to invest in a physically secure environment and employee background checks for key injection. Typically, key injection costs between $0.5 and $2.0 USD per device. After the key injection, you also need to develop the embedded software to protect and manage the private key on your devices.

To solve these issues, a hardware security module has been developed that can separate the execution area and the storage area from the application. This technology is called RoT (Root of Trust).

The Typical RoT flow

Typical RoT Flow

In the RoT flow, the device generates a key pair in the hardware secure zone and passes the public key to the provisioner. The rest of the flow is the same as the typical flow. This approach eliminates the cost of the key injection but still requires you to trust the manufacturing line.

Problem of the typical RoT flow

The device IDs and public keys can still be tampered with or misused during the device registration. In this flow, you have no choice but to trust the provisioners, device manager, and intermediate CAs in your manufacturing line.

If you are going to build your own private PKI, you need to consider how to manage the private keys of intermediate CAs with HSMs, which can be costly.

How can we automate the provisioning process without any central provider or authorities in the manufacturing line?

The DID and RoT Flow with UNiD

DID and RoT Flow

In the DID and RoT flow, the device generates a key pair in the hardware secure zone, computes a hash from the keys to create the payload, and registers the payload with the blockchain-based DPKI network. The UNiD DPKI network is built on a blockchain-agnostic layer 2 protocol that supports a globally scalable, immutable, append-only log with no central provider or authorities, so that it is censorship and tamper proof. The protocol is compliant with the W3C Decentralized Identifiers specification.

In this flow, you don't need to trust any intermediaries such as the provisioners and intermediate CAs. UNiD can fully automate the provisioning process to eliminate the manual operation costs and vulnerabilities in the manufacturing line.
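The hash-based binding described in the DID and RoT flow above, as an added example in Go that is not UNiD's own code: the identifier is derived from a hash of the device's public key, so a registration in which an intermediary swaps the key is rejected without trusting a provisioner or CA. The `did:example:` identifier format, the in-memory `Registry` standing in for the DPKI network, and the Ed25519 key generated in software are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// DeriveID builds a hypothetical identifier: "did:example:" + base64url(SHA-256(public key)).
// This is not UNiD's actual DID format; it only illustrates a self-certifying ID.
func DeriveID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + base64.RawURLEncoding.EncodeToString(sum[:])
}

// Registry stands in for the append-only DPKI log (assumption: an in-memory map).
type Registry map[string]ed25519.PublicKey

// Register rejects any entry whose key does not hash to the claimed identifier,
// so an intermediary cannot swap the key while keeping the device's ID.
func (r Registry) Register(id string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize || DeriveID(pub) != id {
		return errors.New("public key does not match identifier")
	}
	if _, exists := r[id]; exists {
		return errors.New("identifier already registered") // append-only: no overwrite
	}
	r[id] = pub
	return nil
}

// Verify resolves the identifier, re-checks the hash binding, then checks the signature.
func (r Registry) Verify(id string, msg, sig []byte) bool {
	pub, ok := r[id]
	return ok && DeriveID(pub) == id && ed25519.Verify(pub, msg, sig)
}

func main() {
	// On a real device the key pair is generated inside the hardware secure zone;
	// here it is generated in software (nil selects crypto/rand).
	pub, priv, _ := ed25519.GenerateKey(nil)
	id := DeriveID(pub)
	reg := Registry{}
	fmt.Println("register error:", reg.Register(id, pub))
	msg := []byte("constructed telemetry message")
	fmt.Println("signature valid:", reg.Verify(id, msg, ed25519.Sign(priv, msg)))
}
```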


In the typical RoT flow, you can reduce the key injection cost, but you always need to trust the intermediaries in your manufacturing line, which comes with high costs and vulnerability. UNiD can fully automate the provisioning process to remove the cost and vulnerability with digital trust.

You don't need to invest in the key injection, provisioners, or private PKI at all; purchase the MCU compatible with UNiD EDGE SDK, and it's all done for you.

To learn more about UNiD EDGE, please visit our GitHub, where we will feature a technical deep dive. Click the GitHub star 🌟 if you like!
