Introducing the 2024 PKI & Digital Trust Report     | Download the Report

Using Digital Certificates for IoT Root of Trust

Internet of Things (IoT)

IoT implementations share common security requirements: a trusted device identity, data confidentiality, and integrity of data and firmware running on the device. These translate into authentication, encryption and code signing.

However, without a mechanism to establish initial identities, then securely update credentials, cryptography, and firmware from any location, your IoT security strategy is left with a major hole.

Public key infrastructure (PKI) addresses this in-field commissioning challenge by using digital certificates to secure over the air updates for millions of connected devices. By cryptographically binding an identity to hardware, devices can authenticate connections, encrypt data, and verify the integrity of code executed on the device.

PKI and Digital Certificates for IoT

Every certificate eventually ties into a Root of Trust (RoT), which is the foundation for PKI. A properly established root certificate authority (CA) is paramount to ensure trust is maintained throughout the product lifecycle. The root CA establishes trust within the IoT devices and all other entities that are authorized to create secure connections with the device.

From the second the root is created, a chain of custody is established, which must remain intact from the minute it’s incepted throughout its lifetime. If this chain of custody is broken at any time, every device is potentially at risk.

For this reason, digital certificates have been widely adopted to secure low-power, high-volume connected products, with the flexibility to meet the requirements of most IoT devices.

Bootstrap Certificate Implementation

The following describes a method of establishing digital identities within IoT devices using bootstrap certificates and a registration handling vetting process.

These steps provide a process for establishing initial unique device identities via a bootstrap certificate during manufacturing. This process can be vetted to ultimately issue a full identity certificate when the IoT device is fully commissioned.

bootstrap (1)


An initial certificate is generated on each device using on device key generation (ODKG).


A bootstrap identity certificate can be generated as a self-signed certificate, and also doesn’t have to be chained to a RoT yet, without requiring a full-fledged Certificate Authority (CA).


When the device is created on the manufacturing line, sufficient information/metadata is collected about the device to be used in the future for the vetting process.


After the vehicle is turned on for the first time or during QA/testing, a registration request is processed and presented along with specific manufacturing information.


The bootstrap certificate in each device is replaced with a real certificate only after the registration handling process has been completed successfully.


The device is fully provisioned, and the official certificate is activated. Now whenever the vehicle is started, it could validate the digital identity against the RoT using built-in signature verification.


Now with Keyfactor’s certificate lifecycle automation capabilities, companies can re-enroll/replace/revoke these identity certificates over the lifetime of the device and replace credentials as needed.

PKI for IoT

Companies that provide strong identity for their IoT devices at scale can deliver to market faster and more securely, differentiate their products, and increase visibility across the IoT supply chain to prevent fraud and mitigate widespread attacks.

Download the Zero Trust Manufacturing eBook to see how use digital certificates to establish digital trust throughout your manufacturing supply chain.

headshot of wael altaqi

Wael Altaqi

Senior Solutions Engineer