This example shows all steps of the onboarding process of a device to AWS IoT Core using the pre-provisioned credentials of the EdgeLock SE050 secure element.
AWS IoT authenticates client certificates using the TLS protocol's client authentication mode. In TLS client authentication, AWS IoT requests an X.509 client certificate and validates the certificate's status against a registry of certificates in the AWS account. It challenges the client for proof of ownership of the private key that corresponds to the public key contained in the certificate.
The secure element EdgeLock SE050 is used to securely store the private client keys and perform the client authentication.
AWS IoT supports the following types of X.509 client certificates, all of which are supported by EdgeLock SE050:
Only Option 3 supports the onboarding of a device to AWS IoT Core using the pre-provisioned credentials of a generic EdgeLock SE050. This option is known as “AWS IoT Core Multi-Account Registration”; it has been generally available since 30th April 2020 and is supported by the AWS CLI. Customer-specific configurations of EdgeLock SE050 with pre-provisioned certificates can even use Option 2.
The following hardware will be used for this demo:
For further details see NXP “AN12570 Quick start guide with Raspberry Pi”, chapter “2 Prepare your Raspberry Pi”. In the following sections, we will use the OM-SE050RPI adapter board.
Make sure the jumpers in your OM-SE050ARD board are configured as shown in the figure below (equal to the default configuration of OM-SE050ARD):
Stack the OM-SE050ARD with the adapter board to the Raspberry Pi
Alternatively, it is possible to connect the OM-SE050ARD to the Raspberry Pi board with wires, as shown in the figure below:
This section explains how to get your Raspberry Pi ready to execute the EdgeLock SE050 Plug & Trust middleware.
Enable I2C if not yet enabled on your Raspberry Pi.
If the output does not list i2c-1, I2C needs to be enabled for your board.
Use the down arrow to select Interfacing Options. Follow the instructions and enable I2C.
Create a new folder called se050_middleware:
Install the required build tools, if the image does not have them already.
Unzip the EdgeLock SE050 Plug & Trust middleware in the se050_middleware folder:
Run the following commands to build the OpenSSL engine for SE050. For further details, please see “AN12570 Quick start guide with Raspberry Pi”, chapter “3.2 Build EdgeLock SE050 Plug & Trust middleware”. If the hostname is “raspberrypi”, the configuration for a Raspberry Pi is created automatically:
In this example, the SE050 Python-based ssscli tool is used to extract the credentials of the EdgeLock SE050. The following steps must be completed before running the ssscli tool, and are needed only once per installation.
To install ssscli tool, run the following commands once:
To install the AWS CLI tool, run the following commands once:
Add AWS CLI executable to your Command-Line Path:
Confirm that the AWS CLI tool was successfully installed:
To access AWS, you will need to sign up for an AWS account.
Access keys consist of an access key ID and a secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them by using the IAM console at https://console.aws.amazon.com/iam/.
To get your access key ID and secret access key:
You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI.
Run the following command to quickly set your credentials, region, and output format:
In this example we use ECC credentials: the key with ID 0xF0000100 and the corresponding certificate with ID 0xF0000101. You can use any of the certificates that are pre-provisioned in your EdgeLock SE050. Please refer to AN12436 - SE050 Configurations for a list of the available key and certificate IDs.
Create a folder to store the EdgeLock SE050 credentials:
Using the pySSSCLI tool, read out the device certificate.
The private device key is securely stored inside the EdgeLock SE050 and cannot be read out.
The EdgeLock SE050 Device Reference Key is used by the OpenSSL Engine to invoke the SE050 private key operation.
Using the pySSSCLI tool, read out the device reference key.
Use the AWS CLI tool to register the extracted device certificate in your AWS IoT Console.
The command line options are:
Execute the following command:
This command returns the certificate ARN and certificate ID. A certificate Amazon Resource Name (ARN) uniquely identifies this certificate. You can open the AWS IoT console to check whether the certificate was successfully registered.
First, create a JSON document “se050_raspi_policy.json” with the following content, using for example the nano editor.
Note: for demo purposes, this policy allows access to all iot actions on all resources.
The following command creates an empty file.
Copy and paste the content into the text editor and save the file.
Use the AWS CLI tool to create the policy in your AWS IoT Console.
You can open the AWS IoT console to check if the policy was successfully created.
Attaching an AWS IoT Core policy to a certificate gives the device connecting with this certificate the permissions specified in the policy.
Use the AWS CLI tool to attach the policy to the device certificate.
Run the following command to print out the AWS IoT endpoint address of your account. This will be used later:
Alternatively, you can obtain the customer AWS IoT endpoint using the AWS IoT console.
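The credential extraction, certificate registration, policy creation, policy attachment and endpoint lookup described above, collected into one script as an added example (not the page's or NXP's own code). The AWS CLI subcommands are the documented ones for multi-account registration; the ssscli argument syntax, the file names and the policy document (written to match the page's "all iot actions on all resources" description) are assumptions.

```shell
#!/bin/sh
# Added example, not from the NXP page. AWS CLI calls are the documented
# multi-account registration commands; the ssscli argument syntax is an
# assumption, check `ssscli --help` on your middleware version.
set -eu

CERT_ID=0xF0000101   # pre-provisioned device certificate object in the SE050
KEY_ID=0xF0000100    # matching ECC key pair; the private key never leaves the SE050
POLICY_NAME=se050_raspi_policy

# Demo-only policy (constructed): allows every iot action on every resource.
# Restrict it to iot:Connect/Publish/Subscribe/Receive on specific ARNs in production.
write_demo_policy() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ]
}
EOF
}

# Read the certificate and the reference key (a PEM that only points the
# OpenSSL engine at the SE050 key slot) out of the secure element.
extract_se050_credentials() {
    ssscli connect se05x t1oi2c none
    ssscli get cert "$CERT_ID" "$1/device_cert.pem" --format PEM
    ssscli refpem ecc pair "$KEY_ID" "$1/device_ref_key.pem"
    ssscli disconnect
}

# Register the certificate without a CA (multi-account registration), create
# the policy and attach it to the certificate. Prints the certificate ARN.
register_and_attach() {
    arn=$(aws iot register-certificate-without-ca \
            --certificate-pem "file://$1" --status ACTIVE \
            --query certificateArn --output text)
    aws iot create-policy --policy-name "$POLICY_NAME" \
        --policy-document "file://$2" >/dev/null
    aws iot attach-policy --policy-name "$POLICY_NAME" --target "$arn"
    echo "$arn"
}

# Only run the real flow when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--run" ]; then
    mkdir -p se050_creds
    extract_se050_credentials se050_creds
    write_demo_policy se050_creds/se050_raspi_policy.json
    register_and_attach se050_creds/device_cert.pem se050_creds/se050_raspi_policy.json
    aws iot describe-endpoint --endpoint-type iot:Data-ATS --query endpointAddress --output text
fi
```

Run it as `sh onboard_se050.sh --run` on the Raspberry Pi after `aws configure`; the printed endpoint address is the one passed to the MQTT demo later.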
Navigate to the demos/linux/aws_eou directory and execute buildScript.sh. This will build the project iot_demo_mqtt.
Copy all SE050 credentials into the example output/bin folder:
To let OpenSSL use the engine, set the OpenSSL config path to point to the preconfigured config file:
Navigate to the demos binary folder:
Run the demo, specifying your endpoint URL and the certificate and key files:
Go to the AWS IoT Core dashboard and subscribe to the following topic:
The MQTT topic you subscribed to will now appear in the Subscriptions section, as shown in the figure below.