Secure factory provisioning: PKI for industrial IoT

How to securely identify millions of devices without compromising security at the factory.

Every connected device needs a unique identity to be trusted by your cloud. But how do you give 100,000 devices their identity without compromising security on the factory floor? Here's the playbook we use.

The problem: from anonymous chip to trusted device

A microcontroller leaves the foundry with no identity. It needs:

  • A unique cryptographic key pair (private key never extractable)
  • A certificate signed by your Certificate Authority (CA)
  • Initial configuration (server URL, network credentials, etc.)

And all this must happen at the factory, often in a third-party contract manufacturer's facility, possibly in a different country. How do you do this without:

  • Leaking your CA private key
  • Letting factory workers steal keys
  • Allowing counterfeits to provision themselves

The naive approach (don't do this)

Ship a USB key to the factory with your CA private key. Have factory workers generate certificates per device. Problem: the CA key is now sitting in a factory in Shenzhen, accessible to anyone with physical access. The whole product line can be cloned.

The right approach: Hardware Security Modules (HSM)

The CA private key never leaves an HSM — a tamper-resistant hardware device. Two main patterns:

Pattern 1: HSM at the factory

A networked HSM (Thales, Utimaco, AWS CloudHSM) is physically deployed at the factory. Each device generates its own key pair locally (in its secure element), sends a CSR (Certificate Signing Request) to the HSM, and receives a signed certificate back. The CA key never leaves the HSM.

Trade-offs: requires an HSM physically on site (cost, logistics), but works offline, which suits factories without reliable cloud connectivity.

Pattern 2: Cloud HSM with bounded provisioning

The HSM lives in your cloud (AWS CloudHSM, Azure Key Vault HSM). The factory's provisioning workstation has a time-bounded credential to request certificates. Each request is authenticated and rate-limited.

Trade-offs: requires reliable cloud connectivity at the factory, but is easier to manage and audit centrally.

Secure Elements: the device-side requirement

Even with a strong CA, each device must protect its own private key. This requires a Secure Element (SE), either a discrete chip or hardware security built into the MCU or module:

  • Discrete SE: NXP A1006, Infineon Optiga, ATECC608A. Cost: $0.30-1.50 per device.
  • Built into the MCU: Microchip CryptoAuth, NXP MCUXpresso, STM32 with TrustZone
  • Built into the cellular module: Quectel, Telit, u-blox with embedded SE

The SE generates the private key internally, so it never exists in software memory. Compromising one device compromises only that device.

The full provisioning flow

  1. The SE generates the private key and a certificate signing request (CSR) on the device
  2. The factory station collects the CSR and sends it to the HSM (local or cloud) for signing
  3. The HSM verifies the factory station's authorisation and signs the certificate
  4. The certificate is written back to the device's SE
  5. The device is added to the fleet management system, ready to ship
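Here is the same flow as a runnable model in Go, added for this page (not code from the post's authors or from any HSM or SE vendor): the SecureElement and HSM types stand in for the hardware, and the point is which operations cross each boundary (only a CSR leaves the device, only a signed certificate leaves the HSM), how the station's time-bounded credential and per-batch quota gate issuance, and what gets logged for the audits. The self-signed CA, the token map, the quota and all names are assumptions made for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
type SecureElement struct{ key *ecdsa.PrivateKey } // device side: the key is generated here and never exported
// NewSecureElement is step 1: generate the key inside the SE and hand back only the CSR for deviceID.
func NewSecureElement(deviceID string) (*SecureElement, []byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, k)
	return &SecureElement{key: k}, csr, err
}
// HSM stands in for the CA boundary: the CA key is unexported and Sign is the only operation on it.
type HSM struct {
	caKey  *ecdsa.PrivateKey
	CACert *x509.Certificate
	Tokens map[string]time.Time // factory station token -> expiry (the time-bounded credential)
	Quota  int                  // certificates this production batch may issue (the rate limit)
	Log    []string             // "serial factory time" per issuance, for audits and revocation
}
// NewHSM bootstraps a self-signed CA inside the boundary (constructed for this example).
func NewHSM(now time.Time) (*HSM, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Device CA"}, NotBefore: now,
		NotAfter: now.AddDate(20, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, ca, ca, &k.PublicKey, k)
	if err == nil { ca, err = x509.ParseCertificate(der) }
	return &HSM{caKey: k, CACert: ca, Tokens: map[string]time.Time{}}, err
}
// Sign is steps 2-5 on the HSM side: gate the station, check proof of possession, issue, log.
func (h *HSM) Sign(token, factory string, csrDER []byte, now time.Time) ([]byte, error) {
	if exp, ok := h.Tokens[token]; !ok || now.After(exp) || len(h.Log) >= h.Quota { return nil, errors.New("station not authorised or batch quota exhausted") }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // the device must really hold the key
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	leaf := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, h.CACert, csr.PublicKey, h.caKey)
	if err == nil { h.Log = append(h.Log, serial.Text(16)+" "+factory+" "+now.UTC().Format(time.RFC3339)) }
	return der, err
}
```

Refused requests (expired credential, bad proof of possession, exhausted quota) never reach the log, so the log length is exactly the number of certificates issued.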

Auditing and revocation

Plan from day one:

  • Every provisioned certificate is logged with serial number, timestamp, factory location
  • Certificate Revocation Lists (CRLs) or OCSP allow you to revoke compromised devices
  • Quarterly audits verify that factory provisioning logs match shipped quantities

Building a secure IoT product?

Factory provisioning is one of the trickiest parts. We help you design it right from the start.
