Skip to main content Link Menu Expand (external link) Document Search Copy Copied

How to manufacture and bulk produce Sidewalk devices

This section describes how to mass manufacture your Sidewalk-enabled products for production. You’ll learn about the pre-requisites and tools that are used, and the steps that are performed in manufacturing your devices. It also contains information about the steps that you must perform and the steps that must be performed by the CM.


Required toolkit

To manufacture your Sidewalk devices with AWS IoT Core for Amazon Sidewalk, a collection of tools run on one or more Ubuntu or Windows-based machines. The following tools are required for mass manufacturing:

  • OpenSSL
    OpenSSL version 1.1.1 or greater. OpenSSL with Ed25519 support is required.
  • Sidewalk signing tool
    The Sidewalk signing tool takes a Sidewalk CSR as input for each of the required elliptic curves, and returns a signed certificate chain for the specified EC. To get access to the latest version of the tool, contact Amazon Sidewalk support.

    The signing tool can run on a single machine or distributed in a client-server setup. Running the tool on a single machine can be useful when testing a single line of manufacturing. When you want multiple clients to use a single HSM, you distribute the tool in a client-server setup.

  • YubiHSM connector
    The YubiHSM connector, yubihsm-connector, is a back-end application that’s required to communicate with the HSM token.
  • Nginx
    Nginx is a web server that’s required when you’re using the client-server setup. This tool serves as a reverse proxy for the YubiHSM connector. It controls access to the yubihsm-connector, such as mutually authenticated TLS providing a secure connection between the components.

HSMs for Sidewalk signing tool

When manufacturing your Sidewalk devices, each Sidewalk-enabled device that joins the Sidewalk network must be provisioned with a Sidewalk device certificate. The HSM that’s issued for use with the Sidewalk signing tool has these two major components.

  • The public portions of the device certificates, or the Sidewalk certificate chain. It consists of four certificates up to the Amazon root, and provides a path of valid certificates, or chain of trust, to the Amazon Root CA. After the device certificates have been generated, the public device information must be uploaded to Amazon using control log ingestion.
  • The private key (DAK), that will be stored in the device.

For more information, see Device attestation key (DAK).


  • Printed circuit board assembly (PCBA) with a supported chipset. When testing HSM-based provisioning, you can use a Sidewalk hardware development kit (HDK).
  • HSM specifically created for your Sidewalk product by Amazon. Amazon can provide multiple HSMs per product, if needed. Each HSM is identified by a unique serial number, YubiHSM SN, that is printed on the side that does not have the USB contacts. For information about purchasing a YubiHSM, see YubiHSM. The number of YubiHSM needed is based on the mode of operation, as described in Step 1: Setting up the host. For more information, see the HSM section.
  • HSM vendor-provided SDK. For more information, see YubiHSM2 releases.
  • Sidewalk device profile that’s factory supported and qualified for production. The Sidewalk signing tool requires the APID information from the created profile.
  • Computer or native machine running Ubuntu 20.04 or Windows 10.
  • Sidewalk signing tool, which corresponds to the Python script To get access to the latest version of the tool, contact Amazon Sidewalk support.
  • Python interpreter (version 3.8 or above), which is required by the signing tool.

Manufacturing workflow overview

The following describes the steps that are involved in mass manufacturing your Sidewalk devices. You’ll also learn more about the steps that you need to perform and the steps performed by the contract manufacturer (CM) in the manufacturing workflow.

You need to create a Sidewalk device profile and obtain factory support so that it’s qualified for production use. The CM then sets up the required tools on the host machines, and runs the Sidewalk signing tool to obtain the certificates and generate the control logs. The CM also uploads these logs to Amazon Sidewalk using EDI or an SFTP endpoint, after which you receive a CSV file. You’ll then upload this CSV file to an S3 bucket and use AWS IoT Core for Amazon Sidewalk to bulk provision your Sidewalk devices.

For more information, see How Amazon Sidewalk manufacturing works.

  • Step 1: Setting up the host

    The contract manufacturer (CM) sets up the required tools on the host machines for manufacturing your Sidewalk devices. You don’t need to take any action.

  • Step 2: Provisioning with CSR and Sidewalk Signing tool

    You create a prototype device profile and request the Amazon Sidewalk team to provide factory support. The CM then generates the CSRs, runs the YubiHSM connector in the background, and uses the Sidewalk signing tool to return the encoded and signed Sidewalk certificate chains.

  • Step 3: Constructing and uploading Sidewalk control logs

    The CM then uses the signing tools to generate and consolidate the control logs, which is then uploaded to Amazon Sidewalk using EDI or an SFTP point. You’ll then receive an email with a CSV file attached that contains the status information.

You can now upload the CSV file received to an S3 bucket and provide the information to AWS IoT Core for Amazon Sidewalk for bulk provisioning. If AWS IoT Core for Amazon Sidewalk finds a match in the serial numbers between the CSV file and the control logs that it receives from Amazon Sidewalk, the corresponding devices are then provisioned.

The following sections describe each of these steps in additional detail.

Back to top

©2023, Inc. or its affiliates (collectively, “Amazon”). All Rights Reserved.