The following section describes the key components of the Amazon Sidewalk manufacturing process.
- Device attestation key (DAK)
- Sidewalk certificates
- Hardware Security Module (HSM)
- Advertised product ID (APID)
The device attestation key (DAK) is a certificate that is endorsed by the product certificate. It is used to endorse the device certificates that authenticate the Sidewalk device with the Sidewalk network server. For prototype devices, the cloud maintains a Prototype DAK, which is used to sign the prototype device certificates. For devices that are manufactured at the contract manufacturer (CM), the Production DAK is provided in a Hardware Security Module (HSM).
The DAK is tied to the Sidewalk device profile created with AWS IoT Core for Amazon Sidewalk.
Sidewalk certificate chain
The Sidewalk certificate chain is a collection of certificates that consists of the Amazon Root Certificate Authority (CA), multiple intermediate CAs including the DAK, and the leaf certificate, which corresponds to the device certificate. It provides a chain of trust to the Amazon Root CA. When you manufacture your devices, the entire public certificate chain from device to root is uploaded during control log ingestion.
Application service key pair
This key pair is unique to each application server. It authenticates the application server with the Sidewalk device. Devices that connect to the same application server use the same application server key pair. The public key is located in the manufacturing data storage on your Sidewalk device.
Sidewalk network server certificate
This certificate is used to authenticate the Sidewalk network server with the device. All Sidewalk devices use the same Sidewalk network server certificate. This certificate is located in the Sidewalk SDK on your device.
The HSM is a secure hardware key store for the manufacturing industry. To enable device manufacturing for a product, Sidewalk provisions the DAK certificate, including the DAK private key, onto the HSM. The HSM is used during the provisioning process at the CM to orchestrate signing of the device certificates without exposing the DAK private key. The HSM also includes the full intermediate public certificate chain up to the Amazon Root. The HSM can be purchased from the YubiHSM webpage.
For more information about starting manufacturing and requesting the HSM key, contact Amazon Sidewalk Support.
The APID parameter is an alphanumeric string that is needed during manufacturing. The APID is located in the manufacturing data storage on your Sidewalk device. After you receive the HSM key from Sidewalk, you can obtain the APID from the AWS IoT console, or by using the GetDeviceProfile API operation or the get-device-profile CLI command that's provided by AWS IoT Core for Amazon Sidewalk.
If a customer already has an APID (from interacting with other Amazon systems), the Sidewalk team can link it to the customer's Sidewalk device profile for pre-production or production purposes. In the absence of a customer-provided APID, the Sidewalk team generates one and associates it with the given device profile.
For prototype devices, the DeviceTypeId must be used instead of the ApId. The ApId must be used only for production or pre-production devices.
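The identifier rule above can be enforced as a pre-flight check before manufacturing data is generated. The following is an added example, not code from the Sidewalk SDK or AWS: the helper names `select_device_id` and `ProfileError` are hypothetical, and the JSON field names under `Sidewalk` and the use of `FactorySupport` to mark a production DAK entry are assumptions about the saved get-device-profile output.

```python
import json

# Constructed sample shaped like a get-device-profile response; the field
# names under "Sidewalk" are assumptions, and all values are made up.
SAMPLE_PROFILE = json.loads("""
{
  "Id": "00000000-0000-0000-0000-000000000000",
  "Name": "example_profile",
  "Sidewalk": {
    "DakCertificateMetadata": [
      {"CertificateId": "PROTO-EXAMPLE", "FactorySupport": false,
       "DeviceTypeId": "ab12"},
      {"CertificateId": "PROD-EXAMPLE", "FactorySupport": true,
       "ApId": "Xy9Z", "DeviceTypeId": "ab12"}
    ]
  }
}
""")


class ProfileError(ValueError):
    """Raised when the profile cannot supply the identifier a build needs."""


def select_device_id(profile, production):
    """Return (field, value, certificate_id) for the manufacturing data.

    production=True  -> ApId from a factory-enabled DAK entry
    production=False -> DeviceTypeId from a non-factory (prototype) entry
    """
    sidewalk = profile.get("Sidewalk") or {}
    # Match the metadata key case-insensitively (its spelling is an assumption).
    entries = next((v for k, v in sidewalk.items()
                    if k.lower() == "dakcertificatemetadata"), None) or []
    field = "ApId" if production else "DeviceTypeId"
    for entry in entries:
        if bool(entry.get("FactorySupport")) != production:
            continue  # never mix prototype and production DAK entries
        value = entry.get(field)
        # The page describes the APID as an alphanumeric string.
        if isinstance(value, str) and value.isascii() and value.isalnum():
            return field, value, entry.get("CertificateId")
    kind = "production" if production else "prototype"
    raise ProfileError(f"no usable {field} for a {kind} build")
```

The check fails closed: a production build against a profile that has only a prototype DAK entry raises `ProfileError` rather than falling back to the `DeviceTypeId`.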