Components of Amazon Sidewalk manufacturing
The following section describes the key components of the Amazon Sidewalk manufacturing process.
Topics
- Device attestation key (DAK)
- Sidewalk certificates
- Hardware Security Module (HSM)
- Getting an HSM Provisioned
- Advertised product ID (APID)
Device attestation key (DAK)
A Device Attestation Key (DAK) acts as a certificate authority for a device type. It endorses the device certificate used for Sidewalk device authentication with the Sidewalk network server. For prototype devices, the cloud maintains a Prototype DAK that signs the prototype device certificates. For devices manufactured at the Contract Manufacturer (CM), the Production DAK is provided in a Hardware Security Module (HSM).
The DAK is tied to the Sidewalk device profile created with AWS IoT Core for Amazon Sidewalk.
Sidewalk certificates
Sidewalk certificate chain
The Sidewalk certificate chain is the collection of certificates consisting of the Amazon Root Certificate Authority (CA) and multiple intermediate CAs, including the DAK, that sign and issue device certificates during device provisioning and manufacturing. It provides a chain of trust from the device up to the Amazon Root CA. When you manufacture your devices, the entire public certificate chain from device to root is uploaded during control log ingestion.
See Amazon Sidewalk protocol specification, section 4.1.2 Certificate chain for more details.
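The chain-of-trust relationship described above, modelled as an added example in Go (not code from this page or from Amazon): a simulated root endorses a per-device-type DAK, the DAK endorses a device certificate, and the verifier accepts a device only through its own DAK back to the trusted root. Standard X.509 with ECDSA P-256 stands in for the Sidewalk certificate format defined in the protocol specification; the subject names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal certificate body; ca is true for the root and the DAK.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// issue signs tmpl for pub with the signer's private key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildChain simulates provisioning for one device type: root endorses the DAK, the DAK key (in production held only in the HSM at the CM) endorses the device.
func BuildChain(deviceType string) (root, dak, dev *x509.Certificate) {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, dakKey, devKey := gen(), gen(), gen()
	rootT := template("Simulated Root CA", 1, true)
	root = issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	dak = issue(template("DAK "+deviceType, 2, true), root, &dakKey.PublicKey, rootKey)
	dev = issue(template("device-0001", 3, false), dak, &devKey.PublicKey, dakKey)
	return root, dak, dev
}

// VerifyDevice performs the network-server side check: device -> DAK -> root.
func VerifyDevice(dev, dak, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(dak)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

A device certificate endorsed by another device type's DAK, or a DAK that does not chain to the trusted root, is rejected, which is why the full public chain from device to root must be uploaded with the control logs.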
Application service key pair
This key pair is unique to each application server. It authenticates the application server with the Sidewalk device. Devices that connect to the same application server use the same application server key pair. The public key is located in the manufacturing data storage on your Sidewalk device.
Sidewalk network server certificate
This certificate is used to authenticate the Sidewalk network server with the device. All Sidewalk devices use the same Sidewalk network server certificate. This certificate is located in the Sidewalk SDK on your device.
Hardware Security Module (HSM)
The HSM is a hardened, tamper-resistant hardware device that allows secure key management. To enable device manufacturing, the Amazon Sidewalk team provisions the DAK certificate, including the DAK private key, onto the HSM. The HSM is used during the provisioning process at the CM to orchestrate signing of the device certificates without exposing the DAK private key. The HSM also includes the full intermediate public certificate chain up to the Amazon Root CA. HSMs can be purchased from the YubiHSM webpage.
Getting an HSM Provisioned to Support Mass Production of your Sidewalk Endpoint Device
When you are ready to start mass production, the Amazon Sidewalk team needs to prepare a physical HSM for you. Submit the following information about the new Sidewalk device you have created to your Amazon Sidewalk Support contact:
- AWS account ID associated with the Sidewalk product
- Device Profile ID for the Sidewalk product
- Number of YubiHSMs to be provisioned
- Contact email for sending encrypted email with DAK PIN
- PGP public key for encrypting DAK PIN
- Return Shipping Address including name and contact phone number
- Shipping provider (for example, UPS, FedEx, or DHL) and account number
Advertised Product ID (APID)
The APID parameter is an alphanumeric string that is needed during manufacturing. The APID is located in the manufacturing data storage on your Sidewalk device. After receiving the HSM key from Sidewalk, you can obtain the APID from the AWS IoT console, from the GetDeviceProfile API operation, or from the get-device-profile CLI command provided by AWS IoT Core for Amazon Sidewalk.
If you already have an APID (by interacting with other Amazon systems), Amazon can link it to your Amazon Sidewalk device profile for pre-production or production purposes. If you don’t already have an APID, Amazon will generate one and associate it with the device profile you provide.
For prototype devices, the DeviceTypeId must be used instead of the APID. The APID must be used only for production or pre-production devices.