There are an estimated 15 billion IoT devices connected today. By 2030, that number reaches 30 billion. Each one needs to prove its identity — to cloud platforms, to gateways, to other devices, and to the humans who manage them.
Passwords don’t work at IoT scale (can’t type a password into a sensor). Shared secrets don’t work (compromise one device, compromise all). API keys don’t work (no revocation, no expiry, no identity binding).
Certificates work. A unique X.509 certificate per device provides: cryptographic identity (this device is genuine), encrypted communication (TLS/DTLS), mutual authentication (device proves identity to cloud, cloud proves identity to device), and lifecycle management (expiry, renewal, revocation).
But IoT certificate management is fundamentally different from server certificate management. Devices are constrained (limited CPU, memory, bandwidth). They’re deployed for decades (not months). They’re often unreachable (no always-on internet). And there are millions of them (not hundreds).
The IoT Identity Architecture
Device Identity Types
| Identity Type | What It Proves | Issued When | Lifetime |
|---|---|---|---|
| IDevID (Initial Device Identity) | “I am a genuine device from manufacturer X” | At manufacturing | Device lifetime (20+ years) |
| LDevID (Locally Significant Device Identity) | “I am authorized to operate in environment Y” | At deployment/provisioning | Operational period (1-5 years) |
| Session credential | ”I am authorized for this specific session” | At each connection | Minutes to hours |
The layered model:
IDevID (permanent, from manufacturer)
→ proves device is genuine hardware
→ used to bootstrap trust for LDevID enrollment
LDevID (operational, from device owner)
→ proves device is authorized in this network
→ used for mTLS to cloud platform
→ renewed periodically (if device can reach CA)
Session token (ephemeral, from auth server)
→ proves device is authorized for specific actions
→ short-lived, limits blast radius of compromiseProvisioning at Manufacturing Scale
The Challenge
A factory produces 10,000 devices per day. Each needs a unique certificate with a unique key pair. The private key must be generated inside the device’s secure element (never exposed). The certificate must be signed by the organization’s CA. All in the time it takes to assemble and test the device (~30 seconds on the production line).
The Solution: Secure Element + Manufacturing CA
Production Line Flow:
1. Device assembled with secure element (ATECC608, TPM, TrustZone)
2. Secure element generates key pair internally (private key never leaves chip)
3. Secure element outputs public key + device serial number
4. Manufacturing station sends CSR to CA (containing public key + serial)
5. CA signs certificate (IDevID) — binds public key to device identity
6. Certificate written to device secure storage
7. Device tested and shipped
Time per device: ~2-5 seconds for crypto operations
Throughput: 10,000+ devices/day per production lineImplementation with AWS IoT Core
# Register manufacturing CA with IoT Core
aws iot register-ca-certificate \
--ca-certificate file://manufacturing-ca.pem \
--verification-certificate file://verification.pem \
--set-as-active
# Enable Just-In-Time Registration (JITR)
# When a device connects with a cert signed by this CA,
# IoT Core automatically registers it
aws iot update-ca-certificate \
--certificate-id <ca-cert-id> \
--new-auto-registration-status ENABLE
# Device connects with its IDevID certificate → auto-registered
# No per-device registration needed at manufacturing timeImplementation with Azure IoT Hub DPS
{
"enrollmentGroupId": "factory-sensors-2026",
"attestation": {
"type": "x509",
"x509": {
"signingCertificates": {
"primary": {
"certificate": "<manufacturing-intermediate-ca-pem>"
}
}
}
},
"allocationPolicy": "hashed",
"iotHubs": ["hub-us-east.azure-devices.net", "hub-eu-west.azure-devices.net"]
}Any device with a certificate signed by the manufacturing CA is automatically provisioned to the correct IoT Hub based on allocation policy.
Certificate Renewal on Constrained Devices
The Problem
Server certificates renew every 90 days via ACME. IoT devices can’t do this because:
- Intermittent connectivity: Device connects once per day (or less) for 30 seconds
- Constrained compute: Can’t run a full ACME client (too much code, too much memory)
- No DNS control: Device can’t create DNS records for DNS-01 challenges
- Long deployment: Device may be in the field for 10-20 years
- Unreachable: No inbound connectivity (behind NAT, cellular, LoRaWAN)
Solutions
Option 1: Long-lived certificates (simplest)
Issue certificate with 5-10 year validity
Accept the risk: if key is compromised, certificate is valid for years
Mitigate with: device attestation, behavioral monitoring, network segmentation
Best for: low-risk devices, air-gapped environmentsOption 2: EST re-enrollment (when device is online)
Device has existing certificate (LDevID)
When online: POST to EST server /.well-known/est/simplereenroll
Authenticate with current certificate (mTLS)
Receive new certificate
Install and switch
Best for: devices with periodic connectivity (daily check-in)
Requires: EST server reachable from device networkOption 3: Short-lived certificates + offline tolerance
Issue 30-day certificate
Device caches certificate locally
Renew when online (at 2/3 lifetime = day 20)
If offline for >30 days: certificate expires, device enters "re-enrollment" mode
Re-enrollment uses IDevID (permanent) to authenticate and get new LDevID
Best for: devices with mostly-reliable connectivity
Risk: device goes offline for extended period → loses operational identityOption 4: Cloud-managed renewal (platform handles it)
AWS IoT Core / Azure IoT Hub manages certificate lifecycle
Platform issues short-lived credentials at each connection
Device presents IDevID → platform returns session certificate
No long-lived operational certificate on device
Best for: devices that connect frequently (hourly/daily)
Requires: reliable connectivity to cloud platformRevocation at IoT Scale
The CRL Problem
You revoke 10,000 compromised device certificates. The CRL now has 10,000 entries. Every device that checks revocation must download this list over constrained bandwidth (cellular, LoRaWAN, satellite).
Math: 10,000 entries × ~50 bytes each = 500 KB CRL. Over NB-IoT (50 kbps): 80 seconds to download. Over LoRaWAN (0.3 kbps): 3.7 hours. Impractical.
Solutions
Short-lived certificates (best):
If certificates are valid for 24 hours:
- Compromised device can't renew (CA refuses)
- Certificate expires naturally within 24 hours
- No CRL needed — expiry IS the revocation mechanism
- Requires: device can reach CA at least once per dayOCSP stapling (for gateway-connected devices):
Gateway checks OCSP for each device certificate
Devices don't check revocation themselves
Gateway blocks revoked devices at the network edge
Requires: gateway with OCSP capability and connectivityAllowlist instead of blocklist:
Instead of "these 10,000 devices are revoked" (CRL)
Maintain "these 50,000 devices are authorized" (allowlist)
Smaller, more manageable for constrained environments
Updated at gateway/platform level, not on each deviceSecure Elements: The Hardware Root of Trust
The private key must be protected from extraction. Software-stored keys on IoT devices are trivially extractable (JTAG, firmware dump, flash read). Secure elements solve this:
| Secure Element | Key Storage | Crypto Operations | Cost | Use Case |
|---|---|---|---|---|
| Microchip ATECC608 | ECC P-256 keys | ECDSA sign/verify, ECDH | ~$0.50 | Low-cost IoT sensors |
| Infineon OPTIGA Trust | RSA + ECC keys | Sign, verify, encrypt | ~$1-2 | Industrial IoT |
| NXP SE050 | Multiple key types | Full crypto suite | ~$2-3 | High-security IoT |
| ARM TrustZone | Software-isolated keys | Depends on implementation | $0 (built into SoC) | Application processors |
| TPM 2.0 | RSA + ECC keys | Full crypto suite | ~$2-5 | Industrial, automotive |
The critical property: Private key is generated INSIDE the secure element and CANNOT be read out. Only signing/decryption operations can be performed — the key material never leaves the chip.
Standards and Protocols for IoT Identity
| Standard/Protocol | Purpose | Best For |
|---|---|---|
| IEEE 802.1AR (IDevID/LDevID) | Device identity framework | Manufacturing identity |
| EST (RFC 7030) | Certificate enrollment/renewal | Devices with HTTPS capability |
| SCEP | Simple enrollment | Legacy network devices |
| LwM2M | Device management + bootstrap | Constrained IoT (CoAP-based) |
| Matter (smart home) | Device attestation + commissioning | Consumer IoT |
| IEC 62443 | Industrial security | OT/ICS devices |
| ETSI EN 303 645 | Consumer IoT security | EU consumer devices |
FAQ
Q: Do all IoT devices need certificates? A: Any device that communicates over a network should have a cryptographic identity. For devices on isolated networks with no external connectivity (some industrial sensors), simpler authentication may suffice. But for any device connecting to cloud platforms, the internet, or untrusted networks — certificates are the standard.
Q: What about devices too constrained for TLS? A: Use DTLS (Datagram TLS) for UDP-based protocols, or (D)TLS with pre-shared keys for the most constrained devices. Some devices use CoAP with OSCORE (object-level security) instead of transport-level TLS. The principle remains: cryptographic identity, just with lighter protocols.
Q: How do I handle devices that can’t be updated? A: This is the hardest problem in IoT security. Devices with no update mechanism and long-lived certificates are permanently vulnerable if the algorithm is broken. Mitigations: network segmentation (isolate legacy devices), gateway-based security (proxy handles crypto), and planned obsolescence (replace devices that can’t be secured).
Q: What’s the cost of per-device certificates at scale? A: Using a private CA (Vault PKI, AWS Private CA, EJBCA): $0.001-$0.75 per certificate depending on platform. The secure element hardware adds $0.50-$5 per device. At 1 million devices: $500K-$5M for secure elements + negligible certificate cost. The alternative (no device identity) costs more in breaches, recalls, and reputation damage.
Q: Should I use RSA or ECC for IoT device certificates? A: ECC (P-256) exclusively. RSA keys are too large for constrained devices (256 bytes vs 32 bytes), operations are too slow, and there’s no security benefit. Every modern secure element supports ECC P-256. RSA has no place in IoT.