Provision AVS devices for FFS
For user security, you must have signed certificates for your Frustration-Free Setup (FFS) enabled devices. Use Device Attestation Keys (DAK) to sign your device certificates. The following instructions describe how to use a software-based DAK to sign the certificates for an FFS device during the manufacturing process for development or production.
Process overview
The following steps give a high-level overview of the provisioning process for an FFS-enabled device:
- Register your product in the Alexa Voice Service (AVS) developer console and onboard your product to FFS.
- From the AVS developer console, create a DAK key for your device type.
- Generate Device Hardware Authentication (DHA) certificates for each individual device, and provision the devices during manufacturing.
Step 1: Register and onboard your product for FFS
To register and onboard your product with FFS
- If you haven't already done so, register your product in the AVS developer console. For instructions, see Register a Product with AVS.
- Sign in to the AVS Developer Console.
- On the Product Details page for your product, select the Alexa app using Frustration-Free Setup option.
  After you create or update your product to use the Alexa app using Frustration-Free Setup option, you should see a new Device Setup tab.
Step 2: Create DAK for the device type
To create a DAK for a device type
- Click the Device Setup tab for your product.
- Under Device Provisioning, follow the prompts to create and download the new DAK certificate files:
  Note: Perform the following steps to create DAK certificate files once for each device type.
  - From the Manage Keys section, download the dak.conf file.
  - Open a terminal window on your computer.
  - On the command line, enter the following command sequence to generate dak_private_key.pem and dak.csr files from the dak.conf file:
      $ openssl ecparam -name prime256v1 > dak-params.pem
      $ openssl req -new -nodes -config dak.conf -newkey ec:dak-params.pem -keyout dak_private_key.pem -out dak.csr
  - In your web browser, go back to the Manage Keys section, and upload the dak.csr file that you just generated.
  - On the Manage Keys section, download the dak-certificate.pem and device.conf files.
Step 3: Generate DHA certificates and provision the devices
To generate a DHA certificate for a device to be provisioned
- On the command line, enter the following command sequence:
    $ openssl ecparam -name prime256v1 > dak-params.pem
    $ openssl req -new -nodes -config device.conf -newkey ec:dak-params.pem -keyout private_key.pem -out device.csr
- At the manufacturing line station, open a terminal window, sign the device certificate signing request (CSR) by using the DAK you downloaded from Amazon, and then generate the DHA certificate chain file.
  Using the device.csr, device.conf, dak-certificate.pem, and dak_private_key.pem files as inputs, enter the following command on the command line:
    $ openssl x509 -req -in device.csr -extfile device.conf -extensions req_ext -CA dak-certificate.pem -CAkey dak_private_key.pem -days 1825 -out device-certificate.pem -outform PEM -CAcreateserial -sha256
    $ cat device-certificate-XXXXXX.pem dak-certificate.pem > certificate.pem
- As part of the device manufacturing process, perform the following two steps:
  - Enter the following command to extract a DHA public key from the DHA certificate for authentication:
      $ openssl x509 -in device-certificate-XXXXXX.pem -pubkey -noout | openssl enc -base64 -d | openssl enc -base64 > dha-control-log-public-key.txt
  - Generate a device identification value for a 1D barcode on the device packaging to enable the Amazon fulfillment center to pre-register the device to a user account.
- As part of your manufacturing process, generate and upload the device control logs to Amazon. These logs contain the device DHA public key and device identification value.
  - For more details about the device control logs, see the Device Control Log Specification.
  - For details about the 1D barcode specification, see the 1D barcode requirements.
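A station-side check of the Step 3 outputs, as an added example that is not part of the original page or Amazon's tooling: it confirms that the device certificate is signed by the DAK, belongs to the device private key, and uses prime256v1. The function names, demo.conf, and the self-signed CA that stands in for the Amazon-issued DAK certificate are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: checks a manufacturing station can run on the Step 3 outputs.
# Prints "ok", or the name of the first failed check (and returns non-zero).
check_dha_chain() {  # args: device-cert dak-cert device-private-key
    dev=$1; dak=$2; key=$3
    # 1. The device certificate must carry a valid signature from the DAK.
    #    -partial_chain lets the DAK certificate itself act as trust anchor.
    openssl verify -partial_chain -CAfile "$dak" "$dev" >/dev/null 2>&1 ||
        { echo not-signed-by-dak; return 1; }
    # 2. The certified public key must belong to this device's private key.
    [ "$(openssl x509 -in "$dev" -pubkey -noout)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo key-mismatch; return 1; }
    # 3. The key must be on prime256v1, the curve used in the commands above.
    openssl x509 -in "$dev" -noout -text | grep -q 'ASN1 OID: prime256v1' ||
        { echo wrong-curve; return 1; }
    echo ok
}

# Constructed stand-ins so the example runs offline: a self-signed CA plays
# the DAK, and demo.conf replaces the dak.conf/device.conf files that the
# console provides (only the req_ext section name is taken from the page).
make_demo() {  # arg: empty working directory
    (
        set -e; cd "$1"
        printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
            '[dn]' 'CN = placeholder' \
            '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
            '[req_ext]' 'basicConstraints = CA:FALSE' > demo.conf
        openssl ecparam -name prime256v1 > dak-params.pem
        openssl req -x509 -new -nodes -config demo.conf -extensions v3_ca \
            -subj '/CN=Constructed DAK' -newkey ec:dak-params.pem \
            -keyout dak_private_key.pem -out dak-certificate.pem -days 30
        openssl req -new -nodes -config demo.conf -subj '/CN=Constructed device' \
            -newkey ec:dak-params.pem -keyout private_key.pem -out device.csr
        openssl x509 -req -in device.csr -extfile demo.conf -extensions req_ext \
            -CA dak-certificate.pem -CAkey dak_private_key.pem -days 1825 \
            -out device-certificate.pem -outform PEM -CAcreateserial -sha256
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" && check_dha_chain \
    "$demo_dir/device-certificate.pem" "$demo_dir/dak-certificate.pem" \
    "$demo_dir/private_key.pem"
```

On a real line, call check_dha_chain with the device certificate, dak-certificate.pem, and private_key.pem before the certificate chain is written to the device or the control log is uploaded.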
Private-keys security best practices
You're responsible for the security of the generated private keys for your devices. Amazon recommends creating the DHA key in a secure area of your device. For example, if you're implementing Amazon Common Software (ACS), you can replace the openssl commands with the following commands:
- Generate the DHAv2 key:
    $ ace hal dha key_gen
- Generate the CSR file:
    $ ace hal dha get_field 0x201 > ${device_name}.csr
- Sign the CSR:
    $ openssl x509 -req -in ${device_name}.csr -extfile device.conf -extensions req_ext -CA dak-certificate.pem -CAkey dak_private_key.pem -days 1825 -out device-certificate.pem -outform PEM -CAcreateserial -sha256
    $ cat device-certificate.pem dak-certificate.pem > /data/${device_name}.pem
- Set the signed CSR file:
    $ ace hal dha set_cert /data/${device_name}.pem
- Read the certificate chain, and upload the control log:
    $ ace hal dha get_field 0x202
Related topics
- About FFS for AVS
- Get Started with Frustration-Free Setup (FFS)
- Self-test your Frustration-Free Setup (FFS) implementation
- FAQ for FFS
Last updated: Mar 04, 2021