Consumer Tier 3 — Birth Certificate
App-assisted onboarding with manufacturer-issued birth certificates and device-generated keys via EST.
This is the highest security tier. The manufacturer operates their own PKI and issues a birth certificate to each device during production. The device generates all keypairs on-chip — private keys never leave the device. At setup time, a customer app provisions the device, and the device uses its birth certificate to authenticate with EST via mTLS and submits a CSR for a Glaze operational certificate.
Use Tier 3 when the manufacturer operates a PKI and the device has hardware-backed key generation (e.g., a secure element or TPM). This provides the strongest identity guarantee: the birth certificate proves hardware authenticity, and the operational private key never leaves the chip. Recommended for critical infrastructure, energy systems, and high-value assets.
Prerequisites
Manufacturer:
- Operate a PKI (Root CA + Intermediate CA)
- Share the manufacturer Root CA certificate with Glaze (one-time trust setup)
- Sign a birth certificate for each device during production
- Flash each device with: birth certificate, manufacturer CA chain, EST URL, Glaze Root CA certificate
- Register device manifest with the Glaze registry (serial, cert fingerprint, hardware revision, batch)
Platform:
- Beacon Tower EST server deployed and configured to trust the manufacturer Root CA
- Glaze CA operational
- Device Registry accessible from EST server
Device hardware:
- On-chip key generation (secure element, TPM, or equivalent)
- mbedTLS or similar with CSR (PKCS#10) capability
- Network connectivity (WiFi via BLE/SoftAP provisioning)
- Persistent secure storage for certificates
Sequence Diagram
Flow Walkthrough
Manufacturing
On the production line:
- Device generates birth keypair — The device generates an asymmetric keypair on-chip. The private key never leaves the secure element.
- CSR signed by manufacturer CA — The device exports a CSR containing its serial number and public key. The factory sends this to the manufacturer CA, which returns a signed birth certificate.
- Device flashed — The birth certificate, manufacturer CA chain, EST URL, and Glaze Root CA are written to the device.
- Registry updated — The factory registers the device manifest (serial, certificate fingerprint, hardware revision, batch) with the Glaze registry.
Step 1: Provision via App
The customer app scans the device and calls the Provision API:
curl -X POST https://<onboarding-host>/api/provisioning \
-H "Authorization: Bearer $APP_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"device_id": "MFG-SN-2026-00042",
"enrollment_group_id": "<enrollment-group-uuid>"
}'
The enrollment group defines the tenant, attestation type (birth certificate), and provider configuration. The call is idempotent — returns 201 Created for new devices or 200 OK if already provisioned.
The app provides WiFi credentials to the device over BLE or SoftAP.
Step 2: EST Enrollment
-
Fetch CA chain —
GET /.well-known/est/cacertsreturns the Glaze CA chain. -
mTLS with birth cert — The device presents its manufacturer birth certificate as the TLS client certificate. EST verifies the chain against the manufacturer Root CA and looks up the device serial in the registry.
-
Generate operational keypair — The device generates a new keypair on-chip for the operational certificate. This is separate from the birth keypair.
-
Submit CSR —
POST /.well-known/est/simpleenrollwith a PKCS#10 CSR signed by the new private key. EST validates the CSR signature and sends it to the Glaze CA for signing. -
Receive operational cert — EST returns the signed operational certificate (PKCS#7), broker URL, and MQTT configuration. The device stores the operational cert alongside its birth cert (retained for factory reset scenarios).
Step 3: Connect to Broker
The device connects to Mosquitto using mTLS with the Glaze-issued operational certificate and the on-chip private key. The broker extracts the device identity from CN and the tenant from OU for ACL enforcement.
Step 4: Certificate Renewal
Renewal can be triggered by:
- Timer — The device tracks certificate expiry and renews proactively
- MQTT command — The platform sends a renewal command via the command topic
- Reboot — The device checks certificate validity on startup
For each renewal, the device generates a fresh keypair on-chip, submits a new CSR via POST /.well-known/est/simplereenroll, and receives a new 90-day certificate.
Lifecycle Operations
The four steps above cover the device-driven happy path. The operations below cover the rest of the lifecycle — admin-driven (revoke, disable, approval gating), device-driven recovery from session loss or shard rotation, and factory-reset recovery when the operational certificate is lost.
Session-loss recovery / shard rotation — POST /reenroll
Used when the device still holds a valid operational certificate but its MQTT session is broken — broker refused CONNECT, MQTT 5 reason 0x82 (session-taken-over) / 0x9C (use-another-server), or the device woke up after a fleet rebalance and its provider shard moved.
Distinct from Step 4 above: Step 4 is "my cert is expiring, give me a new one." /reenroll is "my cert is fine, tell me where to connect."
POST /reenroll
(mTLS with current operational cert)
| Status | Meaning |
|---|---|
200 | Existing routing is healthy — idempotent fast path. Device reconnects with current credentials. |
201 | Routing was refreshed (shard rotation). X.509 credentials are unchanged; rotate via Step 4 if needed. |
202 | Admin approval required — retry after the indicated interval (see below). |
403 | The enrollment group's re-enrollment policy denied the request. |
409 | Re-enroll not supported for the routing target type. |
503 | Provider unavailable — retry with backoff. |
Rate-limited per device.
Admin-gated approval
An enrollment group can be configured to require an admin decision on every re-enrollment. When that gate is active, the device's /reenroll or /.well-known/est/simplereenroll call returns 202 Accepted with a Retry-After header instead of issuing credentials. The device keeps retrying on that cadence until an admin makes a decision:
- Admin reads the parked request:
GET /api/devices/{deviceRecordId}/pending-reenrollment. - Admin approves or rejects:
POST /api/devices/{deviceRecordId}/pending-reenrollment/approve— next device retry mints the cert.POST /api/devices/{deviceRecordId}/pending-reenrollment/reject— next device retry returns403until the parked request expires (group-configured TTL).
Use this for fleets where every re-enrollment must trace back to a human decision.
Factory reset / operational-cert loss
Tier 3 devices retain the birth certificate for the device's lifetime. When the operational cert is lost (factory reset, secure-element wipe, key-store corruption), the device falls back to birth-cert mTLS and re-runs Step 2 (POST /.well-known/est/simpleenroll) with a fresh CSR. No admin action is required unless the enrollment group requires approval, in which case the same 202 Accepted / pending-reenrollment flow applies.
This is the only documented recovery path. If the birth-cert chain itself becomes invalid (manufacturer Root rotated, attestation revoked), the device must be re-introduced via the trust-anchor admin API and is out of scope for the device-firmware contract.
Revoke a device
Two operations, both admin-only (JWT). Run them together for a full revoke:
| Endpoint | Effect |
|---|---|
DELETE /api/devices/{deviceId} | Soft-deletes the onboarding device record. Subsequent simpleenroll / simplereenroll / reenroll calls fail. |
POST /api/devices/{deviceId}/delete-provider-client | Tells the provider to evict the MQTT user + ACL rules. Returns 202 Accepted once queued. The broker rejects subsequent mTLS sessions. |
Order matters only for which call returns last; both are idempotent. The birth certificate is not revoked by these endpoints — revoking the birth cert is a manufacturer-PKI concern, not a platform one.
Disable / re-enable
Soft-delete is the disable mechanism. Restore brings the device back:
| Endpoint | Effect |
|---|---|
DELETE /api/devices/{deviceId} | Soft-delete (same as revoke). Device cannot enrol, renew, or re-enrol. |
POST /api/devices/{deviceId}/restore | Undoes the soft-delete. The current operational cert (if still valid) works again; if expired, the device falls back to birth-cert mTLS + simpleenroll automatically. |
POST /api/devices/bulk-delete / bulk-restore | Batch variants (NDJSON body). |
Security Considerations
- Private keys never leave the device — All keypairs are generated on-chip. Neither the birth key nor the operational key is ever exported. This is the strongest key protection model.
- Two independent PKI chains — The manufacturer PKI proves hardware authenticity; the Glaze PKI authorizes platform access. Compromise of one chain does not compromise the other.
- Birth cert retained — The birth certificate is kept for factory reset scenarios. If the operational certificate is lost or corrupted, the device can re-enroll using its birth certificate.
- EST trusts both CAs — The EST server validates manufacturer certificates for initial enrollment and Glaze certificates for re-enrollment. The Mosquitto broker trusts only Glaze.
- Hardware requirement — Requires a secure element, TPM, or equivalent capable of on-chip key generation and CSR creation. This increases device cost but provides the highest security guarantee.
Next Steps
- Consumer Tier 2 — OTP — Simpler flow without manufacturer PKI
- Consumer Tier 1 — Shared Key — Simplest flow for cost-sensitive devices
- B2B Tier 3 — Birth Certificate — Same attestation tier without a customer app
- Certificate Onboarding Overview — Decision matrix and key concepts
- Shared-Secret Onboarding — Simpler username/password alternative