IoT Device Lifecycle: ESP32 + BLE Provisioning + ThingsBoard Auto-Provisioning

This post outlines the full lifecycle of an IoT device, from factory assembly through end-user operation to ownership transfer. The devices are based on the ESP32, use BLE for Wi-Fi provisioning, and connect to ThingsBoard over TLS with X.509 client certificates. The system relies on ThingsBoard auto-provisioning and ties device identity to the certificate by setting its Common Name (CN) to the device serial number (SN).


Overview

  • Each device is uniquely identified by a Serial Number (SN), embedded in the certificate as Common Name (CN).
  • Devices are provisioned via BLE using a mobile app.
  • Secure connection to ThingsBoard over MQTTS (port 8883) using X.509.
  • Auto-provisioning allows ThingsBoard to register devices dynamically.
  • Device credentials (key/cert/CA) are stored in SPIFFS.
  • Lifecycle supports OTA, reset, and ownership transfer.

Factory Production Stages (Shopfloor Stations)

  Station                  Purpose                       Tasks
  1. Assembly              Hardware integration          Mount ESP32, sensors, power, antenna
  2. Flashing              Install base firmware         Bootloader + BLE provisioning + MQTTS
  3. Identity Injection    Unique identity assignment    Generate SN → CN, create key & cert, flash to SPIFFS
  4. Factory Test          Validate hardware             Connect test Wi-Fi, verify BLE + telemetry
  5. Label & Packaging     Final prep                    Print SN/QR, pack for shipment

Note: Devices are not pre-registered in ThingsBoard; auto-provisioning is triggered by the device's first TLS connection, which presents the client certificate.


Certificate Generation (Example)

# Identity injection for one device: SN = SN-000001, and the CN must equal the SN
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out SN-000001.key
openssl req -new -key SN-000001.key -subj "/CN=SN-000001" -out SN-000001.csr
# Sign with the factory intermediate CA; 1095 days is the validity the device later monitors
openssl x509 -req -in SN-000001.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out SN-000001.crt -days 1095 -sha256

Flash to SPIFFS (the per-SN files are stored under fixed names the firmware expects):

  • device.key (the SN-000001.key generated above; never leaves the device)
  • device.crt (the SN-000001.crt generated above, CN = SN)
  • root_ca.crt (trust anchor the device uses to verify the ThingsBoard server certificate)
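The Identity Injection and Factory Test stations as an added shell example (not code from the original post): it issues the per-device key and certificate with CN = SN as above, then applies the checks a test station should pass before the label is printed, that the chain verifies to the root, that the CN equals the SN to be printed, and that the certificate is not near expiry. It assumes openssl on the PATH and builds a throwaway root and intermediate CA so it runs offline; the real inter.key never leaves the factory signing service.

```shell
#!/bin/sh
# Added example: identity injection + factory-test gate for one device.
# Assumes openssl on PATH. make_demo_ca builds a throwaway root and
# intermediate (constructed for this demo) so the script runs offline.
set -eu
cd "$(mktemp -d)"

# Constructed demo PKI: self-signed root, intermediate signed by it.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -keyout root_ca.key -out root_ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
  openssl x509 -req -in inter.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.ext -out inter.crt 2>/dev/null
}

# Station 3: per-device key, CSR and leaf cert with CN = SN, signed by inter.key.
inject_identity() {
  sn="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$sn.key" 2>/dev/null
  openssl req -new -key "$sn.key" -subj "/CN=$sn" -out "$sn.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >leaf.ext
  openssl x509 -req -in "$sn.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 1095 -sha256 -extfile leaf.ext -out "$sn.crt" 2>/dev/null
  cp "$sn.key" device.key; cp "$sn.crt" device.crt   # names flashed to SPIFFS
}

# The CN the broker will see; ThingsBoard uses it as the device name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Station 4 gate: chain verifies to root, CN equals the SN to be printed,
# cert still valid in 30 days. Returns 0 on pass, 1 on fail.
factory_check() {
  sn="$1"
  openssl verify -CAfile root_ca.crt -untrusted inter.crt "$sn.crt" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$sn.crt")" = "$sn" ] || return 1
  openssl x509 -in "$sn.crt" -noout -checkend 2592000 >/dev/null || return 1
}

make_demo_ca
inject_identity SN-000001
factory_check SN-000001 || { echo "SN-000001: FAIL"; exit 1; }
echo "SN-000001: PASS (CN = $(cert_cn device.crt))"
```

A certificate whose CN does not match the SN on the label fails the gate, which is the mismatch that would otherwise surface only as a wrong device name in ThingsBoard.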

BLE-Based Customer Provisioning

  1. Power on device → BLE beacon (e.g., ESP-PROV-XXXX)
  2. Mobile app connects and sends Wi-Fi credentials
  3. Device joins Wi-Fi and connects to MQTT broker via TLS
  4. Presents device.crt (CN = SN) as its client certificate during the TLS handshake
  5. ThingsBoard auto-provisions the device if the CN is not yet known
  6. Device begins streaming telemetry

No QR codes, tokens, or pre-registration: true zero-touch onboarding.


Operation Phase

  • Periodic telemetry (e.g., 1 message/sec)
  • Listens for RPC and config updates
  • Supports OTA firmware or cert updates
  • Monitors connectivity and certificate validity (e.g., 1095 days)

Ownership Reset & Reuse

Case A: Same User Provisions Again

  • Perform factory reset (clears Wi-Fi and runtime state)
  • Reuse same cert (CN = SN)
  • Device connects to same ThingsBoard record
  • Telemetry/history is preserved

Case B: Different User Provisions

  • Perform factory reset
  • Mobile app detects user ID ≠ current owner
  • Backend must either:
      • Reassign the device to the new user/tenant, or
      • Delete the device so it is auto-reprovisioned on its next connection
  • Optional cleanup: clear telemetry, attributes, alarms

The SN should not change; it is printed on the label. Ownership logic is handled in the cloud, not on the device.
