This post outlines the full lifecycle of an IoT device, from factory assembly through end-user operation to ownership transfer. The devices are based on the ESP32, use BLE for Wi-Fi provisioning, and connect securely to ThingsBoard via X.509 client certificates. Our system supports auto-provisioning and manages device identity through CN = SN (the certificate's Common Name is the device serial number).

Overview
- Each device is uniquely identified by a Serial Number (SN), embedded in the certificate as Common Name (CN).
- Devices are provisioned via BLE using a mobile app.
- Secure connection to ThingsBoard over MQTTS (port 8883) using X.509.
- Auto-provisioning allows ThingsBoard to register devices dynamically.
- Device credentials (key/cert/CA) are stored in SPIFFS.
- Lifecycle supports OTA, reset, and ownership transfer.
Factory Production Stages (Shopfloor Stations)
| Station | Purpose | Tasks |
|---|---|---|
| 1. Assembly | Hardware integration | Mount ESP32, sensors, power, antenna |
| 2. Flashing | Install base firmware | Bootloader + BLE provisioning + MQTTS |
| 3. Identity Injection | Unique identity assignment | Generate SN → CN, create key & cert, flash to SPIFFS |
| 4. Factory Test | Validate hardware | Connect test Wi-Fi, verify BLE + telemetry |
| 5. Label & Packaging | Final prep | Print SN/QR, pack for shipment |
Note: Devices are not pre-registered in ThingsBoard; auto-provisioning is triggered by the device's first TLS connection.
Certificate Generation (Example)
```bash
# SN = SN-000001 (one key pair and one certificate per device; the CN is the SN)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out SN-000001.key
openssl req -new -key SN-000001.key -subj "/CN=SN-000001" -out SN-000001.csr
# Signed by the factory intermediate CA, valid for 1095 days (3 years)
openssl x509 -req -in SN-000001.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out SN-000001.crt -days 1095 -sha256
```
Flash to SPIFFS:
- `device.key` (the device's private key)
- `device.crt` (the device's certificate, CN = SN)
- `server_chain.pem` (root + intermediate)
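The Identity Injection station (station 3 above) as a script, added here as an example; it is not the post's own tooling. It drives the same openssl commands the post shows from Python via `subprocess`, and adds the checks a station should run before anything is flashed: the certificate chains to our CA, its CN equals the SN that goes on the label, and key and certificate belong together. The post assumes an existing intermediate CA (`inter.crt` / `inter.key`); to run stand-alone, this script builds a throwaway root and intermediate in a temporary directory. All file names, the `Example ...` CA names and the function names are constructed.

```python
# Added example, not the post's own tooling: the Identity Injection station as a
# Python script driving the same openssl commands the post shows. The post assumes
# an existing intermediate CA (inter.crt / inter.key); to run stand-alone this
# script builds a throwaway root + intermediate in a temporary directory.
# File names and the "Example ..." CA names are constructed.
import subprocess
import tempfile
from pathlib import Path

# Minimal OpenSSL config so results do not depend on the host's openssl.cnf.
CA_CNF = """[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""
# Intermediate: a CA that may only sign leaves. Leaf: never a CA, client auth only.
INTER_EXT = "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n"
LEAF_EXT = ("basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n"
            "extendedKeyUsage=clientAuth\n")


def openssl(*args: str, cwd: Path) -> str:
    """Run one openssl command inside `cwd`; raise on failure, return its stdout."""
    res = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True, check=True)
    return res.stdout


def make_test_ca(work: Path) -> None:
    """Constructed stand-in for the factory PKI. In production the intermediate key
    lives in an HSM or offline signer; only inter.crt travels to the station."""
    (work / "ca.cnf").write_text(CA_CNF)
    (work / "inter_ext.cnf").write_text(INTER_EXT)
    (work / "leaf_ext.cnf").write_text(LEAF_EXT)
    openssl("req", "-x509", "-config", "ca.cnf", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-days", "3650", "-subj", "/CN=Example Root CA",
            "-keyout", "root.key", "-out", "root.crt", cwd=work)
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
            "-out", "inter.key", cwd=work)
    openssl("req", "-new", "-config", "ca.cnf", "-key", "inter.key",
            "-subj", "/CN=Example Intermediate CA", "-out", "inter.csr", cwd=work)
    openssl("x509", "-req", "-in", "inter.csr", "-CA", "root.crt", "-CAkey", "root.key",
            "-CAcreateserial", "-extfile", "inter_ext.cnf", "-days", "1825", "-sha256",
            "-out", "inter.crt", cwd=work)
    # server_chain.pem as flashed to SPIFFS: root + intermediate
    (work / "server_chain.pem").write_text(
        (work / "root.crt").read_text() + (work / "inter.crt").read_text())


def issue_device_cert(work: Path, sn: str) -> None:
    """Station step: one key pair and certificate per serial, CN = SN, 1095 days."""
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
            "-out", f"{sn}.key", cwd=work)
    openssl("req", "-new", "-config", "ca.cnf", "-key", f"{sn}.key",
            "-subj", f"/CN={sn}", "-out", f"{sn}.csr", cwd=work)
    openssl("x509", "-req", "-in", f"{sn}.csr", "-CA", "inter.crt", "-CAkey", "inter.key",
            "-CAcreateserial", "-extfile", "leaf_ext.cnf", "-days", "1095", "-sha256",
            "-out", f"{sn}.crt", cwd=work)


def verify_device_cert(work: Path, sn: str) -> bool:
    """Checks before flashing: the cert chains to our CA, the CN equals the SN that
    goes on the label, and key and cert belong together."""
    try:
        openssl("verify", "-CAfile", "server_chain.pem", f"{sn}.crt", cwd=work)
    except subprocess.CalledProcessError:
        return False
    subject = openssl("x509", "-in", f"{sn}.crt", "-noout", "-subject",
                      "-nameopt", "RFC2253", cwd=work).strip()
    if subject != f"subject=CN={sn}":
        return False
    pub_from_key = openssl("pkey", "-in", f"{sn}.key", "-pubout", cwd=work)
    pub_from_crt = openssl("x509", "-in", f"{sn}.crt", "-noout", "-pubkey", cwd=work)
    return pub_from_key == pub_from_crt


def station_demo() -> dict:
    """Stand-alone run: build the test CA, issue one device, then run the station
    checks on it and on a deliberately mislabeled copy (cert filed under the wrong SN)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        make_test_ca(work)
        issue_device_cert(work, "SN-000001")
        # Simulated label/cert mix-up: SN-000001's files filed as SN-000002.
        for ext in ("crt", "key"):
            (work / f"SN-000002.{ext}").write_bytes((work / f"SN-000001.{ext}").read_bytes())
        return {sn: verify_device_cert(work, sn) for sn in ("SN-000001", "SN-000002")}


if __name__ == "__main__":
    for sn, ok in station_demo().items():
        print(sn, "PASS" if ok else "FAIL")
```

The CN check is the important one for this design: because the cloud treats CN as the device identity, a certificate filed under the wrong serial would silently register the device as a different unit, so the station refuses to flash unless the CN, the label SN and the key pair all agree.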
BLE-Based Customer Provisioning
- Power on device → BLE beacon (e.g., `ESP-PROV-XXXX`)
- Mobile app connects and sends Wi-Fi credentials
- Device joins Wi-Fi and connects to the MQTT broker via TLS
- Sends `device.crt` (CN = SN)
- ThingsBoard auto-provisions the device if the CN is new
- Device begins streaming telemetry
No QR codes, tokens, or pre-registration: true zero-touch onboarding.
Operation Phase
- Periodic telemetry (e.g., 1 message/sec)
- Listens for RPC and config updates
- Supports OTA firmware or cert updates
- Monitors connectivity and certificate validity (e.g., 1095 days)
Ownership Reset & Reuse
Case A: Same User Provisions Again
- Perform factory reset (clears Wi-Fi and runtime state)
- Reuse same cert (CN = SN)
- Device connects to same ThingsBoard record
- Telemetry/history is preserved
Case B: Different User Provisions
- Perform factory reset
- Mobile app detects user ID ≠ current owner
- Backend must either:
  - Reassign the device to the new user/tenant, or
  - Delete the device so that it auto-reprovisions on its next connection
- Optional cleanup: clear telemetry, attributes, alarms
The SN should not change, since it is printed on the label. Ownership logic is handled in the cloud, not on the device.
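An in-memory model of the cloud-side decisions from the provisioning and ownership sections above, added here as an example; it is not ThingsBoard code or the post's own. It covers auto-provisioning on the first TLS connection (a new CN creates a record), Case A (same user, history preserved) and Case B (different user: reassign, or delete so the next connection reprovisions). It also adds one check the post does not state: the leaf certificate fingerprint is pinned when a CN is first seen, so a second certificate carrying an already-known CN is refused unless an explicit cert update announced it. `Cloud`, `PresentedIdentity`, `DeviceRecord`, `claim`, `rotate_cert` and the policy strings are hypothetical names; `PresentedIdentity` stands in for what a real broker extracts from the verified client certificate.

```python
# Added example, not ThingsBoard's or the post's own code: an in-memory model of
# the cloud-side decisions the post describes (auto-provisioning with CN = SN and
# the two ownership cases after a factory reset). All names are hypothetical.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Serial-number format as printed on the label in the post, e.g. SN-000001.
SN_PATTERN = re.compile(r"^SN-\d{6}$")


@dataclass(frozen=True)
class PresentedIdentity:
    """What the MQTT broker learns from the client cert after the TLS handshake."""
    cn: str
    chain_verified: bool  # leaf chained to our root/intermediate during the handshake
    fingerprint: str      # hash of the leaf certificate (constructed values in the demo)


@dataclass
class DeviceRecord:
    sn: str
    fingerprint: str                  # pinned on first sight
    owner: Optional[str] = None       # user/tenant that claimed the device via the app
    telemetry: list = field(default_factory=list)
    alarms: list = field(default_factory=list)


class AuthError(Exception):
    """Connection refused before any device record is created or touched."""


class Cloud:
    def __init__(self) -> None:
        self.devices: dict = {}

    def on_tls_connect(self, ident: PresentedIdentity) -> DeviceRecord:
        # The CN is only meaningful if the certificate chained to our CA.
        if not ident.chain_verified:
            raise AuthError("client certificate did not chain to the device CA")
        # Refuse CNs that are not serial numbers so auto-provisioning cannot
        # create junk records.
        if not SN_PATTERN.match(ident.cn):
            raise AuthError(f"CN {ident.cn!r} is not a device serial number")
        rec = self.devices.get(ident.cn)
        if rec is None:
            # Auto-provisioning: the first connection with a new CN creates the record.
            rec = DeviceRecord(sn=ident.cn, fingerprint=ident.fingerprint)
            self.devices[ident.cn] = rec
        elif rec.fingerprint != ident.fingerprint:
            # Added check beyond the post: a second certificate carrying a known CN
            # is refused unless it was announced via rotate_cert, so a duplicated
            # SN or a re-issued cert cannot silently take over an existing record.
            raise AuthError(f"certificate for {ident.cn} does not match the pinned one")
        return rec

    def rotate_cert(self, sn: str, new_fingerprint: str) -> None:
        """OTA cert update: the device announces its new cert over the existing session."""
        self.devices[sn].fingerprint = new_fingerprint

    def ingest(self, sn: str, reading: str) -> None:
        self.devices[sn].telemetry.append(reading)

    def claim(self, sn: str, user: str, policy: str = "reassign",
              clear_history: bool = True) -> str:
        """Called by the mobile app after BLE provisioning. Returns what happened."""
        rec = self.devices.get(sn)
        if rec is None:
            raise KeyError(f"{sn} has never connected, nothing to claim yet")
        if rec.owner is None or rec.owner == user:
            rec.owner = user          # Case A: same user, record and history preserved
            return "kept"
        # Case B: user ID != current owner, the backend must act.
        if policy == "reassign":
            rec.owner = user
            if clear_history:         # optional cleanup: telemetry, attributes, alarms
                rec.telemetry.clear()
                rec.alarms.clear()
            return "reassigned"
        if policy == "delete":
            del self.devices[sn]      # next TLS connect auto-reprovisions a fresh record
            return "deleted"
        raise ValueError(f"unknown ownership policy {policy!r}")


def connect_allowed(cloud: Cloud, ident: PresentedIdentity) -> bool:
    """True if the broker would accept this connection, False if it is refused."""
    try:
        cloud.on_tls_connect(ident)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    cloud = Cloud()
    dev = PresentedIdentity("SN-000001", True, "fp-aa11")   # constructed fingerprint
    cloud.on_tls_connect(dev)
    print(cloud.claim("SN-000001", "alice"))                # kept
    print(cloud.claim("SN-000001", "bob"))                  # reassigned
    print(cloud.claim("SN-000001", "carol", policy="delete"))  # deleted
```

Note that the SN never changes in this model: the record is keyed by CN, and both ownership outcomes are cloud-side operations on that record, which is exactly why the device itself needs no ownership state beyond its factory certificate.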