Python script that follows the Golioth docs flow for creating certs and then installs using smpmgr onto lfs

goliothlabs/lfs-cert-provisioner

lfs-cert-provisioner

This repository contains a Python script to automate provisioning of devices with certificates and keys. It handles generating device keys, CSRs, and certificates using OpenSSL, exporting to DER format, and uploading them to the device via smpmgr.

Features

  • Root CA check and generation

    • If ca.key.pem and ca.crt.pem are not found in the working directory, the script prompts to generate a Root CA.
    • Default Root CA validity is 365 days, but you can specify a different duration.
    • Prints the Root CA expiration date.
  • Device provisioning

    • Generates EC private key (prime256v1).
    • Creates a CSR with subject /O=<PROJECT_SLUG>/CN=<CERT_ID>.
    • Signs with the Root CA to issue a certificate.
    • Exports key and certificate to DER format.
    • Uploads key and certificate to the device with smpmgr.
  • File organization

    • Files are written under ./provisioned/<CERT_ID>/.
    • Filenames include both device ID and expiration date:
      DEVICE123_2026-09-04.key.pem
      DEVICE123_2026-09-04.csr.pem
      DEVICE123_2026-09-04.crt.pem
      DEVICE123_2026-09-04.key.der
      DEVICE123_2026-09-04.crt.der
      
  • Clean exit mode

    • If run with only --project-slug, the script will check/generate the Root CA, then exit cleanly and display example commands for provisioning.

Requirements

  • Python 3.7+
  • OpenSSL (openssl on PATH)
  • smpmgr tool on PATH
  • Working directory must contain ca.key.pem and ca.crt.pem (unless you generate them via the script).

Usage

Initialize Root CA

python3 provision_devices.py --project-slug myproject

If no CA exists, the script will prompt you to generate one.

Provision a Single Device

python3 provision_devices.py --project-slug myproject --cert-id DEVICE123 --serial-port /dev/ttyACM0

Provision Multiple Devices (Batch Mode)

Create a CSV file devices.csv with the following headers:

cert_id,serial_port
DEV001,/dev/ttyACM0
DEV002,/dev/ttyACM1

Then run:

python3 provision_devices.py --project-slug myproject --csv devices.csv

Options

  • --days <N>: Certificate validity in days (default: 365).
  • --mtu <N>: Set MTU for smpmgr (default: 128).
  • --outdir <path>: Base output directory (default: ./provisioned).
  • --dry-run: Print commands without executing them.

Notes

  • Device upload paths are fixed as:
    • /lfs1/credentials/key.der
    • /lfs1/credentials/crt.der
  • Adjust these paths in the script if your firmware expects different locations.
  • The script is idempotent with respect to device keys: if a key already exists, it is not regenerated.
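
The device provisioning steps and the batch CSV format above, as an added example (not the repository's provision_devices.py): it builds the OpenSSL command lines for each device without running them, in the manner of --dry-run. The function names, the allow-list for the project slug and cert ID, the duplicate-row check, and deriving the filename date as issue date plus --days are assumptions of this example.

```python
import csv
import io
import re
from datetime import date, timedelta
from pathlib import PurePosixPath

# Assumed allow-list (not taken from the repository): both values end up in a
# path and in an OpenSSL -subj string, where "/" starts a new RDN.
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def check(name, value):
    if not SAFE.fullmatch(value or ""):
        raise ValueError(f"unsafe {name}: {value!r}")
    return value

def plan_device(project_slug, cert_id, days=365, outdir="provisioned", today=None):
    """Return the OpenSSL argv lists for one device without running them."""
    subj = f"/O={check('project slug', project_slug)}/CN={check('cert id', cert_id)}"
    # Assumption: the date in the filename is the issue date plus --days.
    expires = (today or date.today()) + timedelta(days=days)
    base = PurePosixPath(outdir) / cert_id / f"{cert_id}_{expires.isoformat()}"
    key, csr, crt = (f"{base}.{kind}.pem" for kind in ("key", "csr", "crt"))
    return [
        ["openssl", "ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", key],
        ["openssl", "req", "-new", "-key", key, "-subj", subj, "-out", csr],
        ["openssl", "x509", "-req", "-in", csr, "-CA", "ca.crt.pem", "-CAkey", "ca.key.pem",
         "-CAcreateserial", "-out", crt, "-days", str(days), "-sha256"],
        ["openssl", "ec", "-in", key, "-outform", "DER", "-out", f"{base}.key.der"],
        ["openssl", "x509", "-in", crt, "-outform", "DER", "-out", f"{base}.crt.der"],
    ]

def plan_csv(project_slug, csv_text, **options):
    """Plan every row of a devices.csv; one bad row rejects the whole batch."""
    plans = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cert_id = row.get("cert_id")
        if cert_id in plans:
            # Two rows with one ID would put the same identity on two devices.
            raise ValueError(f"duplicate cert_id: {cert_id!r}")
        plans[cert_id] = plan_device(project_slug, cert_id, **options)
    return plans

if __name__ == "__main__":
    # Constructed sample input matching the README's CSV headers.
    sample = "cert_id,serial_port\nDEV001,/dev/ttyACM0\nDEV002,/dev/ttyACM1\n"
    for cert_id, commands in plan_csv("myproject", sample).items():
        print(cert_id, *(" ".join(cmd) for cmd in commands), sep="\n  ")
```

Rejecting the batch before any key is generated keeps a malformed row from producing a certificate whose subject or output path differs from what the CSV appears to say.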
