Secure provisioning for connected devices
Secure provisioning is where an OEM turns a manufactured device into a trusted connected product: hardware-rooted identity, per-device credentials, certificate issuance, onboarding target, key boundary, and the first lifecycle evidence record.
Provisioning may happen in a factory, at first boot, or during first connection, but the OEM still needs one trusted record of how identity, credentials, certificates, and onboarding were created.
Whether provisioning happens in-house, through a contract manufacturer, at first boot, or through a module-led workflow, the OEM still needs a repeatable record of how device trust was created.
Provision devices during factory or programming-line workflows with repeatable jobs, controlled key boundaries, and retained batch records.
Create or activate identity when the device first runs, then bind credentials and policy to the intended product family.
Register the device with AWS, Azure, MQTT, private services, or customer infrastructure using certificate-backed mutual authentication.
A secure provisioning workflow should turn key generation, identity creation, certificate issuance, onboarding, and first connection into a record that later certificate renewal, secure updates, revocation, quarantine, and evidence workflows can use.
| Step | Decision | Evidence to retain | QuarkLink support |
|---|---|---|---|
| 1. Establish the key boundary | Decide whether keys live in device storage, secure element, SRAM PUF, HSM-backed process, or another approved trust boundary. | Key-generation method, trust anchor, target hardware, policy owner. | QuarkLink Device SDK and provisioning workflow connect hardware-rooted identity to the lifecycle record. |
| 2. Issue per-device identity | Generate or register a unique device identity and bind it to the intended product, batch, or device family. | Device identity, certificate request, issued certificate, device group. | QuarkLink Cloud records identity, certificate issuance, and intended onboarding target. |
| 3. Automate provisioning | Run the workflow in manufacturing, first boot, CI automation, or a controlled first-connection process. | Batch record, operator or job ID, timestamp, result, retry or failure state. | CLI / API automation reduces manual handling of secrets and creates repeatable records. |
| 4. Onboard to services | Connect devices to AWS IoT Core, Azure IoT Hub, MQTT broker, private services, or customer infrastructure using mutual authentication. | Onboarding target, certificate chain, broker or cloud registration, first connection. | QuarkLink links provisioning to cloud or broker onboarding and later lifecycle state. |
| 5. Start lifecycle evidence | Treat provisioning as the first device-trust lifecycle record, not a one-time setup task. | Identity, certificate, policy, onboarding target, and lifecycle state history. | QuarkLink keeps provisioning connected to renewal, secure update workflows, revocation, quarantine, and decommissioning. |
See how QuarkLink connects key generation, device identity, certificate issuance, onboarding target, first connection, and lifecycle state in the first device-trust record.
Provisioning job record
Key generated: Device-generated key created
Identity created: Bound to product family and batch
Certificate issued: Certificate linked to onboarding target
Target registered: Certificate-backed authentication
First connection received: Device authenticated
Lifecycle record started: State set to active
Representative QuarkLink app screen. Example data shown.
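The following is an added example, not QuarkLink code or its record schema: a batch audit that checks provisioning job records for the evidence fields listed in the table, per-device uniqueness of identity, certificate and key, and the stage order shown in the job record. All field names, stage identifiers and sample values are assumptions constructed for illustration.

```python
from collections import Counter

# Stage order follows the page's provisioning job record; identifiers are hypothetical.
STAGES = ["key_generated", "identity_created", "certificate_issued",
          "target_registered", "first_connection", "lifecycle_started"]
# Hypothetical field names for the table's "Evidence to retain" column.
REQUIRED = ["device_id", "product_family", "batch", "job_id", "key_boundary",
            "cert_fingerprint", "pubkey_fingerprint", "onboarding_target", "result"]
UNIQUE = ["device_id", "cert_fingerprint", "pubkey_fingerprint"]  # per-device values

def audit_batch(records):
    """Return sorted (device_id, finding) pairs for a list of job-record dicts."""
    findings = []
    for field in UNIQUE:
        counts = Counter(r[field] for r in records if r.get(field))
        findings += [(r.get("device_id"), f"duplicate {field}")
                     for r in records if counts.get(r.get(field), 0) > 1]
    for r in records:
        dev = r.get("device_id")
        findings += [(dev, f"missing {f}") for f in REQUIRED if not r.get(f)]
        events = r.get("events", [])          # [(stage, UTC ISO-8601 timestamp)]
        stages = [stage for stage, _ in events]
        stamps = [ts for _, ts in events]
        # A successful job must show every stage once, in order; a failed job
        # may stop early but its record is still retained and audited.
        if r.get("result") == "success" and stages != STAGES:
            findings.append((dev, "stages incomplete or out of order"))
        if stamps != sorted(stamps):
            findings.append((dev, "timestamps not monotonic"))
    return sorted(findings, key=lambda f: (str(f[0]), f[1]))

def make_record(dev, cert, key, stages=STAGES, **overrides):
    """Build one constructed sample record (all values are made up)."""
    rec = {"device_id": dev, "product_family": "sensor-a", "batch": "B-0001",
           "job_id": "job-17", "key_boundary": "secure-element",
           "cert_fingerprint": cert, "pubkey_fingerprint": key,
           "onboarding_target": "mqtt-broker", "result": "success",
           "events": [(s, f"2024-01-01T00:00:{i:02d}Z") for i, s in enumerate(stages)]}
    rec.update(overrides)
    return rec

SAMPLE = [  # constructed batch, not real data
    make_record("dev-001", "cert-aa", "key-aa"),
    make_record("dev-002", "cert-bb", "key-aa"),                     # key reused
    make_record("dev-003", "cert-cc", "key-cc", stages=STAGES[:4]),  # stopped early
    make_record("dev-004", "cert-dd", "key-dd", onboarding_target=""),
    make_record("dev-005", "cert-ee", "key-ee", stages=STAGES[:3], result="failure"),
]

if __name__ == "__main__":
    for device, finding in audit_batch(SAMPLE):
        print(device, finding)
```

The failed job (dev-005) produces no finding because its record is complete for the stages it reached; the reused key, the job marked successful without a first connection, and the missing onboarding target are each reported.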
Handles device-side trust, hardware-root integration, key generation, secure provisioning, and communication with QuarkLink.
Records identity, certificate issuance, onboarding target, first connection, policy, lifecycle state, and evidence.
Connects provisioning to manufacturing, CI/CD, batch workflows, customer systems, and deployment processes.
Provisioning starts the device-trust lifecycle. It does not replace secure update workflows, certificate renewal, revocation, vulnerability handling, incident response, SBOM, or full product risk assessment.
Use QuarkLink to connect device-side identity, secure provisioning, cloud onboarding, and lifecycle evidence before scaling the workflow across product families.