ESP32 use encrypted private key for AWS IOT certificate

mitipi
Posts: 3
Joined: Mon Jul 17, 2017 9:43 am

ESP32 use encrypted private key for AWS IOT certificate

Postby mitipi » Mon Jul 17, 2017 10:16 am

Hello,

I'm trying to understand if it's possible to use ESP32 for a secured Just-in-time registration with AWS IOT without adding extra chip such as ATECC508A (see attached).

ATECC508A can generate a random private key, and Microchip (the manufacturer) can use this key to generate provisional AWS device certs signed by its own CA, then ship the chips to us. However, ESP32 already has secure boot & flash encryption; it is said to generate a random private signing key, but this key is not readable from software. So my questions are:
- is it possible to use this generated private signing key (in flash encryption) to generate an AWS certificate (signed by our own CA certs)?
- are there ways to generate a provisional certificate with a hardware-generated private key in ESP32?
- how would you then generate different private keys per device and securely store them?

Many thanks for the help.
Attachments
02_ATECC508A.pdf

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: ESP32 use encrypted private key for AWS IOT certificate

Postby WiFive » Mon Jul 17, 2017 9:43 pm

No, you don't want to read or reuse the flash encryption keys. Once flash encryption and secure boot are on, flash storage will be secure. So in your secure manufacturing environment you want to use the AWS CLI or your own CA cert to generate the keys and cert and flash them to the device in a flash partition with the encryption flag as part of the programming process (before secure boot and encryption are activated).
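The provisioning flow described in this reply, as an added example that is not from the thread or from Espressif: a per-device key and CSR signed by our own CA with openssl, plus an ESP-IDF partition table in which the credential partition carries the `encrypted` flag. Assumes openssl is installed; the CA/device subjects, the `certs` partition and its custom subtype 0x40 are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the forum thread). Runs in a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# One-time step: our own CA. In the real flow this key stays in the secure
# manufacturing environment and is never flashed to any device.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/CN=Example Device CA" -out "$WORK/ca.crt"
}

# Per device: a fresh key, a CSR, and a cert signed by our CA.
# $1 = device serial (assumed naming scheme).
make_device_cert() {
  local serial="$1" dir="$WORK/$1"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
  openssl req -new -key "$dir/device.key" \
    -subj "/CN=device-$serial" -out "$dir/device.csr"
  openssl x509 -req -in "$dir/device.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 3650 -sha256 \
    -out "$dir/device.crt"
  # Sanity check before flashing: the cert must chain to our CA.
  openssl verify -CAfile "$WORK/ca.crt" "$dir/device.crt"
}

# ESP-IDF partition table (CSV). Only the credential partition needs the
# `encrypted` flag; app partitions are always encrypted once the feature is on.
write_partition_csv() {
  cat > "$WORK/partitions.csv" <<'EOF'
# Name,   Type, SubType, Offset,  Size,   Flags
nvs,      data, nvs,     0x9000,  0x6000,
phy_init, data, phy,     0xf000,  0x1000,
factory,  app,  factory, 0x10000, 1M,
certs,    data, 0x40,    ,        0x4000, encrypted
EOF
}

# Guard for the build script: refuse to proceed if the flag was dropped.
certs_partition_encrypted() {
  grep -E '^certs,' "$WORK/partitions.csv" | grep -q 'encrypted'
}
```

The `device.key`/`device.crt` pair is what gets written into the `certs` partition during programming, before flash encryption and secure boot are enabled.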

mitipi
Posts: 3
Joined: Mon Jul 17, 2017 9:43 am

Re: ESP32 use encrypted private key for AWS IOT certificate

Postby mitipi » Tue Jul 18, 2017 10:05 am

Many thanks @WiFive, this helped a lot to clear up my confusion.

So will we send our CA signing certificate to the manufacturer and they can create provisional device certs in their secured environment? In this case, if the CA Signing Certificate is compromised, can anyone then create a new device?

In the Just-in-time Registration on AWS IOT, they said "If you are a manufacturer, you have purchased CA certificates from vendors like Symantec or Verisign or you have your own CA". It is very expensive to buy a CA from vendors; are there drawbacks to using our own CA?
