Generate the device's private key inside the HSM at manufacture time so it never leaves the secure element; request a Certificate Signing Request (CSR) from the HSM.
Submit the CSR to your PKI (internal CA or AWS IoT's CreateCertificateFromCsr API) to obtain a signed X.509 certificate, then store the certificate (not the key) in the device's file system.
Configure the TLS client (e.g., mbedTLS, OpenSSL via PKCS#11 engine) to use the PKCS#11 interface for the private key operation so TLS handshakes use the HSM without exposing the key.
Register the device certificate and optionally its CA with AWS IoT Core or Azure IoT Hub; attach a least-privilege policy scoped to that device's identity (its thing name in AWS IoT Core).
At runtime, the mutual TLS handshake proves device identity without the private key ever leaving the HSM; the cloud validates the certificate chain against the registered CA.
Implement certificate rotation: generate a new key pair and CSR in the HSM, get a new certificate from the CA, register it, then deactivate the old certificate only after confirming the new one works.
Known gotchas
PKCS#11 slot and PIN configuration must be handled at build time or via a secrets manager; never embed the HSM PIN in plain text in firmware or config files.
Some HSMs enforce a limit on the number of stored key objects, and every rotation above creates a new key pair; plan the key lifecycle and deletion procedures so old keys are removed before the limit is hit.
Certificate chain validation requires the full intermediate CA chain to be available to the cloud endpoint; omitting intermediates causes TLS handshake failures even with a valid leaf certificate.
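The enrollment steps above and the intermediate-chain gotcha, as an added Go example that is not part of the original page: a software stand-in (hsmKey) plays the PKCS#11 key handle and exposes only the crypto.Signer surface, exactly what CSR creation and certificate issuance need, so the private key is never handed out; the CA names and the device name are constructed.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// hsmKey stands in for a PKCS#11 key handle (constructed): callers get only Public() and Sign(), never the scalar.
type hsmKey struct{ priv *ecdsa.PrivateKey }
func newHSMKey() hsmKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return hsmKey{k} }
func (h hsmKey) Public() crypto.PublicKey { return &h.priv.PublicKey }
func (h hsmKey) Sign(r io.Reader, d []byte, o crypto.SignerOpts) ([]byte, error) { return h.priv.Sign(r, d, o) }

// issue signs a minimal template for cn with the parent's key; a nil parent yields a self-signed root.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, pub crypto.PublicKey, k crypto.Signer) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: ca}
	if parent == nil { parent = t }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, k) // also rejects a signer that does not match parent
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// Enroll runs steps 1-2: the device's HSM-held key signs a CSR, the CA checks proof of possession and issues the leaf under an intermediate.
func Enroll() (leaf, inter, root *x509.Certificate) {
	rootKey, interKey, devKey := newHSMKey(), newHSMKey(), newHSMKey()
	root = issue("Root CA", 1, true, nil, rootKey.Public(), rootKey)
	inter = issue("Intermediate CA", 2, true, root, interKey.Public(), rootKey)
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "device-0001"}}
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, req, devKey) // only devKey.Sign() is invoked
	csr, _ := x509.ParseCertificateRequest(csrDER)
	if err := csr.CheckSignature(); err != nil { panic(err) } // CA side: proof of possession of the HSM key
	leaf = issue(csr.Subject.CommonName, 3, false, inter, csr.PublicKey, interKey)
	return
}

// VerifyChain plays the cloud endpoint: only the registered root is trusted, so the intermediate must travel with the leaf.
func VerifyChain(leaf, root *x509.Certificate, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters { pool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
	return err
}
```

Calling VerifyChain(leaf, root) without the intermediate fails with "certificate signed by unknown authority" even though the leaf is valid; passing inter as well succeeds.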