Sibros PKI and Certificate Authority

Trusted PKI for Connected Vehicles and Devices

Sibros’ Certificate Authority (CA) delivers secure, scalable, and resilient digital trust for every vehicle, device, and cloud service. Simple to adopt. Built on modern cryptography. Ready for global fleets.

🌍 Regional PKIs: US • EU • APAC
🗝️ Offline Root • KMS‑secured Intermediates
📈 Horizontally Scalable (60k+ KMS ops/min)
🧩 Integrations: IoT, IAM, OTA, Telemetry

Provisioning Flow

Device → Provisioner → Sibros PKI → Certificate Issued

  • ECC Keys: P‑256 / P‑384 / P‑521
  • ECDSA: SHA‑256 / 384 / 512
  • mTLS: Device and Service AuthN/AuthZ

Why PKI Matters for Mobility

Strong Identity

Verify authentic devices and vehicles across fleets and partners.

Secure OTA

Validate software and firmware with signature‑backed trust.

Protected Telemetry

End‑to‑end encryption for vehicle ↔ cloud communications.

Compliance Ready

Aligned with ISO 21434 and UNECE WP.29 expectations.

Sibros CA Architecture at a Glance

Global and Segregated

Three independent PKIs in the US, EU, and APAC. Isolated cloud accounts with whitelisted network access. Mutual TLS over HTTPS only.

Keys You Can Trust

Offline Root CA. Intermediates protected by Cloud KMS. Signing runs in an isolated enclave accessible only to provisioners.

Secure Issuance

Provisioner (Pandora) authenticates via mTLS. PKI issues a single‑use token per unique CN, signs the CSR, and returns the full chain.

Operational Guardrails

Validity never exceeds its issuing intermediate. Revocation and rotation supported at any time if compromise is suspected.

PKI in the Data Plane: MQTT(s) and HTTPS

Sibros provides and manages a certificate management system that issues certificates, usage policies, and configurations for use with an MQTT broker. Devices use MQTT(s) with mutual TLS to publish/subscribe securely. HTTPS is used for downloading binaries (firmware images), ensuring integrity and confidentiality end‑to‑end.

MQTT(s) Trust

  • Per‑device client certificates for broker authN/authZ
  • Policy‑based topic access and session handling
  • Operational logging for certificate use and anomalies

Firmware over HTTPS

  • TLS 1.2/1.3 for binary downloads
  • Digest checks + signature verification at the vehicle
  • Separation of telemetry (MQTT) and content delivery (HTTPS)

Optional In‑Vehicle PKI

For securing in‑vehicle communications between Sibros components, Sibros can optionally provide certificates and manage associated keys in partnership with customer‑provided hardware and software capabilities. This is particularly useful when a vehicle hosts multiple high‑performance compute units with networks of varying trust. This configuration is available on request.

Key Custody

Keys stored and used with customer HSM/TEE where available; Sibros integrates with your in‑vehicle security architecture.

Component mTLS

Certificates enable authenticated, encrypted comms among Sibros components over potentially insecure in‑vehicle networks.

Policy Control

Usage policies and certificate lifecycles aligned to your partitioning, domains, and safety/security goals.

OTA Key Management (SOTA/FOTA)

Keys for Software‑Over‑The‑Air (SOTA) and Firmware‑Over‑The‑Air (FOTA) are handled securely across the vehicle, cloud, and CI/EOL systems as applicable. Multiple private–public key pairs are used: vehicles verify manifest authenticity and integrity and validate the authenticity and validity of update instructions. Ownership aligns with your program’s Uptane key‑ownership model.

Key Set (example)              | Held By                   | Purpose
-------------------------------|---------------------------|------------------------------------------------------------
Transport (MQTT client cert)   | Device/Vehicle            | mTLS to broker, authenticated telemetry and commands
Firmware/Image Signature       | CI/Release (OEM/Supplier) | Sign binaries; vehicle verifies before apply
Manifest/Instruction Signature | Cloud/Release Service     | Sign manifests; vehicle validates authenticity and validity
In‑Vehicle Component mTLS      | Vehicle (with HSM/TEE)    | Secure component‑to‑component communication

Details of keys and certificates can vary by program; an example configuration is available as a slide deck on request.
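As an added example (not Sibros' code or manifest format), the vehicle-side verification the two sections above describe, using two separate key pairs as the key table does: a CI key over the firmware image and a cloud key over the manifest that names it. The manifest fields, key sizes and error strings are assumptions; the image bytes and keys are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Manifest is a constructed stand-in for an OTA update instruction; the field names are assumptions, not Sibros' format.
type Manifest struct {
	SHA256   string    `json:"sha256"`    // hex SHA-256 of the firmware image this instruction installs
	NotAfter time.Time `json:"not_after"` // the instruction is valid only until this time
}
// Release plays the CI and cloud sides as a fixture: a CI key signs the image and a separate cloud key signs the
// manifest. Key generation, marshalling and signing cannot fail on these fixed inputs, so their errors are dropped.
func Release(image []byte, notAfter time.Time) (manifest, manifestSig, imageSig []byte, cloudPub, ciPub *ecdsa.PublicKey) {
	ciKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cloudKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sum := sha256.Sum256(image)
	manifest, _ = json.Marshal(Manifest{SHA256: hex.EncodeToString(sum[:]), NotAfter: notAfter})
	mh := sha256.Sum256(manifest)
	manifestSig, _ = ecdsa.SignASN1(rand.Reader, cloudKey, mh[:])
	imageSig, _ = ecdsa.SignASN1(rand.Reader, ciKey, sum[:])
	return manifest, manifestSig, imageSig, &cloudKey.PublicKey, &ciKey.PublicKey
}
// VerifyUpdate is the vehicle side: the manifest must be authentic (cloud key) and unexpired, and the image must match
// its digest and carry a valid CI signature. The manifest is decoded only after its signature verifies, so
// unauthenticated bytes never reach the JSON parser.
func VerifyUpdate(manifest, manifestSig, image, imageSig []byte, cloudPub, ciPub *ecdsa.PublicKey, now time.Time) error {
	mh := sha256.Sum256(manifest)
	if !ecdsa.VerifyASN1(cloudPub, mh[:], manifestSig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return err
	}
	sum := sha256.Sum256(image)
	switch {
	case now.After(m.NotAfter):
		return errors.New("update instruction expired")
	case hex.EncodeToString(sum[:]) != m.SHA256:
		return errors.New("image digest does not match manifest")
	case !ecdsa.VerifyASN1(ciPub, sum[:], imageSig):
		return errors.New("image signature invalid")
	}
	return nil
}
```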

Built on Industry Standards

Cryptography

  • ECC Curves: secp256r1 (recommended), secp384r1, secp521r1
  • ECDSA Signatures: SHA‑256 / SHA‑384 / SHA‑512

Identity Model

  • Subject CN: UUIDv4
  • OU: Company ID (tenant identifier)
  • SAN: Optional

Technical specs and sample certificates

PEM‑Encoded Certificate (example)

-----BEGIN CERTIFICATE-----
MIIE6TCCBG+gAwIBAgIQP72wyS4BNLOqjHy4E8Ym7zAKBggqhkjOPQQDAzCBnzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEhMB8G
A1UEChMYU2licm9zIFRlY2hub2xvZ2llcyBJbmMuMREwDwYDVQQLEwhTZWN1cml0
...
ElN/8s2mbz1ZT8+XYg==
-----END CERTIFICATE-----

Decoded Example (illustrative)

Signature Algorithm: ecdsa-with-SHA384
Issuer: Sibros Technologies Inc. Intermediate Device CA 1
Validity: 2024-04-25 to 2043-01-18
Subject: ... CN=da8f1cc7-8833-46f9-9750-9c1e62856bd4
Key Usage: Digital Signature; EKU: Client Auth
OCSP: http://ocsp.dev-sibros.tech
CRL : http://pki.security.dev-sibros.tech/crls/issuingcacomponent.crl
(Dev endpoints shown for example only.)
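As an added example (not Sibros' code), the identity model, the guardrail that validity never exceeds the issuing intermediate, and the KU/EKU shown in the decoded example, expressed as a Go lint over a constructed intermediate and device certificate. The tenant OU value, the error strings and the check order are assumptions; the certificates it mints are fixtures, not Sibros certificates.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"regexp"
	"time"
)

var uuidV4 = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`) // CN format: UUIDv4 (version nibble 4, variant 8-b)
var allowedCurve = map[string]bool{"P-256": true, "P-384": true, "P-521": true}                                 // secp256r1 / secp384r1 / secp521r1
// CheckDeviceCert lints a device cert against the page's policy (curve, CN/OU, validity bound, KU/EKU) and its chain link.
func CheckDeviceCert(leaf, issuer *x509.Certificate) error {
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !allowedCurve[pub.Params().Name] {
		return errors.New("key is not ECDSA on secp256r1/secp384r1/secp521r1")
	}
	if !uuidV4.MatchString(leaf.Subject.CommonName) || len(leaf.Subject.OrganizationalUnit) == 0 {
		return errors.New("subject must carry CN=<UUIDv4> and OU=<tenant id>")
	}
	if leaf.NotAfter.After(issuer.NotAfter) {
		return errors.New("validity exceeds issuing intermediate")
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 || len(leaf.ExtKeyUsage) != 1 || leaf.ExtKeyUsage[0] != x509.ExtKeyUsageClientAuth {
		return errors.New("KU must include digitalSignature and EKU must be exactly clientAuth")
	}
	return leaf.CheckSignatureFrom(issuer) // chain link: the issuer's key produced this signature
}
// Issue mints a throwaway P-384 intermediate (5 years) and a P-256 device cert; a constructed fixture, not Sibros' service.
func Issue(cn, ou string, leafNotAfter time.Time) (leaf, issuer *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	mint := func(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, caKey)
		if err != nil {
			panic(err) // fixture inputs are fixed, so this cannot happen in practice
		}
		c, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
		return c
	}
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Intermediate Device CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	issuer = mint(caTpl, caTpl, &caKey.PublicKey)
	leaf = mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore: time.Now(), NotAfter: leafNotAfter, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, issuer, &devKey.PublicKey)
	return leaf, issuer
}
```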

Key Integrations

CA and Validation

Root/Intermediate CA, CRL, OCSP with real‑time status checks.

Device and Vehicle Platforms

AWS IoT Core, EMQX, and telematics ecosystems.

Identity and Access

OAuth 2.0 / OIDC, JWTs, SOVD for secure authZ/authN.

Key Management

HSM integration; Cloud KMS (AWS, GCP) for key custody.

Data Security

TLS 1.2/1.3, MQTT over TLS, HTTPS, AES / RSA / ECC libraries.

OTA Updates

Signature‑based validation for firmware and software packages.

Monitoring

Operational logging with dashboards (Prometheus/Grafana).

Onboarding

Zero‑touch enrollment for devices and vehicles using PKI.

Why Sibros PKI

End‑to‑End Security

From secure onboarding to encrypted communications and trusted OTA.

Proven at Scale

Horizontally scalable architecture for global fleets.

Automotive‑Grade

Practices aligned with ISO 21434 and UNECE WP.29.

Easy to Adopt

Drop‑in integrations for IoT, IAM, OTA, and telemetry pipelines.

FAQ

How do you protect your Certificate Authority?

Isolated cloud accounts, offline Root CA, KMS‑secured intermediates, strict IAM, and Mutual TLS‑only access to the internal CA service.

How are certificates used with MQTT and HTTPS?

Devices authenticate to MQTT brokers with mTLS using per‑device certs; firmware binaries are delivered over HTTPS with TLS 1.2/1.3 and verified by the vehicle.

Can certificates be revoked or rotated?

Yes. Real‑time status via OCSP and CRLs. Rotation supported through CSR re‑issuance when compromise is suspected.

Do you support in‑vehicle PKI?

Yes, optionally: keys are managed alongside the customer HSM/TEE for secure component‑to‑component comms in multi‑HPC architectures.

Is this audited and scalable for millions of vehicles?

Security audits cover PKI controls. The system scales horizontally and supports 60,000+ KMS crypto ops per minute.

Secure Every Vehicle with Sibros PKI

From identity to OTA, Sibros PKI gives OEMs the foundation for trusted, compliant connected mobility. Let’s tailor it to your program.
