
PKI & CA strategy

Device identity is built on your own private certificate authority. You are not pushed onto an expensive managed cloud PKI service to get a real trust hierarchy — running your own CA is the default, not an upgrade.

Why this matters

Some platforms attach device identity to a managed cloud private-CA service that bills a substantial monthly fee per certificate authority, before a single device connects, plus a charge per certificate. That cost buys you a private CA — but you can have a private CA without the tax. Meshanics runs the CA itself, so a real private trust hierarchy costs you nothing extra and works the same whether you are online or fully air-gapped.

What is true today

  • A built-in certificate authority signs a per-device X.509 certificate for every device. No external paid CA service is required, ever.
  • The device key never leaves the device. It is generated locally; the platform signs the public half only.
  • Identity is in the certificate. A device's name and fleet are encoded in its certificate and read from the verified mutual-TLS handshake — never from a request body.
  • Token-based enrollment onboards a device in one command, with short-lived, revocable tokens.
  • Air-gap from day one. Issuance runs on a single node with no cloud dependency.
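The following Go program is an added illustration of the five points above; it is not Meshanics code and does not use the platform's API. It plays both roles with nothing but the standard library: the platform node creates its own root CA, the device generates its key locally and sends only a certificate request, the CA checks proof of possession and issues a short-lived client certificate whose subject comes from what the enrollment token authorized (modelled here as the `authorizedName`/`authorizedFleet` arguments), and the server side then reads the device name and fleet out of the verified certificate rather than out of any request body. The identity encoding (device name in CN, fleet in OU), the ten-year root lifetime and the sample device `sensor-17` in fleet `plant-a` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceIdentity is what the platform learns from a verified peer certificate (CN = name, OU = fleet; assumed encoding).
type DeviceIdentity struct{ Name, Fleet string }

// NewCA creates the platform's own self-signed root on the local node; no external PKI service is involved.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // example lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DeviceCSR runs on the device: the private key is generated and kept here; only the CSR leaves.
func DeviceCSR(name, fleet string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name, OrganizationalUnit: []string{fleet}}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return csr, key, err
}

// SignDevice runs on the platform. authorizedName/Fleet stand in for what the enrollment token was issued for:
// only the public key is copied from the CSR; the subject is set by the CA, so a device cannot claim an ungranted identity.
func SignDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, authorizedName, authorizedFleet string, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the device key
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: authorizedName, OrganizationalUnit: []string{authorizedFleet}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// IdentityFromPeer is the server side after the mTLS handshake: chain the leaf to the local root,
// check validity at now, and only then read identity from the verified subject. No request body is consulted.
func IdentityFromPeer(ca *x509.Certificate, leafDER []byte, now time.Time) (DeviceIdentity, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return DeviceIdentity{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return DeviceIdentity{}, fmt.Errorf("peer certificate rejected: %w", err)
	}
	if leaf.Subject.CommonName == "" || len(leaf.Subject.OrganizationalUnit) != 1 {
		return DeviceIdentity{}, fmt.Errorf("verified certificate carries no device identity")
	}
	return DeviceIdentity{Name: leaf.Subject.CommonName, Fleet: leaf.Subject.OrganizationalUnit[0]}, nil
}

func main() { // demo run; errors are ignored here but are returned by the functions above
	ca, caKey, _ := NewCA("Example Fleet Root CA")
	csr, _, _ := DeviceCSR("sensor-17", "plant-a") // constructed sample device
	leaf, _ := SignDevice(ca, caKey, csr, "sensor-17", "plant-a", 24*time.Hour)
	fmt.Println(IdentityFromPeer(ca, leaf, time.Now()))
}
```

Two design choices carry the security point. `SignDevice` never trusts the subject the device asked for: it verifies the CSR's self-signature (so the requester holds the private key) and then writes the name and fleet that the enrollment token authorized. `IdentityFromPeer` only reads the subject after `Verify` has chained the certificate to the local root and checked the validity window, which is also what makes short certificate lifetimes and rotation enforceable rather than advisory.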

Options for teams that want them

For organizations with their own requirements, the platform supports — or is extending toward — bringing your own CA (register your own root, with the private key never leaving your control), certificate rotation without downtime, batch provisioning for manufactured fleets, and an optional cloud-IoT bridge for teams already invested in AWS IoT — without the managed private-CA fee. These are opt-in; the zero-setup default above needs none of them.

See it for yourself

The Trust Center shows the certificate authority that signs device identities today — subject, fingerprint, validity and chain — read live from the running system.