
Activating AMT with E2E TLS and RPS

Mike edited this page Apr 23, 2026 · 3 revisions
```mermaid
flowchart TD
    Start([AMT Provisioning]) --> ModeCheck{Device Mode?}

    %% ============================================================
    %% PATH 1: Already Activated (ACM/CCM)
    %% ============================================================
    ModeCheck -->|Activated - ACM / CCM| TLSConfigured{TLS already<br>configured?}

    %% TLS not configured
    TLSConfigured -->|No| GenCert[RPS generates cert<br>from MPS root and<br>adds it to AMT]
    GenCert --> Done1[Connect on port 16993<br>RPS: amt_post_tls_reject = true]

    %% TLS already configured
    TLSConfigured -->|Yes| GetCerts[Get AMT_PublicKeyCertificate<br>and AMT_TLSCredentialsContext]
    GetCerts --> IdentifyCert[Identify cert AMT<br>is currently using]
    IdentifyCert --> SignedByMPS{Cert signed by<br>MPS Root?}

    SignedByMPS -->|Yes| Reuse[Switch to port 16993<br>and reconfigure]
    Reuse --> Done2[RPS: amt_post_tls_reject = true<br>MPS root cert is trusted]

    SignedByMPS -->|No| RegenCert[RPS generates new cert<br>from MPS root and<br>configures it in AMT]
    RegenCert --> Done3[Connect on port 16993<br>RPS: amt_post_tls_reject = true]

    %% ============================================================
    %% PATH 2: Pre-Provisioning
    %% ============================================================
    ModeCheck -->|Not Activated| PreProv{AMT Version?}

    %% AMT 19+
    PreProv -->|19+| ODCA[ODCA cert present<br>and validatable]
    ODCA --> Act19[Activates to CCM<br>over e2e TLS on port 16993<br>RPS: amt_pre_tls_reject = true]
    Act19 -->|Post-Activation| Self19[AMT generates its own<br>self-signed cert]
    Self19 --> DMT19[RPS adds DMT self-signed cert<br>to AMT]
    DMT19 --> RPS19[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    %% AMT 18 and below
    PreProv -->|18 and below| TLSCheck{--tls-tunnel<br>flag set?}

    TLSCheck -->|Yes| NoODCA[No ODCA cert available]
    NoODCA --> Act18TLS[Activates to CCM<br>over non-TLS port 16992]
    Act18TLS -->|Post-Activation| VersionCheck2{AMT Version?}

    VersionCheck2 -->|16 - 18| Self16[AMT generates its own<br>self-signed cert]
    Self16 --> DMT16[RPS adds DMT self-signed cert<br>to AMT]
    DMT16 --> RPS16[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    VersionCheck2 -->|15 and below| DMT[RPS generates DMT<br>self-signed cert and<br>adds it to AMT]
    DMT --> RPS15[RPS: amt_post_tls_reject = true<br>RPS owns the DMT root cert]

    TLSCheck -->|No| Act18Plain[Activates to CCM<br>over non-TLS port 16992]
    Act18Plain -->|Post-Activation| NoTLS[No certs used or added<br>remains on port 16992]
    NoTLS --> RPS18Plain[Both RPS TLS configs<br>not applicable]

    %% Styling
    classDef version19 fill:#2563eb,stroke:#1e40af,color:#fff
    classDef version18tls fill:#7c3aed,stroke:#5b21b6,color:#fff
    classDef version15 fill:#0891b2,stroke:#0e7490,color:#fff
    classDef version18plain fill:#64748b,stroke:#475569,color:#fff
    classDef decision fill:#f59e0b,stroke:#d97706,color:#000
    classDef rps fill:#dc2626,stroke:#b91c1c,color:#fff
    classDef rpsok fill:#16a34a,stroke:#15803d,color:#fff
    classDef acm fill:#0d9488,stroke:#0f766e,color:#fff
    classDef query fill:#6366f1,stroke:#4f46e5,color:#fff

    class ODCA,Self19 version19
    class Act19 rpsok
    class NoODCA,Act18TLS,Self16 version18tls
    class DMT,DMT16,DMT19 version15
    class Act18Plain,NoTLS version18plain
    class ModeCheck,TLSConfigured,SignedByMPS,PreProv,TLSCheck,VersionCheck2 decision
    class RPS18Plain rps
    class RPS15,RPS19,RPS16,Done1,Done2,Done3 rpsok
    class GenCert,RegenCert acm
    class GetCerts,IdentifyCert query
    class Reuse query
```
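The decision tree above, written out as runnable Go so the branch order and the per-leaf results can be checked mechanically. This is an added example for this page, not code from RPS, MPS or any other Device Management Toolkit component: `Device`, `Outcome`, `Plan`, `SignedByMPSRoot` and `newCert` are hypothetical names, the certificates are constructed in-process test data rather than what AMT returns from `AMT_PublicKeyCertificate` / `AMT_TLSCredentialsContext`, and a `false` flag in an `Outcome` means the chart does not set that RPS setting on that path, not that it is set to false. The one point the chart leaves implicit and the code makes explicit is the "Cert signed by MPS Root?" test: Go's `CheckSignatureFrom` verifies the signature and that the root is a CA allowed to sign, but it does not compare names, so an issuer/subject match is checked first to reject a certificate from a different CA that happens to share the MPS root's name.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device is what RPS knows before it decides how to reach AMT (hypothetical type).
type Device struct {
	Activated   bool              // already in ACM or CCM
	AMTVersion  int               // major AMT version; only consulted when not activated
	TLSTunnel   bool              // --tls-tunnel flag; only consulted for AMT 18 and below
	CurrentCert *x509.Certificate // TLS cert AMT currently presents; nil means TLS not configured
	MPSRoot     *x509.Certificate // root RPS issues device certs from
}

// Outcome is the leaf of the flowchart the device lands on (hypothetical type).
// A false flag means the chart does not set that RPS setting on this path,
// not that it is explicitly set to false.
type Outcome struct {
	Port          int    // port the chart names for the activation / reconfiguration connection
	PreTLSReject  bool   // chart says amt_pre_tls_reject = true
	PostTLSReject bool   // chart says amt_post_tls_reject = true
	CertAction    string // what happens to the AMT TLS certificate
}

// Plan walks the flowchart top to bottom; the case order is the decision order.
func Plan(d Device) Outcome {
	switch {
	case d.Activated && d.CurrentCert == nil:
		return Outcome{16993, false, true, "RPS generates cert from MPS root and adds it to AMT"}
	case d.Activated && SignedByMPSRoot(d.CurrentCert, d.MPSRoot):
		return Outcome{16993, false, true, "existing MPS-signed cert reused; switch to 16993 and reconfigure"}
	case d.Activated:
		return Outcome{16993, false, true, "RPS generates new cert from MPS root and configures it in AMT"}
	case d.AMTVersion >= 19:
		return Outcome{16993, true, true, "ODCA cert validated; post-activation RPS adds DMT self-signed cert"}
	case !d.TLSTunnel:
		return Outcome{16992, false, false, "no certs used or added; remains on port 16992"}
	case d.AMTVersion >= 16:
		return Outcome{16992, false, true, "AMT generates self-signed cert; RPS adds DMT self-signed cert"}
	default: // AMT 15 and below
		return Outcome{16992, false, true, "RPS generates DMT self-signed cert and adds it to AMT"}
	}
}

// SignedByMPSRoot is the "Cert signed by MPS Root?" decision. CheckSignatureFrom
// verifies the signature and that root is a CA entitled to sign; it does not
// compare names, so the issuer/subject match is checked explicitly first.
func SignedByMPSRoot(leaf, root *x509.Certificate) bool {
	if leaf == nil || root == nil {
		return false
	}
	if !bytes.Equal(leaf.RawIssuer, root.RawSubject) {
		return false
	}
	return leaf.CheckSignatureFrom(root) == nil
}

// newCert builds a throwaway P-256 certificate (constructed test data, not a
// real MPS root or AMT certificate). parent == nil yields a self-signed cert.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	mpsRoot, mpsKey := newCert("MPS Root", true, nil, nil)
	deviceCert, _ := newCert("amt-device", false, mpsRoot, mpsKey)
	fmt.Printf("%+v\n", Plan(Device{Activated: true, CurrentCert: deviceCert, MPSRoot: mpsRoot}))
	fmt.Printf("%+v\n", Plan(Device{AMTVersion: 19}))
	fmt.Printf("%+v\n", Plan(Device{AMTVersion: 17, TLSTunnel: true}))
}
```

Feeding `Plan` a certificate issued by a second CA that also calls itself "MPS Root" lands on the "RPS generates new cert" leaf, because the name check passes but the signature check fails; that is the case a name-only comparison would get wrong.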
