How to establish Chain of Trust in IoT Devices

Broadly, a VESPA-powered IoT device must run the following procedures:

  1. Authentication
  2. Device Allocation
  3. Device Capability Exchange

At the end of these calls, the server issues the following objects to every device:
a) a unique device key
b) a unique device certificate, used in all subsequent communication
c) the MQTT topic to send data to
d) the MQTT server CA certificate, used to validate the server

VESPA is bundled with a CA certificate (CA-Cert) that is used to validate the authenticity of the HTTPS/REST server.

The first step for any IoT device is the authentication call. The device sends its credentials over an HTTPS call. While the TLS connection is being established, the certificate presented by the REST server is validated against the pre-bundled CA-Cert; the credentials are presented only after that validation succeeds.
VESPA then follows through the remaining calls to download the objects listed above.

From then on, the MQTT connection is established over TLS with mutual authentication, i.e., the server validates the device and vice versa.
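The server-validation step described above, as an added example that is not VESPA code: a Go program that mints a toy CA and a server certificate in memory and performs the check a device runs against its single bundled CA-Cert, rejecting a certificate from any other CA or for the wrong hostname. The names VESPA Root CA, Rogue CA and rest.example are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue mints a cert in memory (example only; a real device receives its objects from the
// server): a self-signed CA when parent is nil, otherwise a leaf signed by that parent CA.
func mustIssue(cn string, parent *tls.Certificate, dns ...string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does, which Go treats as fatal
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: parent == nil, DNSNames: dns,
	}
	signer, signerKey := tmpl, any(priv) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// validateServer is the check the device runs during the TLS handshake, before any credential is
// sent: the presented cert must chain to the one bundled CA-Cert and carry the host being contacted.
func validateServer(presented, bundledCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // trust store holds only the bundled CA, not the system roots
	roots.AddCert(bundledCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, rogue := mustIssue("VESPA Root CA", nil), mustIssue("Rogue CA", nil) // placeholder names
	server := mustIssue("rest.example", &ca, "rest.example")
	fmt.Println(validateServer(server.Leaf, ca.Leaf, "rest.example"))    // <nil>: trusted chain
	fmt.Println(validateServer(server.Leaf, rogue.Leaf, "rest.example")) // unknown authority
}
```

The same check, with the issued device certificate presented as the client certificate and the MQTT CA certificate in the trust store, is what the mutual-TLS MQTT connection performs in both directions.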