Quickstart Guide

Issue your first device certificate in under 15 minutes. This guide walks through account setup, CA hierarchy configuration, and your first certificate provisioning via the REST API.

Time: 15 min. Prerequisites: API key, Linux/macOS terminal, curl

01

Get Your API Key

After your pilot is activated, your API key will be sent to your registered email. API keys follow the format:

erls_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Store your API key as an environment variable. Never commit API keys to version control:

export ERLYSIGN_API_KEY="erls_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Sandbox keys (prefix erls_test_) are also available for integration testing. Sandbox certificates are not valid for production devices.

02

Create a CA Hierarchy

A CA hierarchy defines your root and intermediate certificate authorities. For most IoT deployments, a two-tier hierarchy (root CA + issuing CA) is the right starting point.

Create your first issuing CA via the REST API:

curl -X POST https://api.geterlysign.com/v1/ca \
  -H "Authorization: Bearer $ERLYSIGN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Product Issuing CA",
    "key_algorithm": "EC_P256",
    "validity_years": 10,
    "subject": {
      "common_name": "MyProduct IoT Issuing CA",
      "organization": "Acme Corp",
      "country": "IN"
    }
  }'

The API returns a CA ID that you'll use for certificate issuance:

{
  "ca_id": "ca_01HXYZ...",
  "status": "active",
  "fingerprint": "SHA256:AA:BB:CC:...",
  "certificate_pem": "-----BEGIN CERTIFICATE-----\n..."
}

03

Issue Your First Device Certificate

Issue a device certificate by providing the device's unique serial number and a Certificate Signing Request (CSR). The private key should be generated on the device — never transmitted.

curl -X POST https://api.geterlysign.com/v1/certificates \
  -H "Authorization: Bearer $ERLYSIGN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ca_id": "ca_01HXYZ...",
    "device_id": "DEV-SN-20240001",
    "csr_pem": "-----BEGIN CERTIFICATE REQUEST-----\n...",
    "validity_days": 365,
    "metadata": {
      "product_sku": "MODEL-A1",
      "manufacturing_batch": "2026-Q1-L01"
    }
  }'

ErlySign returns the signed device certificate in PEM format, typically within 50ms:

{
  "cert_id": "cert_01HABC...",
  "device_id": "DEV-SN-20240001",
  "certificate_pem": "-----BEGIN CERTIFICATE-----\n...",
  "not_before": "2026-01-23T00:00:00Z",
  "not_after": "2027-01-23T00:00:00Z",
  "serial_hex": "01:AB:CD:EF:..."
}
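
The on-device key generation and CSR submission described in this step, as an added example that is not ErlySign's own code. It generates a P-256 key and CSR with OpenSSL, builds the request body with the PEM escaped for JSON, and checks that a returned certificate carries the public key of the private key that stayed on the device. The file names, the `CN=<device_id>` subject and the `ca_PLACEHOLDER` value are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not ErlySign code. Endpoint, header and field names are the
# ones shown in this guide; file names and CN=<device_id> are assumptions.

# Generate a P-256 key and a CSR inside <dir>. Only the CSR leaves the device.
make_csr() {  # usage: make_csr <dir> <device_id>
  ( umask 077  # private key file is created mode 0600
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/device.key" &&
    openssl req -new -key "$1/device.key" -subj "/CN=$2" -out "$1/device.csr" )
}

# Emit a PEM file as JSON string content: each line break becomes literal \n.
pem_json() { awk 'BEGIN { ORS = "\\n" } { sub(/\r$/, ""); print }' "$1"; }

# Build the POST /v1/certificates body from the CSR file (never the key file).
# Assumes ca_id and device_id contain no quotes or backslashes.
build_body() {  # usage: build_body <ca_id> <device_id> <csr_file>
  printf '{"ca_id":"%s","device_id":"%s","csr_pem":"%s","validity_days":365}' \
    "$1" "$2" "$(pem_json "$3")"
}

# Send the body with the same curl options used in the request above.
submit_csr() {  # usage: submit_csr <ca_id> <device_id> <csr_file>
  build_body "$@" | curl -sS --fail -X POST \
    https://api.geterlysign.com/v1/certificates \
    -H "Authorization: Bearer $ERLYSIGN_API_KEY" \
    -H "Content-Type: application/json" -d @-
}

# Succeed only if the issued certificate carries the public key of <key.pem>.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$cert_pub" ] &&
    [ "$cert_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Dry run (nothing is sent): pass --demo to print the body for a fresh CSR.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d) && make_csr "$dir" "DEV-SN-20240001" &&
    build_body "ca_PLACEHOLDER" "DEV-SN-20240001" "$dir/device.csr"
fi
```

Run `cert_matches_key` on the saved `certificate_pem` before storing it, so a certificate issued for a different key is rejected on the device.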

04

Verify the Certificate

Verify your issued certificate against the CA chain using OpenSSL:

openssl verify -CAfile ca-chain.pem device-cert.pem
# Expected: device-cert.pem: OK

Check the OCSP status of a certificate:

openssl ocsp \
  -issuer issuing-ca.pem \
  -cert device-cert.pem \
  -url https://ocsp.geterlysign.com \
  -text

05

Integrate the Embedded C SDK

The ErlySign embedded C SDK (under 50KB compiled) handles certificate provisioning directly from your device firmware. It requires mbedTLS or a compatible TLS stack.

#include "erlysign.h"

erls_config_t cfg = {
    .api_key     = "erls_live_xxx...",  /* placeholder; keep the real key out of version control (step 01) */
    .ca_id       = "ca_01HXYZ...",
    .device_id   = get_device_serial(),
    .tls_ca_cert = ERLYSIGN_ROOT_CA_PEM,
};

erls_init(&cfg);

/* Generate key + CSR on device, get cert back */
erls_result_t result;
int rc = erls_provision_device(&cfg, &result);
if (rc == ERLS_OK) {
    store_certificate(result.cert_pem, result.cert_len);
}

The SDK is available on GitHub under the MIT license. Clone it and add it to your build system:

git clone https://github.com/geterlysign/erlysign-c-sdk
# Add sdk/src/*.c and sdk/include/ to your build

Your device can now generate its own key pair, request a signed certificate, and verify its identity via mTLS — without any credentials stored in flash at manufacture.
