Keyfactor Command for IoT
Overview
Keyfactor Command for IoT provides end-to-end IoT identity and device security, embedding certificate-based identities into devices from manufacturing through to end-of-life. The platform integrates with EJBCA Enterprise for certificate issuance and with major cloud IoT platforms including Azure IoT Hub, enabling organisations to establish strong device identity as part of their manufacturing process and manage device certificates throughout the operational lifecycle.
Unsung implements Command for IoT for UK customers in transport, critical infrastructure, defence, and manufacturing environments where connected devices require strong cryptographic identity for network authentication, secure communication, and firmware integrity verification.
The Challenge
Connected devices deployed across operational technology environments, transport networks, and industrial systems need unique, verifiable identities to authenticate securely and protect communications. Traditional approaches using shared secrets or static credentials are inadequate for the scale and security requirements of modern IoT deployments. Each device needs a unique certificate provisioned during manufacturing and managed throughout its operational life.
The challenge extends beyond initial provisioning. Device certificates expire and must be renewed, sometimes across fleets of thousands or millions of devices operating in remote or difficult-to-access locations. Compromised devices must be identified and their certificates revoked. The device identity infrastructure must integrate with the organisation’s existing PKI and cloud platforms to provide a coherent trust framework.
What It Does
Command for IoT addresses the full device identity lifecycle. Factory provisioning capabilities embed unique certificates into devices during manufacturing, establishing cryptographic identity from the point of production. The platform manages certificate renewal across deployed device fleets, handling the automation required to renew certificates on devices that may operate unattended in remote locations.
Integration with EJBCA Enterprise provides the CA infrastructure for certificate issuance, whilst integration with cloud IoT platforms such as Azure IoT Hub enables certificate-based device authentication within cloud-native IoT architectures. The platform provides visibility and management of device certificates across the fleet, enabling organisations to track certificate status, identify devices with expiring credentials, and respond to security events through certificate revocation.
How Unsung Helps
Unsung helps clients design and implement device identity architectures that integrate with their manufacturing processes, operational technology environments, and cloud platforms. Our experience with EJBCA and Command means we can deliver the complete stack from CA infrastructure through to device provisioning and lifecycle management. Our PKI Design & Build service covers end-to-end IoT identity architecture and implementation.
Related Unsung Services
PKI Design & Build — Design and implementation of IoT identity and device PKI architectures.
Certificate Lifecycle Management — Lifecycle management for large-scale device certificate estates.
PKI Consultancy — Advisory on IoT security architecture and device identity strategy.
