Manually create a Public Key Infrastructure tree (PKI tree)

To sign an image, you must first generate a Public Key Infrastructure (PKI).

Digi Embedded Yocto automatically generates one if not provided. This topic explains how to manually generate a PKI tree for the ConnectCore MP15.

Generate a Public Key Infrastructure (PKI) tree

Install an SDK to have access to the signing tools. See Install a pre-compiled toolchain for instructions.
Create a folder to hold the keys and export variable CONFIG_SIGN_KEYS_PATH with its path, for instance:
```
$ export CONFIG_SIGN_KEYS_PATH="/home/username/my-pki"
$ cd ${CONFIG_SIGN_KEYS_PATH}
```
Generate the PKI tree with:
```
$ trustfence-sign-artifact.sh -p ccmp15
```
This generates a subdirectory keys/ with:
- fit/fitcfg.crt: public key for FIT configuration nodes
- fit/fitcfg.key: private key for FIT configuration nodes
- fit/fitimg.crt: public key for FIT image nodes
- fit/fitimg.key: private key for FIT image nodes
- keys/key_pass.txt: the randomly generated password in plain text
- keys/privateKey.pem: the private key
- keys/publicKey.pem: the public key
- keys/publicKeyhash.bin: hash of the ECC public key
Add this line to your conf/local.conf file to use the generated keys:
```
TRUSTFENCE_SIGN_KEYS_PATH = "/home/username/my-pki"
```