Series: Building Infrastructure for an Autonomous Drone Fleet (1/4)

Part 1: Device Identity · Part 2: Telemetry · Part 3: Monitoring · Part 4: Battery Management

The Problem

A growing fleet of drones, pilot laptops, field terminals, and ground stations — each needing encrypted network access. Operators are non-technical. Traditional VPNs require per-device manual configuration. The question: how do you onboard a device in 30 seconds, in a field, with no IT support?

Choosing a Mesh VPN

Why mesh over hub-and-spoke: drones need to talk to each other, not just to a gateway. Certificate-based identity gives every device a signed cert with embedded metadata. The VPN runs on everything from a Jetson Nano to a MacBook.

The PKI Architecture

A dedicated service manages the full certificate lifecycle. Core entities: Organization → User → License → Device → Network Endpoint → Certificate. Keycloak for human authentication, API tokens for automation.

The One-Command Installer

A single shell command downloads a self-contained installer. It detects the OS and CPU architecture, registers the device with the PKI, receives a signed certificate bundle, and configures the VPN. From “bare device” to “on the network” in under a minute.
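To make the two halves of this flow concrete, here is an added example (not the series author's PKI service or installer code) using only Go's standard library `crypto/x509`. The issuing side covers the PKI architecture section above: a per-Organization CA signs a device certificate with the device's identity (Organization, Device name, Network Endpoint address) embedded in the Subject and IP SAN, which is what gives every device a "signed cert with embedded metadata". The receiving side covers the installer step described here: before it configures the VPN, it verifies that the downloaded bundle chains to the CA pinned in the installer and is valid at the current time, and only then reads the identity out of it. The type and function names (`DeviceIdentity`, `newCA`, `issueDeviceCert`, `verifyBundle`), the sample organization, device name and `10.42.0.7` address, and the choice of ECDSA P-256 with random 128-bit serials are all this example's assumptions, not anything the series specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// DeviceIdentity is the metadata embedded in a device certificate.
// The field names are this example's assumption, not the page's PKI schema.
type DeviceIdentity struct {
	Org      string // Organization the device belongs to
	Device   string // Device name, carried as the certificate CN
	Endpoint net.IP // Network Endpoint: the device's address on the mesh
}

// newCA creates a self-signed ECDSA P-256 CA for one Organization.
func newCA(org string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Fleet CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert is the PKI-service side: generate the device key pair and sign a
// leaf whose Subject and IP SAN carry the identity. The returned PEM and key together
// form the bundle the installer downloads over the authenticated enrollment channel.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id DeviceIdentity, ttl time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{id.Org}, CommonName: id.Device},
		IPAddresses:  []net.IP{id.Endpoint},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// verifyBundle is the installer side: before any VPN config is written, the received
// certificate must chain to the CA pinned in the installer and be valid at `now`.
// The embedded identity is returned only after that check passes.
func verifyBundle(pinnedCA *x509.Certificate, bundlePEM []byte, now time.Time) (DeviceIdentity, error) {
	block, _ := pem.Decode(bundlePEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return DeviceIdentity{}, fmt.Errorf("bundle does not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return DeviceIdentity{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return DeviceIdentity{}, fmt.Errorf("bundle rejected: %w", err)
	}
	if len(cert.Subject.Organization) != 1 || len(cert.IPAddresses) != 1 {
		return DeviceIdentity{}, fmt.Errorf("certificate lacks embedded identity metadata")
	}
	return DeviceIdentity{Org: cert.Subject.Organization[0], Device: cert.Subject.CommonName, Endpoint: cert.IPAddresses[0]}, nil
}
```

The call order is `newCA` once per Organization, `issueDeviceCert` per enrollment, and `verifyBundle` on the device before the VPN is configured. The installer-side check is the part worth copying: a bundle signed by a different CA, an expired certificate, or a file that is not a certificate at all is rejected before anything touches the network configuration, and the short leaf lifetime passed as `ttl` is what the "certificate status and expiry tracking" in the frontend would be reporting on.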

The Self-Service Frontend

A web UI where admins create devices, issue certificates, and manage licenses. Device overview with certificate status and expiry tracking. Designed for the ops team, not for developers.

What I’d Do Differently

  • Starting with manual cert generation and later building the API — should have been API-first from Day 1
  • Device re-provisioning edge cases (same device name, new hardware)
  • Certificate rotation and revocation: planned but not yet needed at current fleet scale
  • SSH key management as an afterthought — would bake it in from the start next time