Skill Level: Intermediate

Security and base programming skills are preferred.

The NXP A71CH is a ready-to-use secure element for IoT devices providing a root of trust at the IC level and is designed to deliver, chip-to-cloud security to safely connect your devices to IBM Watson IoT, without writing security code or exposing keys.


In the testing and prototyping design phases this A71CH Customer Programmable secure element is used.
When a product is manufactured it will contain the A71CH secure element that NXP pre-provisioned with credentials for the IBM Watson IoT Platform.

In the following steps 1-5 the prototype is being build using the A71CH Customer Programmable.

In step 6 additional guidance is provided to apply the A71CH Ready for IBM Watson IoT in a real product.

This link provides a short overview movie how to create a prototype containing the A71CH 

The ingredients required for testing and prototyping are:

  • Register for a NXP account to access the A71CH product support package (PSP)
  • The A71CH Development board http://ibm.biz/NXPA71CHDK
  • i.MX MCU board based on the i.MX 6UL-EVK development and evaluation kit based on the i.MX 6UltraLite applications processor
  • Register for an IBM Account to use IBM Cloud with IBM Watson IoT




  1. Prepare your boards

    This recipe is a proof of concept and developers guideline for those who want to start to use the A71CH with Watson IoT.

    Follow the instructions in the NXP A71CH Product Support Package (PSP) to connect the boards and prepare and load the software.

    Use the Quick start guide under documentation with title: A71CH Quick start guide for OM3710A71CHARD and i.MX6 UltraLite.


    With reference to the community character of this recipe under the Developerworks Terms of Use, and terms about DISCLAIMER OF WARRANTY and LIMITATION OF LIABILITY in the respective terms of use of any referred party, neither IBM, NXP nor any other party can be held responsible for results of using this content.  

  2. A71CH credential preparation and injection

    To prepare and inject the credentials for the A71CH, ensure you have a working combination of MCIMX6UL-EVKB and A71CH boards.
    OpenSSL (openssl) is used to create the credentials.
    The A71CH Configure tool (a71chConfig_i2c_imx) is used to retrieve the UID from the A71CH and to inject key pair and client certificate.
    The unix command line utilities grep and awk are used to extract bytes forming the UID part of the client certificate’s Common Name.
    All these tools come pre-installed on the SD card image made available for the MCIMX6UL-EVKB board on the A71CH website (https://www.nxp.com/A71CH).

    The instructions explains how to create a CA, how to create device credentials and how to inject the device credentials into the A71CH. These provisioning steps needs to be done only for the current generic sample A71CH. It is planned to release a A71CH for WIoT with preloaded credentials.

    The detailed instructions are available in the github entry referred to in step 3.

  3. Prepare the software stack of your device and connect to WIoT

    The A71CH is the secure element in your device. You as a device vendor / device developer will use the secure eelment together with your device specific code. For this recipe we use the i.MX board as were it your device.

    Prepare the device software on the i.MX board using the instructions in the github entry related to this recipe:
    Watson IoT Platform C Client Library for NXP i.MX Platform with IC A71CH Secure Element


    In summary you find those steps in the github readme.md:

    • Prerequisites
    • Download C client library source
    • Build and install steps
    • Verify build by connecting to Quickstart
    • Connect A71CH to your own organization
  4. Verify build by connecting to Watson IoT Quickstart

    Both the IBM Cloud and Watson IoT platform make use of the concept: ORGANIZATION.

    An Organization on IBM Cloud and Watson IoT is an administrative grouping of resources and services. For fast use and fast access a generic organization is created in Watson IoT platform: QUICKSTART. This is an open public pool where devices can be quickly registered and tested. In all other cases you always register and use your own defined organization.

    Follow the steps in the github readme.md referred to in step 3.


  5. Connect A71CH to your own Watson IoT organization

    Follow the steps in the github readme.md.

    Use the following steps to register CA certificate, device type, and device ID with Watson IoT Platform, configure device and connect to Watson IoT Platform using your own Watson IoT organization.

    • Register Certificate Authority
    • Configure Connection Security Policy
    • Register Device Types and Devices
    • Configure device or gateway
    • Connect device or gateway

    Next you can add your applications and integrations with the backend e.g. try to integrate an app on the i.MX with a Node-Red application on IBM Cloud, using the Node-Red WIoT connector. Use the IBM Cloud Watson IoT Platform Starter boilerplate for a fast start.

  6. Use the A71CH Ready for IBM Watson IoT in your product

    In the testing and prototyping design phases this A71CH Customer Programmable secure element is used.
    When a product is manufactured it will contain the A71CH secure element that NXP pre-provisioned with credentials for the IBM Watson IoT Platform.
    The NXP A71CH Ready for IBM Watson IoT version comes pre-provisioned with the credentials needed, avoiding expensive Public Key Infrastructure at IoT product manufacturing facilities.

    Now you are ready with a first programmed prototype you can further develop the real device that holds the A71CH that is Ready for IBM Watson IoT.
    Please refer to the detailed material available at the NXP website and follow the Application Note to build your product with the NXP A71CH that is Ready for IBM Watson IoT:




    Authors: Marc Masschelein (NXP), Ranjan Dasgupta (IBM), Giuseppe Guagliardo (NXP), Bartho Dröge (IBM)


3 comments on"Plug & Trust IoT chip-to-cloud security with NXP A71CH Ready for IBM Watson IoT"

  1. Bartho Dröge May 15, 2019

    This is the link – awaiting the replay to be published: https://www.futureelectronics.com/resources/events/nxp-public-webinar

  2. Bartho Dröge June 04, 2019

    Here is the REPLAY of the Webinar from May 14th , 2019:
    Creating a Secure & Connected Future: How NXP and IBM® Watson IoT™ Streamline Device-to-Cloud Connections on Watson IoT Platform


Join The Discussion