Appliance
Enrolment
How an appliance joins the fleet, cryptographically.
Last updated 18 Apr 2026
Enrolment is the moment a fresh appliance becomes a trusted member of the fleet. It involves three parties: the appliance, the central plane, and the operator (you or us, depending on how the unit was ordered).
Token flow
- We mint an enrolment token with a 72-hour TTL, bound to the tenant and a single hardware serial.
- The token is delivered out-of-band — typically printed on the shipment docket and emailed to the named contact.
- At first boot the appliance exchanges the token for a fleet-signed certificate. The exchange includes TPM attestation, proving the appliance is genuine hardware running genuine firmware.
```
appliance                              central plane
    |                                       |
    |  POST /v1/enrol                       |
    |  { token, csr, tpm_quote }            |
    |-------------------------------------->|
    |                                       | verify token
    |                                       | verify TPM quote
    |                                       | mint certificate
    |                                       |
    |  200 OK                               |
    |  { cert, fleet_root, policy_url }     |
    |<--------------------------------------|
    |                                       |
```

What we pin at enrolment
- Identity key. Generated on the appliance, stored in the TPM, never exported.
- Tenant ID. Immutable — an appliance can belong to exactly one tenant for life.
- Region. EU or UAE — determines which central-plane region the appliance talks to.
- Serial + hardware fingerprint. Cross-referenced at every heartbeat so a physical swap is detected and surfaced.
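The "verify token" step of the exchange above, as an added example that is not the product's own code: it assumes the enrolment token is an HMAC-signed JSON payload (the page does not specify a format) carrying the tenant, the bound serial, a 72-hour expiry and a one-time id, and it leaves TPM quote verification and certificate minting to the rest of the handler. The `used` set stands in for whatever store the central plane keeps of spent tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL_S = 72 * 3600  # 72-hour TTL, as stated for enrolment tokens


class EnrolError(Exception):
    """Raised when an enrolment request must be refused."""


def mint_token(key: bytes, tenant: str, serial: str, now: float) -> str:
    """Mint a token bound to one tenant and one hardware serial (assumed format)."""
    body = {
        "tenant": tenant,
        "serial": serial,
        "exp": int(now) + TOKEN_TTL_S,
        "jti": secrets.token_hex(8),  # one-time id so a token cannot be replayed
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(key: bytes, token: str, tenant: str, serial: str,
                 now: float, used: set) -> dict:
    """Check signature, expiry, tenant/serial binding and single use, in that order."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare before anything in the payload is trusted.
    if not hmac.compare_digest(tag, expected):
        raise EnrolError("token signature invalid")
    body = json.loads(base64.urlsafe_b64decode(payload))
    if now > body["exp"]:
        raise EnrolError("token expired")
    # The token is bound to exactly one tenant and one serial; the request
    # must present the same pair or it is refused.
    if body["tenant"] != tenant or body["serial"] != serial:
        raise EnrolError("token not bound to this tenant/serial")
    if body["jti"] in used:
        raise EnrolError("token already used")
    used.add(body["jti"])
    return body
```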
Rotating
To rotate an appliance’s certificate we use the existing identity key as the authenticator. To rotate the identity key — for example after a suspected compromise — we require a fresh enrolment ceremony, which in turn requires physical access to the appliance. That is deliberate.