Service provider certificate management

US2016365984A1 · US · A1

Patent metadata

Publication number: US-2016365984-A1
Application number: US-201514736055-A
Country: US
Kind code: A1
Filing date: Jun 10, 2015
Priority date: Jun 10, 2015
Publication date: Dec 15, 2016
Grant date: (none listed)


Abstract

Official abstract text for this publication.

A method includes: establishing a telecommunication link between a device and a service provider system via a telecommunication network; receiving a device public key via the telecommunication network from the device at the service provider system, the device public key predating the establishment of the telecommunication link; verifying, at the service provider system, that the device stores a device private key in a secure storage area of the device, the device private key corresponding to the device public key, the device public key and the device private key being a cryptographic key pair; and authorizing, by the service provider system, sign-up of the device for service enrollment in response to verifying that the device stores the device private key in the secure storage area of the device.

Claims

Claim text (preview; the listing breaks off in claim 17).

1. A method comprising: establishing a telecommunication link between a device and a service provider system via a telecommunication network; receiving a device public key via the telecommunication network from the device at the service provider system, the device public key predating the establishment of the telecommunication link; verifying, at the service provider system, that the device stores a device private key in a secure storage area of the device, the device private key corresponding to the device public key, the device public key and the device private key being a cryptographic key pair; and authorizing, by the service provider system, sign-up of the device for service enrollment in response to verifying that the device stores the device private key in the secure storage area of the device.

2. The method of claim 1, wherein verifying that the device stores a device private key in a secure storage area of the device comprises finding an indication of the device public key in a whitelist database associated with a manufacturer of the device.

3. The method of claim 1, wherein the device public key is part of a device certificate and the device public key is received by the service provider system receiving the device certificate, and wherein the verifying that the device stores a device private key in a secure storage area of the device comprises obtaining a device root certificate authority certificate indicating that the device certificate is trustworthy, and analyzing the device certificate for an indication that secure storage is used for the device private key.

4. The method of claim 3, wherein the analyzing comprises analyzing an extended key usage portion of the device certificate for the indication that secure storage is used for the device private key.

5. The method of claim 1, further comprising: producing a service provider certificate by the service provider system, wherein a public key of the service provider certificate is the device public key; signing the service provider certificate by the service provider system to produce a service-provider-signed certificate; and sending the service-provider-signed certificate from the service provider system to the device.

6. The method of claim 5, further comprising: sending a certificate signing request, based on the service provider certificate, from a sign-up server of the service provider system to a service provider certificate authority of the service provider system, the service provider certificate authority performs the signing of the service provider certificate; and receiving the service-provider-signed certificate from the service provider certificate authority at the sign-up server; wherein the sign-up server performs the sending the service-provider-signed certificate to the device.

7. The method of claim 5, wherein the producing the service provider certificate is performed such that at least one of a format or content of the service provider certificate is at least one of service-provider-server specific, service-provider specific, device-user specific, device specific, or subscription specific.

8. A service provider system comprising: a communication interface configured to establish a telecommunication link with a device via a telecommunication network; and a processor communicatively coupled to the communication interface and configured to: receive a device public key from the device, the device public key predating the establishment of the telecommunication link; verify that the device stores a device private key in a secure storage area of the device, the device private key and the device public key being a cryptographic key pair; and authorize sign-up of the device for service enrollment in response to verifying that the device stores the device private key in the secure storage area of the device.

9. The system of claim 8, wherein to verify that the device stores a device private key in a secure storage area of the device the processor is configured to find an indication of the device public key in a whitelist database associated with a manufacturer of the device.

10. The system of claim 8, wherein the device public key is part of a device certificate and the processor is configured to receive the device public key by receiving the device certificate, and wherein to verify that the device stores a device private key in a secure storage area of the device the processor is configured to obtain a device root certificate authority certificate indicating that the device certificate is trustworthy, and to analyze the device certificate for an indication that secure storage is used for the device private key.

11. The system of claim 10, wherein to analyze the device certificate the processor is configured to analyze an extended key usage portion of the device certificate for the indication that secure storage is used for the device private key.

12. The system of claim 8, wherein the processor is further configured to: produce a service provider certificate, wherein a public key of the service provider certificate is the device public key; sign the service provider certificate to produce a service-provider-signed certificate; and send the service-provider-signed certificate to the device.

13. The system of claim 12, wherein the processor is further configured to: send a certificate signing request from a sign-up module to a service-provider-signed certificate module; produce the service-provider-signed certificate, based on the device certificate, in the service-provider-signed certificate module; send the service-provider-signed certificate from the service-provider-signed certificate module to the sign-up module; and receive the service-provider-signed certificate at the sign-up module from the service-provider-signed certificate module; wherein the processor is configured to send the service-provider-signed certificate to the device from the sign-up module.

14. The system of claim 12, wherein the processor is configured to produce the service provider certificate such that at least one of a format or content of the service-provider-signed certificate is at least one of service-provider-server specific, service-provider specific, device-user specific, device specific, or subscription specific.

15. A method comprising: establishing a telecommunication link between a device and service provider system via a telecommunication network; sending a device certificate via the telecommunication network from the device to the service provider system, the device certificate including a device public key, a device identity, and a digital signature, the device public key predating the establishing of the telecommunication link, the device public key corresponding to a device private key stored in secure memory of the device, the device public key and the device private key being a cryptographic key pair, the device certificate further including an indication that the device private key is stored in the secure memory of the device; and receiving, at the device from the service provider system, an authorization to sign up the device for service enrollment.

16. The method of claim 15, wherein sending the device certificate comprises sending the device certificate to a plurality of service provider systems, the method further comprising receiving a respective service-provider-signed certificate from each of the plurality of service provider systems.

17. The method of claim 16, wherein each of the plurality of service-provider-signed cert

Assignees

Qualcomm Inc

Inventors

(none listed on this page)

Classifications

  • involving digital signatures (CPC title)

  • H04L9/321 (primary): involving a third party or a trusted authority (CPC title)

  • H04L9/3268 (primary): using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] (CPC title)

  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage (CPC title)

  • H04L9/3263 (primary): involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) (CPC title)


Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Qualcomm Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/321. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 15, 2016 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).