Secure Customer Key Injection for Build-to-Stock Systems

US2017200225A1 · US · A1

Patent metadata

Publication number: US-2017200225-A1
Application number: US-201615144048-A
Country: US
Kind code: A1
Filing date: May 2, 2016
Priority date: Jan 13, 2016
Publication date: Jul 13, 2017
Grant date:

Abstract

Official abstract text for this publication.

Techniques for manufacturing cryptographically-enabled network endpoints are described herein. In an example, an endpoint is provisioned with keys, which may include a revocation key, a command key, a recovery key and other cryptographic information. A buyer of the endpoint may send one or more keys to the manufacturer, and request that a handover package be sent by the manufacturer to the buyer. The manufacturer sends the handover package, which may include cryptographic information appropriately signed by the manufacturer. Upon receipt, the handover package is cryptographically processed by the buyer and portions are included in a takeover package sent to the endpoint. The endpoint may replace operational keys within the endpoint and switch its operation from use of manufacturer-produced credentials to use of buyer-produced credentials. Accordingly, the endpoint is provisioned for secure operation by the owner in an advanced metering infrastructure (AMI) or Internet of Things environment.

First claim

Opening claim text (preview).

1. A method to manufacture an endpoint, comprising: provisioning the endpoint with keys at a manufacturer; transferring the endpoint from the manufacturer to a site of a buyer; creating a handover package at the manufacturer, wherein the creating comprises: including a public key of the buyer in the handover package; and including an identifier of the endpoint in the handover package; signing the handover package with a private key of the manufacturer corresponding to a public key of the manufacturer within the endpoint; specifying that the public key of the buyer is to be used to verify a takeover request; and sending the handover package from the manufacturer to the buyer.

2. The method of claim 1, wherein the endpoint comprises a buyer meter.

3. The method of claim 1, wherein the provisioning of the endpoint with keys comprises: injecting the endpoint with a manufacturer's public key; and injecting the endpoint with a public/private key pair.

4. The method of claim 3, wherein injecting the endpoint with a public/private key pair comprises: generating the public/private key pair on the endpoint prior to the injection.

5. The method of claim 1 wherein transferring the endpoint to the site of the buyer comprises: sending the endpoint to the buyer by way of a reseller.

6. The method of claim 1, wherein creating the handover package additionally comprises: including a revocation public key of the buyer.

7. The method of claim 1, wherein in the signing of the handover package with the private key of the manufacturer is a revocation private key of the manufacturer corresponding to a revocation public key of the manufacturer from among the keys provisioned in the endpoint.

8. The method of claim 1, wherein the sending of the handover package comprises signing the handover package in a secure key transfer file (SKTF) signed by a transfer key of the manufacturer.

9. A method to manage cryptographic keys on an endpoint, comprising: reading an identifier of the endpoint; providing a manufacturer of the endpoint with the serial number; receiving a handover package from the manufacturer; creating a takeover package, wherein the creating comprises: creating a key bundle with operational keys of a buyer, wherein the key bundle is to replace keys within the endpoint; encrypting the key bundle with a key found in the handover package; and signing the encrypted key bundle and the handover package with a revocation private key of the buyer; and transmitting the takeover package to the endpoint.

10. The method of claim 9, additionally comprising: providing the manufacturer with a public key of the endpoint.

11. The method of claim 9, wherein the handover package received from the manufacturer comprises: a revocation public key of the buyer; the serial number of the endpoint; and a recovery public key of the manufacturer.

12. The method of claim 9, wherein operational keys of the buyer comprise: a revocation key of the buyer; and a command key of the buyer.

13. The method of claim 9, wherein encrypting the key bundle with the key found in the handover package comprises: encrypting the key bundle with a public recovery key of the manufacturer.

14. The method of claim 9, additionally comprising: receiving, from the endpoint and responsive to the transmission of the takeover package to the endpoint, a message from the endpoint indicating that manufacturing device credentials previously used by the endpoint have been replaced by buyer device credentials currently used by the endpoint.

15. An endpoint, comprising: a processor; and memory, connected to the processor, wherein the memory defines objects comprising: a handover package, received by the processor, defined in the memory, and verified using a public key of a manufacturer; a takeover package, defined in the memory, and verified using a public key of a buyer of the endpoint obtained from the handover package; replacement keys extracted from an encrypted bundle found in the takeover package; manufacturer-provided keys and credentials initially installed in the endpoint; buyer-provided device keys and credentials, wherein the buyer-provided device keys and credentials replace the manufacturer-provided keys and credentials and comprise the replacement keys; and a confirmation message to indicate that the manufacturer-provided keys and credentials are no longer being used by the endpoint and that the buyer-provided keys and credentials are being used.

16. The endpoint of claim 15, wherein the handover package comprises: a public key of the buyer; an identifier of the endpoint; and a public key of the manufacturer.

17. The endpoint of claim 15, wherein the public key of the manufacturer used to verify the handover package at the endpoint is a revocation key of the manufacturer.

18. The endpoint of claim 15 additionally comprising: a certificate signing request (CSR); and a certificate, obtained from a certificate authority of the buyer, in response to the CSR.

19. The endpoint of claim 15, wherein the buyer-provided device keys and credentials comprise: command, revocation and recovery keys; and a new public/private key pair.

20. The endpoint of claim 15, wherein the endpoint is configured to perform a Diffie-Hellman key exchange of symmetric keys and a secret, wherein the confirmation message additionally provides information to the buyer regarding the secret.
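
The handover and takeover flow of claims 1, 9 and 15, as an added example that is not part of the patent or of any Itron code. The algorithms (Ed25519, RSA-OAEP), the JSON layout, every function and field name, and the assumption that the endpoint holds the private half of the encryption key carried in the handover package are choices made for this example.

```javascript
const { generateKeyPairSync, sign, verify, publicEncrypt, privateDecrypt } = require('crypto');

// Algorithms are assumptions (the claims name none): Ed25519 signatures, RSA-OAEP encryption.
const pem = (key) => key.export({ type: 'spki', format: 'pem' });
const b64 = (buf) => buf.toString('base64');

// Manufacturer (claim 1): bind buyer public key and endpoint identifier, then sign.
function createHandover(endpointId, buyerPub, encPub, mfrPriv) {
  const body = JSON.stringify({ endpointId, buyerPub: pem(buyerPub), encPub: pem(encPub) });
  return { body, sig: b64(sign(null, Buffer.from(body), mfrPriv)) };
}

// Bytes covered by the buyer signature: encrypted bundle plus the whole handover package.
const signedBytes = (enc, h) => Buffer.from([enc, h.body, h.sig].join('.'));
const handoverOk = (h, mfrPub) => verify(null, Buffer.from(h.body), mfrPub, Buffer.from(h.sig, 'base64'));

// Buyer (claim 9): encrypt the bundle with the key found in the handover package, then sign.
function createTakeover(handover, keyBundle, buyerPriv, mfrPub) {
  if (!handoverOk(handover, mfrPub)) throw new Error('handover not signed by manufacturer');
  const { encPub } = JSON.parse(handover.body);
  const enc = b64(publicEncrypt(encPub, Buffer.from(JSON.stringify(keyBundle))));
  return { handover, enc, sig: b64(sign(null, signedBytes(enc, handover), buyerPriv)) };
}

// Endpoint (claim 15): every check must pass before any key is replaced.
function acceptTakeover(pkg, endpoint) {
  const h = pkg.handover;
  if (!handoverOk(h, endpoint.mfrPub)) return { ok: false, reason: 'handover signature' };
  const { endpointId, buyerPub } = JSON.parse(h.body);
  if (endpointId !== endpoint.id) return { ok: false, reason: 'endpoint identifier' };
  if (!verify(null, signedBytes(pkg.enc, h), buyerPub, Buffer.from(pkg.sig, 'base64')))
    return { ok: false, reason: 'takeover signature' };
  const plain = privateDecrypt(endpoint.encPriv, Buffer.from(pkg.enc, 'base64'));
  endpoint.keys = JSON.parse(plain.toString()); // buyer keys replace manufacturer keys
  return { ok: true, reason: 'keys replaced' };
}

// Constructed demo data: fresh key pairs, a made-up identifier, placeholder key strings
// (short enough to fit a single RSA-OAEP block).
function demo() {
  const mfr = generateKeyPairSync('ed25519');
  const buyer = generateKeyPairSync('ed25519');
  const enc = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const endpoint = { id: 'EP-0001', mfrPub: mfr.publicKey, encPriv: enc.privateKey, keys: 'manufacturer' };
  const handover = createHandover('EP-0001', buyer.publicKey, enc.publicKey, mfr.privateKey);
  const bundle = { revocation: 'buyer-revocation-key', command: 'buyer-command-key' };
  return { mfr, buyer, enc, endpoint, handover, bundle };
}
```

Because the endpoint trusts the buyer key only through the manufacturer-signed handover package, a takeover package signed by any other key, or addressed to another identifier, leaves the manufacturer-provided keys in place.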

Classifications

  • involving digital signatures · CPC title

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title

  • Business processing using cryptography · CPC title

  • involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] · CPC title

  • Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Itron Inc
What technology area does this patent fall under?
Primary CPC classification G06Q40/04. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 13, 2017 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).