Service provider certificate management

The invention claimed is: 1. A method comprising: establishing a telecommunication link between a device and a service provider system via a telecommunication network; receiving, from the device at the service provider system, a communication comprising a device public key for the device, via the telecommunication network, the device public key predating the establishment of the telecommunication link; verifying, at the service provider system, based on verification data from at least one other device, obtained using the communication comprising the device public key for the device, that the device stores a device private key in a secure storage area of the device, wherein the device private key corresponds to the device public key, with the device public key and the device private key being a cryptographic key pair; and authorizing, by the service provider system, sign-up of the device for service enrollment in response to verifying, based on the verification data from the at least one other device, obtained using the communication comprising the device public key for the device, that the device stores the device private key in the secure storage area of the device, wherein authorizing the sign up of the device for the service enrollment for the service provider system comprises providing to the device, when the device private key is determined to be stored in the secure storage area of the device, a service-provider-specific custom certificate. 2. The method of claim 1 , wherein verifying that the device stores the device private key in a secure storage area of the device comprises finding an indication of the device public key in a whitelist database associated with a manufacturer of the device. 3. The method of claim 1 , wherein the communication comprises a device certificate, and wherein the device public key is part of the device certificate and the device public key is received by the service provider system receiving the device certificate, and wherein the verifying that the device stores the device private key in the secure storage area of the device comprises obtaining a device root certificate authority certificate indicating that the device certificate is trustworthy, and analyzing the device certificate for an indication that secure storage is used for the device private key. 4. The method of claim 3 , wherein the analyzing comprises analyzing an extended key usage portion of the device certificate for the indication that secure storage is used for the device private key. 5. The method of claim 1 , further comprising: producing a service provider certificate by the service provider system, wherein a public key of the service provider certificate is the device public key; signing the service provider certificate by the service provider system to produce a service-provider-signed certificate; and sending the service-provider-signed certificate from the service provider system to the device; wherein the service-provider-specific custom certificate comprises the service-provider-signed certificate. 6. The method of claim 5 , further comprising: sending a certificate signing request, based on the service provider certificate, from a sign-up server of the service provider system to a service provider certificate authority of the service provider system, the service provider certificate authority performs the signing of the service provider certificate; and receiving the service-provider-signed certificate from the service provider certificate authority at the sign-up server; wherein the sign-up server performs the sending the service-provider-signed certificate to the device. 7. The method of claim 5 , wherein the producing the service provider certificate is performed such that at least one of a format or content of the service provider certificate is at least one of service-provider-server specific, service-provider specific, device-user specific, device specific, or subscription specific. 8. A service provider system comprising: a communication interface configured to establish a telecommunication link with a device via a telecommunication network; and a hardware-based processor communicatively coupled to the communication interface and configured to: receive, from the device, a communication comprising a device public key for the device, the device public key predating the establishment of the telecommunication link; verify, based on verification data from at least one other device, obtained using the communication comprising the device public key for the device, that the device stores a device private key in a secure storage area of the device, with the device private key and the device public key being a cryptographic key pair; and authorize sign-up of the device for service enrollment in response to verifying, based on the verification data from the at least one other device, obtained using the communication comprising the device public key for the device, that the device stores the device private key in the secure storage area of the device, wherein the hardware-based processor configured to authorize the sign up of the device for the service enrollment for the service provider system is configured to provide to the device, when the device private key is determined to be stored in the secure storage area of the device, a service-provider-specific custom certificate. 9. The system of claim 8 , wherein to verify that the device stores the device private key in the secure storage area of the device the processor is configured to find an indication of the device public key in a whitelist database associated with a manufacturer of the device. 10. The system of claim 8 , wherein the communication comprises a device certificate, and wherein the device public key is part of the device certificate and the processor is configured to receive the device public key by receiving the device certificate, and wherein to verify that the device stores the device private key in the secure storage area of the device the processor is configured to obtain a device root certificate authority certificate indicating that the device certificate is trustworthy, and to analyze the device certificate for an indication that secure storage is used for the device private key. 11. The system of claim 10 , wherein to analyze the device certificate the processor is configured to analyze an extended key usage portion of the device certificate for the indication that secure storage is used for the device private key. 12. The system of claim 8 , wherein the processor is further configured to: produce a service provider certificate, wherein a public key of the service provider certificate is the device public key; sign the service provider certificate to produce a service-provider-signed certificate; and send the service-provider-signed certificate to the device; wherein the service-provider-specific custom certificate comprises the service-provider-signed certificate. 13. The system of claim 12 , wherein the processor is further configured to: send a certificate signing request from a sign-up module to a service-provider-signed certificate module; produce the service-provider-signed certificate, based on the device certificate, in the service-provider-signed certificate module; send the service-provider-signed certificate from the service-provider-signed certificate module to the sign-up module; and receive the service-provider-signed certificate at the sign-up module from the service-provider-signed certificate module; wherein the processor is configured to send the service-provider-signed certificate to the device from the sign-up module.