A device, mobile operator, network, and a device provider can exchange messages for EAP-TLS authentication. The network can include an authentication server function (AUSF). A device and a device provider can record both a device certificate and a device provider certificate. The network can receive an encrypted identity for the device and forward the identity to the device provider. The device provider can send the device certificate and the device provider certificate to the network. The network can (i) receive a “client hello”, (ii) select a network public key and private key, and (iii) send a certificate signing request to the device provider with the network public key, and (iv) receive a network certificate verified by the device provider certificate. The network can receive the device certificate from the device in a TLS handshake and mutually authenticate with the device using the received network certificate and the device certificate.