https://devzone.nordicsemi.com/f/nordic-q-a/119170/nrf9160-offloaded-sockets-can-t-use-mbedtls_use_psa_crypto-with-rsa-certificatesI have app that&#39;s using MBedTLS and offloaded sockets on the nRF9160 modem. I&#39;m using NCS 2.9.0 and it appears to me that it&#39;s not possible to set CONFIG_MBEDTLS_USE_PSA_CRYPTO when RSA certificates are required. I have tried many combinations of configen-USTelligent Community 13Mon, 28 Jul 2025 15:41:46 GMThttps://devzone.nordicsemi.com/thread/543797?ContentTypeID=1Mon, 28 Jul 2025 15:41:46 GMT137ad170-7792-4731-bb38-c0d22fbe4515:57462355-8cb3-458e-b18d-3b83cc9a51ddJaro<p>Hi Voxorion, hi Susheel,</p> <p>we have exactly the same problem, that we cannot parse the RSA certificate provided by our server.<br />Same error code -0x262e, same config dependency between&nbsp;<span>MBEDTLS_RSA_C&nbsp; &lt;--&gt;&nbsp;CONFIG_MBEDTLS_USE_PSA_CRYPTO. Using ECC certificates is also not an option since we have no control over the provided certificate.</span></p> <p><span></span></p> <p><span>We are currently on NCS release 3.0.2 so apparently the teased dependency breaks have not released so far.</span></p> <p><span></span></p> <p><span>Therefore my question:</span></p> <p><span>a) Is there any known workaround so far to somehow parse RSA certificates with CONFIG_MBEDTLS_USE_PSA_CRYPTO enabled?</span></p> <p><span>b) Is there any roadmap on when the dependencies to the (soon to be) deprecated&nbsp;MBEDTLS_LEGACY API will be released?</span></p> <p><span></span></p> <p><span>If you have any helpful information, we would really much appreciate your feedback.</span></p> <p><span>Thanks in advance!</span></p> <p><span>Jaro</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/524405?ContentTypeID=1Mon, 24 Feb 2025 15:23:10 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1370d201-8b07-4d87-b144-38ddaef109d6Susheel Nuguru<p>Voxorin, it seems like we still need legacy crypto for some cases. I think by sdk release version 3.0.0 we might be able to break the dependency on the legacy crypto completely. But this is not a promise but just a guideline on our intention. Keeping that in mind, you can probably ignore that warning and continue your development and in few months you wont see this warning when you upgrade the sdk.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/524156?ContentTypeID=1Fri, 21 Feb 2025 18:45:01 GMT137ad170-7792-4731-bb38-c0d22fbe4515:dbf0ddfa-58f0-4021-9513-0cfa9d45089dVoxorin<p>I would like to use ECC certificates, but both vendors I work with only have servers that use RSA certificates (ISRG Root X1 and Amazon Root CA 1).</p> <p>It seems a bit strange that RSA certificates would be considered deprecated when they&#39;re still widely in use.</p> <p>Maybe I missed something, but the MbedTLS PSA Crypto API supports RSA and it doesn&#39;t appear to be deprecated by MbedTLS. So why doesn&#39;t the NCS version of the PSA Crypto API support RSA?</p> <p>See: <a href="https://mbed-tls.readthedocs.io/en/latest/getting_started/psa/#signing-a-message-using-rsa">&quot;The PSA Crypto API supports encrypting, decrypting, signing and verifying messages using public key signature algorithms, such as RSA or ECDSA.&quot;</a></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/524110?ContentTypeID=1Fri, 21 Feb 2025 14:05:55 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b4e84215-0cc8-4ab1-beca-e9603ac1bbb4Susheel Nuguru<p>Voxorin,</p> <p>You seem right, seems like there is this dependency of MBEDTLS_RSA on a deprecated&nbsp;&nbsp;<code>CONFIG_MBEDTLS_LEGACY_CRYPTO_C</code>. I think the best alternative for you, if you do not want to rely on deprecated configs, for future proofing your design, it might be best to use ECC certificates (which are supported by the PSA_CRYPTO&nbsp; API in our solution) rather than RSA.&nbsp;&nbsp;</p><div style="clear:both;"></div>