NRF9160 Certificate provisioning (CSR) With RSA keys

Hi

We have a product that we are preparing for production.

The product needs to communicate with an Azure IOT Hub that only accepts RSA keys.

We have used the device_credentials_installer.py script to make a certificate signing request, but it seems that it can only generate ECDSA keys.

To verify that the problems we are seeing with devices not getting on the hub, we have tried generating the certificates (with RSA keys) on a PC and loading them onto the device, and that works.

We would strongly prefer that the private key is generated on the device for safety reasons, and our question is therefore whether there is a way to generate an RSA key on the device and get a CSR like it's done in the device_credentials_installer.

- Martin 

  • Hi Martin,

    I'm not too familiar with Azure IoT Hub, but I saw there was some documentation for generating keys for Azure IoT Hub (link). However, I think it uses elliptic curve keys, so are you sure that you can't configure your Hub to work with ECDSA keys?

    Anyway, I don't think that there is a direct way to generate an RSA key directly inside the modem like with the ECDSA keys. However, the nRF9160 Crypto peripheral supports RSA key generation (link). You should be able to generate the key on the application core and then send it to the modem. I don't know if this is safe enough for you as the key is present on the application core for a small amount of time.

    Best regards,

    Simon D-M

  • Hi Simon

    Thanks for the clarification.

    We don't have control over the IOT hub; another company manages that. We are hoping that they can support ECDSA, but we are waiting on a response from them.

    The statement that the Hub only accepts RSA keys is not something we have/can confirm, but the fact that it works with a cert using RSA makes us believe that it's true. We know the root CA uses RSA unlike in the documentation you mentioned.

    We will try to implement key generation in the application if our cloud partner can't make it work with ECDSA. Are there any samples showing how to generate the keys/cert?

    - Martin

  • Hi Martin,

    We currently don't have any sample that shows how to generate an RSA key. The closest sample I found is "Crypto: RSA" which does not show how to generate the RSA key but shows how to use it. It shouldn't be too hard to modify this sample in order to replace importing the key by generating the key.

    If you need help modifying the sample feel free to ask.

    Best regards,

    Simon D-M
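
A host-side pre-flight check for the situation discussed in this thread, as an added example that is not part of the original posts or of Nordic's tooling: it reads a PKCS#10 CSR (PEM or DER) and reports whether the key is RSA or EC and, for RSA, the modulus size, so a CSR with the wrong key type is caught before it is submitted for signing. The function names, the 2048-bit minimum and the sample CSRs (correct layout, dummy key and signature bytes) are assumptions constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def read_tlv(buf, pos=0):
    """Decode one DER element; return (tag, content, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def csr_key_info(csr):
    """Return ("RSA", modulus_bits), ("EC", None) or ("unknown", None) for a PEM or DER CSR."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        csr = base64.b64decode(b"".join(l for l in csr.splitlines() if not l.startswith(b"-----")))
    request_info = children(read_tlv(csr)[1])[0][1]   # CertificationRequestInfo
    spki = children(children(request_info)[2][1])     # fields: version, subject, SPKI, attributes
    oid = children(spki[0][1])[0][1]                  # first field of AlgorithmIdentifier
    if oid != RSA_OID:
        return ("EC" if oid == EC_OID else "unknown", None)
    rsa_public_key = read_tlv(spki[1][1], 1)[1]       # skip the BIT STRING unused-bits octet
    modulus = children(rsa_public_key)[0][1]
    return ("RSA", int.from_bytes(modulus, "big").bit_length())

def acceptable_for_rsa_hub(csr, min_bits=2048):       # min_bits is an assumed policy value
    kind, bits = csr_key_info(csr)
    return kind == "RSA" and bits >= min_bits

# --- constructed sample input: correct PKCS#10 layout, dummy key and signature bytes ---
def tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def sample_csr(oid, key):
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid)) + tlv(0x03, b"\x00" + key))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))

RSA_2048 = sample_csr(RSA_OID, tlv(0x30, tlv(0x02, b"\x00\xc3" + b"\x11" * 255) + tlv(0x02, b"\x01\x00\x01")))
EC_P256 = sample_csr(EC_OID, b"\x04" + b"\x22" * 64)
```

The check only inspects the key type and size; it does not verify the CSR's self-signature, which the signing CA should still do.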
