Azure IoT Hub certificate generation on nRF52840

Hi together!

In my current project I would like to send some sensor data to an Azure IoT Hub, by using a nRF52840.

In the first step and for evaluation I used a nRF9151-DK together with the Azure IoT Hub sample and the setup from the Azure IoT Hub library, which worked fine. For certificate generation and provisioning, I used the "nRF91: Modem generated private key" option together with the nrfcredstore tool.

In the second step, I used a nRF52840 and a W5500 ethernet controller and the "nRF70: Script generated private key" option to run the slightly modified sample code, which also worked. But now the generated certificates (using a <device_id>) are compiled into the application code, which requires an individual firmware for every device. Because I intend to use many devices, this is not an option for me.

I have the following questions:

  • What would be the best way to generate the certificates for many devices, when using an ethernet controller, without having an individual firmware per device?
  • Is there a way to use the nrfcredstore tool on the nRF52840 to generate the private key, when using an external flash to store the certificates?

In the long run, I would like to replace the W5500 with the nRF9151 running the serial modem firmware, achieving LTE connectivity. Would that change anything?

Best regards
Bernhard

  • Hello, 

    We do not have support for the W5500 ethernet device. 

    Is there a reason why you are using the nRF52840 and not a newer device with more security in regard to storing the certificate? I.e. our nRF54 series includes TrustZone, which can be used to store certificates more securely. The nRF70 sample uses the nRF7002DK, which has the nRF5340 as main device. See requirements under Azure IoT Hub sample. This sample also uses the cert_tool.py script.

    From what I can tell, the nrfcredstore tool is not designed to work with other devices than nRF91. From the GitHub repo:

    nrfcredstore is a command line tool that simplifies managing credentials stored in Nordic Semiconductor modems, like the nRF9151. The typical use case of nrfcredstore is to automate the provisioning of cloud certificates that are stored securely in the modem.

    Kind regards,
    Øyvind

  • Hi!

    Thanks for the quick answer!

    I understand you are not supporting the W5500 ethernet controller, but I think it should make no difference using the W5500 or any other external ethernet or Wi-Fi controller, like a nRF70 series device, because the Azure certificates need to be stored on the host controller in any case.

    Let's assume I would use a nRF54 series SoC. Would there be another way for certificate generation and provisioning besides the "nRF70: Script generated private key" option, which would allow the exact same firmware to be used for many devices? If yes, I would appreciate it if you could provide further details on how this can be done.

    Best regards
    Bernhard

  • Hello Bernhard, 

    buh said:
    like a nRF70 series device, because the Azure certificates need to be stored on the host controller in any case.

    Yes, this is correct. Our steps under e.g. Generate and provision device certificates include steps for the nRF70 but should also work for e.g. W5500 when building for your target device.

    buh said:
    Let's assume I would use a nRF54 series SoC. Would there be another way for certificate generation

    There isn't much of a difference in how the certificates are generated, but the difference is where they are stored. The newer devices have a PSA secure storage backend for the tls_credentials. The tls_credentials library supports runtime provisioning using for instance the shell or your own transport of choice, so the firmware can be the same for all.

    For the nRF54 series this is handled by the SDK. For nRF52840, you will need to use some other means to store the credentials. The Settings subsystem is probably usable, but this is not something we have added support for. That would store the credentials in plain text, but at least allow for runtime provisioning.

    Kind regards,
    Øyvind
