
nrf9160: Adding intermediate certificates to the TLS engine


I am running into an issue attempting to add certificates to the device in order to facilitate HTTPS calls to our backend directly from the device.

Before the LTE modem has been configured I make a call to nrf_inbuilt_key_write in order to write the private/public and CA certifications to the device.


I appear to be running into a limitation with the certificate size when passing it to nrf_inbuilt_key_write. If the certificate size is too large, it returns error 105 (NRF_ENOBUFS).

The reason that the certificate is so large is that it contains the root certificate authority as well as an additional intermediate certificate.

Is there any solution for installing more than one (intermediate) CA certificate on the device?

Thank you

  • Hello,

    If you want to write multiple certificates to the modem, you can write them to different tags. Change the sec_tag argument in nrf_inbuilt_key_write() to something new. Be careful not to overwrite other certificates in the modem. You want to avoid writing to existing tags like, for instance, 16842753, which is being used by nrf_cloud certificates.

  • Hakon,

    Thanks for the response. Are you suggesting that I should be able to write additional certificates to a separate security tag (sec_tag) and then, when initializing the socket, make two separate calls? Or I suppose I can simply add an additional security tag to the security tag list:

    err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
    			 sizeof(sec_tag_t) * ARRAY_SIZE(sec_tag_list));

    Let me try this and I will get back to you.
  • Cody said:
    I suppose I can simply add an additional security tag to the security tag list

     As far as I know this is the way to do it.

  • Hakon,

    I was able to test writing public, private, and the CA certificate to one security tag, and then the intermediate CA certificate to another security tag and adding both security tags to the sec_tag_list when calling setsockopt.

    This was unsuccessful.

    Also, in case you were wondering, I do have HTTPS working if I use a different combination of the public, private, and CA certificate for a different URL, so I know it does work; I just need to get it working when there is more than one CA certificate (intermediate certificates).

  • Okay, it seems that the sec_tag list hasn't been implemented properly on our part. There is another way to do it, though. You can put all of the certificates in the same certificates.h file; look at the asset_tracker project for reference. If you need more than one CA certificate, you should write something like this:

    	"-----BEGIN CERTIFICATE-----\n" \
    	"-----END CERTIFICATE-----\n" \
    	"-----BEGIN CERTIFICATE-----\n" \
    	"-----END CERTIFICATE-----\n"
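
An added example, not code from this thread or from the nRF SDK: a stand-alone C check that a concatenated PEM bundle of the kind shown above has balanced, newline-terminated BEGIN/END markers and fits a caller-chosen size limit before it is passed to nrf_inbuilt_key_write(). The function name pem_bundle_check, the placeholder certificate bodies and the 4096-byte limit are assumptions; the thread does not state the modem's actual buffer limit.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----\n"
#define PEM_END   "-----END CERTIFICATE-----\n"

/* Constructed sample: two blocks with placeholder bodies, not real certificates. */
static const char sample_bundle[] =
	PEM_BEGIN "UExBQ0VIT0xERVIx\n" PEM_END
	PEM_BEGIN "UExBQ0VIT0xERVIy\n" PEM_END;

/* Returns the number of certificate blocks in pem, or a negative value:
 *  -1  markers unbalanced, out of order, or missing their trailing newline
 *  -2  bundle longer than max_len (caller-supplied limit, an assumption)
 */
int pem_bundle_check(const char *pem, size_t max_len)
{
	size_t len = strlen(pem);
	const char *p = pem;
	int count = 0;

	if (len > max_len) {
		return -2;
	}
	while (*p != '\0') {
		/* Every block must begin exactly where the previous one ended. */
		if (strncmp(p, PEM_BEGIN, strlen(PEM_BEGIN)) != 0) {
			return -1;
		}
		p += strlen(PEM_BEGIN);
		const char *end = strstr(p, PEM_END);
		const char *next_begin = strstr(p, "-----BEGIN");
		/* No END, or a second BEGIN before it, means a broken bundle. */
		if (end == NULL || (next_begin != NULL && next_begin < end)) {
			return -1;
		}
		p = end + strlen(PEM_END);
		count++;
	}
	return count > 0 ? count : -1;
}

int main(void)
{
	/* 4096 is a hypothetical limit chosen for this example. */
	printf("blocks: %d\n", pem_bundle_check(sample_bundle, 4096));
	return 0;
}
```

A forgotten `\n` at the end of a string-literal line in certificates.h fuses two marker lines together, which this check reports as -1 before the buffer ever reaches the modem.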