This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nrf9160: Adding intermediate certificates to the TLS engine

Hello,

I am running into an issue attempting to add certificates to the device in order to facilitate HTTPS calls to our backend directly from the device.

Before the LTE modem has been configured I make a call to nrf_inbuilt_key_write in order to write the private/public and CA certifications to the device.

 

I appear to be running into a limitation with the certificate size when passing it to nrf_inbuilt_key_write. If the certificate size is too large, it will return me error 105 (NRF_ENOBUFS).

The reason that the certificate is so large is that it contains the root certificate authority as well as an additional intermediate certificate.

Is there any solution to installing more than one (intermediate) CA certificates to the device?

Thank you

Parents
  • Hello,

    if you want to write multiple certificates to the modem you can write them to different tags. Change the sec_tag argument in nrf_inbuilt_key_write() to something new. Be careful not to overwrite other certificates in the modem. You want to avoid writing to existing tags like for instance 16842753, which is being used by nrf_cloud certificates.

  • Hakon,

    Thanks for the response. Are you suggesting that I should be able to write additional certificates to a separate security tag (sec_tag) and then when initializing the socket make two separate calls or I suppose I can simply add an additional security tag to the security tag list:

    err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
    			 sizeof(sec_tag_t) * ARRAY_SIZE(sec_tag_list));


    Let me try this and I will get back to you.
    Thanks,
    Cody
Reply
  • Hakon,

    Thanks for the response. Are you suggesting that I should be able to write additional certificates to a separate security tag (sec_tag) and then when initializing the socket make two separate calls or I suppose I can simply add an additional security tag to the security tag list:

    err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
    			 sizeof(sec_tag_t) * ARRAY_SIZE(sec_tag_list));


    Let me try this and I will get back to you.
    Thanks,
    Cody
Children
Related