nrf9160: Adding intermediate certificates to the TLS engine

Hello,

if you want to write multiple certificates to the modem you can write them to different tags. Change the sec_tag argument in nrf_inbuilt_key_write() to something new. Be careful not to overwrite other certificates in the modem. You want to avoid writing to existing tags like for instance 16842753, which is being used by nrf_cloud certificates.

Hakon,

I was able to test writing public, private, and the CA certificate to one security tag, and then the intermediate CA certificate to another security tag and adding both security tags to the sec_tag_list when calling setsockopt.

This was unsuccessful.

Also, in case you were wondering, I do have HTTPS working if I use a different combination of the public, private, and CA certificate for a different URL so I know it does work, just need to get it working when there is more than one CA certificate (intermediate certificates).

Putting all of the certificates into the same certificates.h is what I am currently struggling with right now, if the certificate is too big, nrf_inbuilt_key_write will return me 105 (NRF_ENOBUFS).

nrf_inbuilt_key_write appears to return an error code 105 (NRF_ENOBUFS) when the certificate #define is greater than about ~3800 characters. Unfortunately, the combined root CA certificate and the intermediate certificate is over 4100 characters.

Hi, Håkon is on vacation so I took over this case. 

I don't think you need to include all the CA certificates in the chain, as long as the root-certificate is approved and all the other certificates are signed. Have you tried not including the additional intermediate certificate?

Side note: we don't recommend writing certificates from the application. 

Best regards,

Heidi

I will try this now.

Hey Heidi,

It doesn't appear to be working. I used openssl to verify that my private key does indeed match my public certificate using the instructions here: https://support.comodo.com/index.php?/Knowledgebase/Article/View/684/17/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl

When I run openssl s_client -showcerts -connect hostname:443 it shows me three different certificates in the chain.

Also, if you don't recommend writing the certificates from the application is there a preferred methodology?

Thanks

Hi, there are unfortunately maximum sizes, see here. 

In release v1.1 of NCS the maximum size for one certificate is 4 kB, the maximum amount of intermediate certificates is 4 and the total flash size reserved for certificates is 7 x 8 kB. The chain file for certificate chaining must be less than 8kB.

You could try using RSA 2048 keys or by using Elliptical Curve keys which are smaller than RSA.

The developers have also confirmed that using two separate tags for two certificates chained together is not supported but could be in the future. You can contact your regional sales manager to ask for more information. 

Hi, there are unfortunately maximum sizes, see here. 

In release v1.1 of NCS the maximum size for one certificate is 4 kB, the maximum amount of intermediate certificates is 4 and the total flash size reserved for certificates is 7 x 8 kB. The chain file for certificate chaining must be less than 8kB.

You could try using RSA 2048 keys or by using Elliptical Curve keys which are smaller than RSA.

The developers have also confirmed that using two separate tags for two certificates chained together is not supported but could be in the future. You can contact your regional sales manager to ask for more information. 

Okay, so it sounds like if I have a certificate chain consisting of 3 certificates (which is less than the maximum amount of 4 intermediate certificates) but exceeds 4kB when put all together, this configuration is not supported for now?

I guess I am just confused by what you mean when you say, "The chain file for certificate chaining must be less than 8kB." The three certificates that I need to add to the modem is just slightly over 6kB and all of them are well under 4 kB individually.

Can you confirm that this scenario (3 certificates, all under 4kB individually, over 6kB when combined) is unsupported? Note that I am not included the public/private key in this scenario.

The chain file is the ordered list of all certificates. If you're sure it's under 8kB I'll double-check with the developers again.

Could you run AT%CMNG=1 to list all storage certificates and keys?