nrf9160: Adding intermediate certificates to the TLS engine

RE: nrf9160: Adding intermediate certificates to the TLS engine

Heidi — Tue, 14 Jan 2020 13:45:23 GMT

The chain file is the ordered list of all certificates. If you're sure it's under 8kB I'll double-check with the developers again.

Could you run AT%CMNG=1 to list all storage certificates and keys?

RE: nrf9160: Adding intermediate certificates to the TLS engine

Cody — Fri, 10 Jan 2020 18:09:11 GMT

Okay, so it sounds like if I have a certificate chain consisting of 3 certificates (which is less than the maximum amount of 4 intermediate certificates) but exceeds 4kB when put all together, this configuration is not supported for now?

I guess I am just confused by what you mean when you say, "The chain file for certificate chaining must be less than 8kB." The three certificates that I need to add to the modem is just slightly over 6kB and all of them are well under 4 kB individually.

Can you confirm that this scenario (3 certificates, all under 4kB individually, over 6kB when combined) is unsupported? Note that I am not included the public/private key in this scenario.

RE: nrf9160: Adding intermediate certificates to the TLS engine

Heidi — Fri, 10 Jan 2020 14:09:45 GMT

Hi, there are unfortunately maximum sizes, see here.

In release v1.1 of NCS the maximum size for one certificate is 4 kB, the maximum amount of intermediate certificates is 4 and the total flash size reserved for certificates is 7 x 8 kB. The chain file for certificate chaining must be less than 8kB.

You could try using RSA 2048 keys or by using Elliptical Curve keys which are smaller than RSA.

The developers have also confirmed that using two separate tags for two certificates chained together is not supported but could be in the future. You can contact your regional sales manager to ask for more information.

RE: nrf9160: Adding intermediate certificates to the TLS engine

Cody — Fri, 10 Jan 2020 03:48:11 GMT

Hey Heidi,

It doesn't appear to be working. I used openssl to verify that my private key does indeed match my public certificate using the instructions here: https://support.comodo.com/index.php?/Knowledgebase/Article/View/684/17/how-do-i-verify-that-a-private-key-matches-a-certificate-openssl

When I run openssl s_client -showcerts -connect hostname:443 it shows me three different certificates in the chain.

Also, if you don't recommend writing the certificates from the application is there a preferred methodology?

Thanks

RE: nrf9160: Adding intermediate certificates to the TLS engine

Cody — Wed, 18 Dec 2019 23:29:24 GMT

I will try this now.

RE: nrf9160: Adding intermediate certificates to the TLS engine

Heidi — Wed, 18 Dec 2019 15:27:23 GMT

Hi, Håkon is on vacation so I took over this case.

I don't think you need to include all the CA certificates in the chain, as long as the root-certificate is approved and all the other certificates are signed. Have you tried not including the additional intermediate certificate?

Side note: we don't recommend writing certificates from the application.

Best regards,

Heidi

RE: nrf9160: Adding intermediate certificates to the TLS engine

Cody — Mon, 16 Dec 2019 17:55:53 GMT

Putting all of the certificates into the same certificates.h is what I am currently struggling with right now, if the certificate is too big, nrf_inbuilt_key_write will return me 105 (NRF_ENOBUFS).

nrf_inbuilt_key_write appears to return an error code 105 (NRF_ENOBUFS) when the certificate #define is greater than about ~3800 characters. Unfortunately, the combined root CA certificate and the intermediate certificate is over 4100 characters.

RE: nrf9160: Adding intermediate certificates to the TLS engine

Hakon — Mon, 16 Dec 2019 14:38:34 GMT

Okay, it seems that the sec_tag list hasn't been implemented properly on our part. There is another way to do it though. You can put all of the certificates in the same certificates.h file, look at the asset_tracker project for reference. If you need more than one CA certificate you should write something like this,

#define NRF_CLOUD_CA_CERTIFICATE \
	"-----BEGIN CERTIFICATE-----\n" \
	"NRF_CLOUD_CA_CERTIFICATE\n" \
	"-----END CERTIFICATE-----\n" \
	"-----BEGIN CERTIFICATE-----\n" \
	"NRF_CLOUD_CA_CERTIFICATE\n" \
	"-----END CERTIFICATE-----\n"

RE: nrf9160: Adding intermediate certificates to the TLS engine

Cody — Wed, 11 Dec 2019 18:30:30 GMT

Hakon,

I was able to test writing public, private, and the CA certificate to one security tag, and then the intermediate CA certificate to another security tag and adding both security tags to the sec_tag_list when calling setsockopt.

This was unsuccessful.

Also, in case you were wondering, I do have HTTPS working if I use a different combination of the public, private, and CA certificate for a different URL so I know it does work, just need to get it working when there is more than one CA certificate (intermediate certificates).

RE: nrf9160: Adding intermediate certificates to the TLS engine

Hakon — Wed, 11 Dec 2019 17:04:14 GMT

[quote user="CRSharff"]I suppose I can simply add an additional security tag to the security tag list[/quote]

As far as I know this is the way to do it.

RE: nrf9160: Adding intermediate certificates to the TLS engine

Cody — Tue, 10 Dec 2019 18:57:56 GMT

Hakon,

Thanks for the response. Are you suggesting that I should be able to write additional certificates to a separate security tag (sec_tag) and then when initializing the socket make two separate calls or I suppose I can simply add an additional security tag to the security tag list:

err = setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
			 sizeof(sec_tag_t) * ARRAY_SIZE(sec_tag_list));

Let me try this and I will get back to you.

Thanks,
Cody

RE: nrf9160: Adding intermediate certificates to the TLS engine

Hakon — Tue, 10 Dec 2019 14:27:21 GMT

Hello,

if you want to write multiple certificates to the modem you can write them to different tags. Change the sec_tag argument in nrf_inbuilt_key_write() to something new. Be careful not to overwrite other certificates in the modem. You want to avoid writing to existing tags like for instance 16842753, which is being used by nrf_cloud certificates.