For purposes of provisioning a device, it would be handy to be able to read out the Subject common name from the device certificate. You can't read the device cert from the application processor. Is there a way to cause the modem to parse the cert and return the Subject CN?
If there isn't, it sure would be useful; could something like this get added to the SDK at some point?
Failing that, what's the best way to store extra configuration information like this to the device at manufacture time? It would be handy to be able to have an extra slot available to the CMNG command just for storing manufacturing config info.
You can't read the device cert from the application processor.
This is incorrect. Using the AT command interface in NCS, you can use the %CMNG command to read out the certificates and then parse them in your application. Make sure to change the AT_CMD_RESPONSE_MAX_LEN config to at least 3k (it defaults to 2.7 kB).
Heidi, I tried it, it didn't work. You can read the CA cert, but not the device cert. Perhaps this isn't the intended behavior, but it's what happens. The response length is set to 4k, just to make sure. I know which cert I put in, and it should easily fit in 4k.
If you read the CA cert with, for example, AT%CMNG=2, 12345678, 0 you get the expected result. Trying the same on the device cert by issuing AT%CMNG=2, 12345678, 1 results in this response:
<err> at_host: Error while processing AT command: -8
Hi, you are correct, sorry about the misinformation. You cannot use %CMNG to read out certificate types 1, 2, and 3 (client certificate, client private key and pre-shared key). This is for security reasons.
could something like this get added to the SDK at some point?
It could, but it is very unlikely as this was done intentionally.
Perhaps an application that stores the information to flash when the certificates are being written to the modem is the best way to do this.
Can I ask why you need this feature?
Actually it turns out I don't need this. I wound up using the PSK identity slot to store my device name, and that works great.
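An added example (not code from this thread or from Nordic's SDK) of the approach in the last post: a host-side Python helper that builds the %CMNG commands to store a device name in the PSK identity slot and read it back, and refuses to build a read for the types the modem will not return. Write opcode 0, credential type 4 for PSK identity, and the response layout are assumptions taken from Nordic's AT command reference; the function names and sample values are hypothetical.

```python
import re

# Credential types: 0-3 are as stated in the thread; 4 = PSK identity is assumed.
ROOT_CA, CLIENT_CERT, CLIENT_KEY, PSK, PSK_IDENTITY = range(5)
UNREADABLE = {CLIENT_CERT, CLIENT_KEY, PSK}   # modem rejects read for these

WRITE, READ = 0, 2   # read = 2 is from the thread; write = 0 is assumed

# Assumed response layout: %CMNG: <sec_tag>,<type>,"<sha>","<content>"
_RESP = re.compile(r'%CMNG:\s*(\d+),\s*(\d+),\s*"([0-9A-Fa-f]*)",\s*"(.*)"', re.S)


def store_device_name_cmd(sec_tag, name):
    """Build the write command that puts a device name in the PSK identity slot."""
    # The name is readable by anyone with AT access, so it must not be a secret.
    if not name or any(c == '"' or ord(c) < 0x20 for c in name):
        raise ValueError("device name must be non-empty, without quotes or control chars")
    return f'AT%CMNG={WRITE},{sec_tag},{PSK_IDENTITY},"{name}"'


def read_cmd(sec_tag, cred_type):
    """Build a read command, failing early for types the modem will not return."""
    if cred_type in UNREADABLE:
        raise PermissionError(f"credential type {cred_type} cannot be read back")
    return f"AT%CMNG={READ},{sec_tag},{cred_type}"


def parse_read_response(resp):
    """Split a %CMNG read response into its fields."""
    m = _RESP.search(resp)
    if m is None:
        raise ValueError("no %CMNG read response found")
    return {"sec_tag": int(m[1]), "type": int(m[2]), "sha": m[3], "content": m[4]}


if __name__ == "__main__":
    # Constructed sample response, not captured from a real modem.
    sample = '%CMNG: 12345678,4,"' + "AB" * 32 + '","dev-0001"\r\nOK\r\n'
    print(store_device_name_cmd(12345678, "dev-0001"))
    print(read_cmd(12345678, PSK_IDENTITY))
    print(parse_read_response(sample)["content"])
```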