Hi Árpád,
I would assume that you could do this using the X.509 module in mbed TLS. It has support for building X509 certificates. I have not tested this myself though, and cannot provide any more details.
Einar
Hi Einar,
thank you for your reply. Unfortunately
CONFIG_MBEDTLS_X509_LIBRARY=y
depends on
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
get_target_property() called with non-existent target "platform_cc310".
I build for nrf9160dk_nrf9160ns.
How can I set up prj.conf to get the mbedTLS X509 module?
Why does mbedTLS depend on CONFIG_NORDIC_SECURITY_BACKEND?
mbedTLS is a standalone lib, why is there this dependency?
Here are my mbed config settings:
# Generate keys
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ENTROPY_ENABLED=y
# Create certificate
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
CONFIG_NORDIC_SECURITY_BACKEND=y
# Why this depends on CONFIG_NORDIC_SECURITY_BACKEND??
CONFIG_MBEDTLS_X509_LIBRARY=y
Best regards,
Árpád
Hi Árpád,
This is not straightforward.
PopradiArpad said:
Why does mbedTLS depend on CONFIG_NORDIC_SECURITY_BACKEND?
mbedTLS is a standalone lib, why is there this dependency?
You need an entropy source in order to generate random numbers, and the only entropy source available to the application on the nRF9160 is the TRNG within the CC310 peripheral. The API for the CC310 in the nRF Connect SDK is mbed TLS, via the nordic security backend. This is still ongoing work, though. We do not have a proper solution ready at the moment.
It might be better to find some other way to generate the X509 certificate in pure SW, but in that case, it would only be for experimentation, as you will not have a usable secure solution without a proper entropy source.
Einar
Hi Einar,
thank you for your fast answer. I understand ongoing work :)
Approximately when do you have a proper solution?
Best regards,
Árpád
Hi Árpád,
I cannot comment on when new features will be available, unfortunately. However, I see I was a bit too pessimistic in my previous reply. You can in fact make your own solution, and use the RNG support in the CC310 via the Secure Partition Manager, which has the spm_request_random_number() function. See Secure services. This just gives you entropy, and then you can use a pure SW library of your preference for the rest.
Einar
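The approach in the last reply, sketched as an added example (not code from the thread or from Nordic): a callback with the shape of an mbed TLS entropy source that pulls bytes from spm_request_random_number() and fails closed if the secure service reports an error or a short read. Assumptions: the prototype `int spm_request_random_number(uint8_t *output, size_t len, size_t *olen)` and the fixed 144-byte request size should be checked against secure_services.h in your SDK version; `USE_NRF_SPM`, `spm_entropy_poll` and the host stand-in are hypothetical names introduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SPM_RNG_BLOCK 144          /* assumed fixed request size of the SPM service */

#ifdef USE_NRF_SPM                 /* hypothetical switch for the on-target build */
#include <secure_services.h>       /* declares spm_request_random_number() */
#else
/* Host stand-in, constructed for off-target testing only. NOT random. */
static int stub_rc;                          /* error code to simulate, 0 = success */
static size_t stub_olen = SPM_RNG_BLOCK;     /* bytes the stand-in claims to return */
static int spm_request_random_number(uint8_t *output, size_t len, size_t *olen)
{
    if (stub_rc != 0 || len != SPM_RNG_BLOCK) return stub_rc ? stub_rc : -1;
    for (size_t i = 0; i < stub_olen; i++) output[i] = (uint8_t)(i * 7u + 1u);
    *olen = stub_olen;
    return 0;
}
#endif

/* Zero a buffer through a volatile pointer so the compiler keeps the stores. */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Same parameter list as an mbed TLS entropy source callback. */
int spm_entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen)
{
    uint8_t block[SPM_RNG_BLOCK];
    size_t got = 0;
    (void)data;
    *olen = 0;                               /* nothing delivered until proven otherwise */
    int rc = spm_request_random_number(block, sizeof(block), &got);
    if (rc != 0 || got != sizeof(block)) {   /* fail closed: never hand out a partial block */
        wipe(block, sizeof(block));
        return -1;
    }
    if (len > sizeof(block)) len = sizeof(block);
    memcpy(output, block, len);
    wipe(block, sizeof(block));              /* do not leave RNG output on the stack */
    *olen = len;
    return 0;
}
/* On target, register with: mbedtls_entropy_add_source(&entropy, spm_entropy_poll,
 *     NULL, 32, MBEDTLS_ENTROPY_SOURCE_STRONG); then seed a DRBG from that context. */
```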