• State Verified Answer
  • Replies 6 replies
  • Subscribers 62 subscribers
  • Views 1788 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 252927
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How to install certificates in production?

Yusuke

I would like to flash certificates in production.

My plan is

First, flash an app for installing parameter like client id using nvs and certificates.

Then, flash a production app. This app reads the parameters and operates mqtt using the client ID and certificates

When I install aws_fota app, this warning is displayed. So it's not good idea to use provision_certificates function.

#warning Not for prodcution use. This should only be used once to provisioning the certificates please deselect the provision certificates configuration and compile again.

Also, this link recommends to use LTE Link monitor, but I guess mistakes easily occur in copying and pasting certificates.

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/aws_fota/README.html#creating-a-thing-in-aws-iot

Another option is to use AT%CMNG by at_cmd.c, but I'm not sure this can avoid the above security risk.

Which option is suitable for production? 

Thank you.

  • 0

    Hello,

     

    Which option is suitable for production? 

     I'm not entirely sure about this, so I'm going to ask internally. Some delay is to be expected because of reduced staffing.

  • 0
    When I install aws_fota app, this warning is displayed. So it's not good idea to use provision_certificates function.

     The reason why you shouldn't do this in production is because you don't want the certificates to be easily accessible to an attacker. You want to avoid storing the certificates in NVS or application flash.

     

    Which option is suitable for production? 

     You should use a provision image that stores everything you need in NVS except for the certificates, and that can receive AT commands. Then you can flash the certificates using this command.

    Did that answer your question?

  • 0 in reply to Hakon

    Thank you for your reply.

    >You should use a provision image that stores everything you need in NVS except for the certificates, and that can receive AT commands

    Unfortunately ,in my custom board, UART is not used and so I can't use at_client and serial_lte_modem apps. 

    >You want to avoid storing the certificates in NVS or application flash.

    Is it ok to install certificates by provision_certificates in a certificate-installing app, delete the app by nrfjprog -e, and install a production app. Then, the certificates info shouldn't be stored in app flash, while modem can store it. As the board doesn't have UART, this is the only way I came up with.

  • +1 in reply to Yusuke
    Yusuke said:
    Is it ok to install certificates by provision_certificates in a certificate-installing app, delete the app by nrfjprog -e, and install a production app. Then, the certificates info shouldn't be stored in app flash, while modem can store it. As the board doesn't have UART, this is the only way I came up with.

     This should be fine. As long as there are no traces of the certificates in memory that can be accessed unauthorized then there shouldn't be anything to worry about.

Related