So in the MQTT example, the following function is used to write the CA certificate to the modem so that a TLS connection can be set up.
/* Needs <modem/modem_key_mgmt.h>. CA_CERTIFICATE is a PEM string literal;
 * CONFIG_MQTT_TLS_SEC_TAG is the security tag (credential slot in the modem)
 * that the TLS socket will later be pointed at. */
err = modem_key_mgmt_write(CONFIG_MQTT_TLS_SEC_TAG,
                           MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
                           CA_CERTIFICATE,
                           strlen(CA_CERTIFICATE));
if (err) {
    LOG_ERR("Failed to provision CA certificate: %d", err);
    return err;
}
In our code/TLS setup we want to use client certificates as well, which is why we are using the following setup.
#if defined(CONFIG_NRF_MODEM_LIB) && defined(CONFIG_MODEM_KEY_MGMT)
/* All three credentials go under the same security tag so the TLS socket
 * can reference them with a single sec_tag. Each *_CERTIFICATE / *_KEY
 * macro is a PEM string literal compiled into the application image. */
err = modem_key_mgmt_write(CONFIG_MQTT_TLS_SEC_TAG,
                           MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
                           CA_CERTIFICATE,
                           strlen(CA_CERTIFICATE));
if (err) {
    LOG_ERR("Failed to provision CA certificate: %d", err);
    return err;
}

/* Client private key (used by the modem to sign the TLS handshake). */
err = modem_key_mgmt_write(CONFIG_MQTT_TLS_SEC_TAG,
                           MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT,
                           CLIENT_PRIVATE_KEY,
                           strlen(CLIENT_PRIVATE_KEY));
if (err) {
    LOG_ERR("Failed to register private key: %d", err);
    return err;
}

/* Client certificate presented to the broker during the handshake. */
err = modem_key_mgmt_write(CONFIG_MQTT_TLS_SEC_TAG,
                           MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT,
                           CLIENT_PUBLIC_CERTIFICATE,
                           strlen(CLIENT_PUBLIC_CERTIFICATE));
if (err) {
    LOG_ERR("Failed to register public certificate: %d", err);
    return err;
}
#endif /* CONFIG_NRF_MODEM_LIB && CONFIG_MODEM_KEY_MGMT */
The problem is that this writes the certificate to the modem on startup, making it debuggable from outside. That's why there is a very large warning in the AWS_FOTA example saying that this is not best practice. But if I turn off debugging and make memory and all that stuff non-readable, is it secure again? If not, what is the best practice to use if I don't wish to do multistage programming, in which I write the TLS first and then use the modem_key_mgmt_read function? I would love to know!
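Added example (written for this page; it is not code from the post above or from the nRF Connect SDK): what "debuggable from outside" means concretely for the setup shown. Because CA_CERTIFICATE, CLIENT_PRIVATE_KEY and CLIENT_PUBLIC_CERTIFICATE are string literals handed to modem_key_mgmt_write() at startup, they sit verbatim in the application image, so anyone holding the .bin/.hex (or a flash dump) can pull them out with `strings app.bin | grep BEGIN`. The program below does that same check in C over a constructed stand-in image (the PEM bodies are placeholders, not real keys), reporting every complete PEM block and whether any of them is private-key material.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FINDINGS 8

struct pem_finding {
    size_t offset;    /* byte offset of the "-----BEGIN" marker in the image */
    char label[32];   /* the PEM label, e.g. "CERTIFICATE" or "PRIVATE KEY" */
};

/* memmem() is not standard C, so a small binary-safe substring search. */
static const uint8_t *memfind(const uint8_t *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) {
        return NULL;
    }
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0) {
            return hay + i;
        }
    }
    return NULL;
}

/* Record every complete "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
 * block in a raw byte buffer (no NUL termination assumed). A header with no
 * matching footer is skipped. Returns the number of blocks stored in out. */
size_t find_pem_blocks(const uint8_t *img, size_t len,
                       struct pem_finding *out, size_t max)
{
    static const char begin[] = "-----BEGIN ";
    const size_t blen = sizeof(begin) - 1;
    size_t n = 0, pos = 0;

    while (n < max) {
        const uint8_t *b = memfind(img + pos, len - pos, begin, blen);
        if (b == NULL) {
            break;
        }
        size_t ls = (size_t)(b - img) + blen;                 /* label start */
        const uint8_t *dash = memfind(img + ls, len - ls, "-----", 5);
        if (dash == NULL) {
            break;
        }
        size_t llen = (size_t)(dash - (img + ls));
        if (llen == 0 || llen >= sizeof(out[0].label)) {
            pos = ls;               /* implausible label, keep scanning */
            continue;
        }
        /* Build the footer this block must end with and look for it. */
        char endmark[64];
        int m = snprintf(endmark, sizeof(endmark), "-----END %.*s-----",
                         (int)llen, (const char *)img + ls);
        size_t body = ls + llen + 5;
        const uint8_t *e = memfind(img + body, len - body, endmark, (size_t)m);
        if (e == NULL) {
            pos = ls;               /* header without footer: not a block */
            continue;
        }
        out[n].offset = (size_t)(b - img);
        memcpy(out[n].label, img + ls, llen);
        out[n].label[llen] = '\0';
        n++;
        pos = (size_t)(e - img) + (size_t)m;
    }
    return n;
}

/* 1 if any recovered PEM block is private-key material, else 0. */
int image_has_private_key(const uint8_t *img, size_t len)
{
    struct pem_finding f[MAX_FINDINGS];
    size_t n = find_pem_blocks(img, len, f, MAX_FINDINGS);
    for (size_t k = 0; k < n; k++) {
        if (strstr(f[k].label, "PRIVATE KEY") != NULL) {
            return 1;
        }
    }
    return 0;
}

/* Constructed stand-in for a firmware image (not a real dump): a few code
 * bytes, then the CA certificate and client private key laid out as the
 * CA_CERTIFICATE / CLIENT_PRIVATE_KEY string literals would be in .rodata,
 * then erased-flash padding. The PEM bodies are placeholders, not real keys. */
static const uint8_t sample_image[] =
    "\x00\x20\x00\x20\xb5\x00"
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n\0"
    "\xff\xff"
    "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n\0"
    "\xff\xff\xff";

/* Number of PEM blocks recoverable from the constructed image. */
size_t sample_pem_count(void)
{
    struct pem_finding f[MAX_FINDINGS];
    return find_pem_blocks(sample_image, sizeof(sample_image), f, MAX_FINDINGS);
}

int sample_has_private_key(void)
{
    return image_has_private_key(sample_image, sizeof(sample_image));
}
```

The scanner only counts a block when both its header and matching footer are present, so a stray "-----BEGIN" in unrelated data is not reported; on the constructed image it finds the certificate and the private key, which is exactly what the warning in the example is about.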