
Using %KEYGEN to generate CSR with the ECC private key

Hello,

as discussed in the email with Joakim T., could you please provide us a sample of how to use the AT command %KEYGEN to generate a CSR using the ECC private key? If you would provide us the whole process of generating an example CA with ECC instead of RSA, that would be great.

Thanks,

Lukas

  • Hi,

     

    as discussed in the email with Joakim T., could you please provide us a sample of how to use the AT command %KEYGEN to generate a CSR using the ECC private key? If you would provide us the whole process of generating an example CA with ECC instead of RSA, that would be great.

    My apologies, this section of the AT commands is not fully documented, which I've reported internally.

      

    You can generate a key based on the %KEYGEN AT command:

    AT%KEYGEN=<sec_tag>,2,0,"L=<YourLocation>,C=<YourCommonName>,O=<YourOrg>"

     

    Output from this AT command can be converted into a more recognizable format using this Python script:

    https://github.com/nRFCloud/utils/tree/master/python/modem-firmware-1.3%2B

     

    The above script(s) also provide example usage.

     

    Kind regards,

    Håkon

  • Hi Håkon, thanks for the reply. The keygen now works fine and everything makes sense. I have one more question for you and it is about ECC client certificate sizes because we plan to use them for DTLS.

    Do you have any tips on how to make the ECC client certificate as small as possible? Here is what I did.

    1. Generate the corresponding public and private key pair using ECC secp256k1 curve (either with %KEYGEN or openssl).
    2. Create the CSR and fill only the CN to reduce the final certificate size.
    3. Generate the minimum CA cert with python create_ca_cert.py -c CZ 
    4. Create the client certificate with python create_device_credentials.py using CA Cert and CSR
    5. Convert the client certificate from PEM to DER (binary format) to reduce its final size.

    The result:

    • Client certificate in DER format - 351 bytes
    • Client certificate in PEM format - 530 bytes
    • Client public key size in PEM format - 178 bytes
    • Client private key size in PEM format - 228 bytes
    • Client CSR size - 436 bytes
    • CA certificate in PEM format - 576 bytes
    • CA certificate private key in PEM format - 241 bytes

    So the smallest certificate for DTLS we have been able to get is 351 bytes. Did we do the best, or could we do better?

    Thanks,

    Lukas
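
Added example, not part of the thread and not Nordic's or nRF Cloud's code: a standard-library Python model of where the bytes of a CN-only ECDSA certificate go, which also reproduces the DER-to-PEM size relation in the figures above. Assumptions: CN-only issuer and subject, an 8-byte serial, UTCTime validity, worst-case signature length, and placeholder key, signature and key-identifier bytes; the names `cert_fields`, `pem_len` and `SKI` are hypothetical.

```python
# DER size model for a CN-only ECDSA certificate; key/signature bytes are constructed placeholders.
def tlv(tag, body):
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def oid(dotted):
    a, b, *rest = map(int, dotted.split("."))
    out = bytearray([40 * a + b])
    for arc in rest:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def seq(*parts):
    return tlv(0x30, b"".join(parts))
def name(cn):                             # DN with a single commonName (UTF8String)
    return seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))

def cert_fields(subject_cn, issuer_cn, serial_len=8, extensions=b""):
    """Return ({TBS field: DER bytes}, DER of the whole certificate)."""
    sig_alg = seq(oid("1.2.840.10045.4.3.2"))  # ecdsa-with-SHA256
    key_alg = seq(oid("1.2.840.10045.2.1"), oid("1.3.132.0.10"))  # ecPublicKey, secp256k1
    big_int = tlv(0x02, b"\x00" + b"\xff" * 32)  # worst-case 33-byte r or s
    fields = {
        "version": tlv(0xA0, tlv(0x02, b"\x02")),  # v3
        "serial": tlv(0x02, b"\x01" * serial_len),
        "signature_alg": sig_alg,
        "issuer": name(issuer_cn),
        "validity": seq(tlv(0x17, b"250101000000Z"), tlv(0x17, b"350101000000Z")),
        "subject": name(subject_cn),
        "public_key": seq(key_alg, tlv(0x03, b"\x00\x04" + bytes(64))),
    }
    if extensions:
        fields["extensions"] = tlv(0xA3, seq(extensions))
    signature = tlv(0x03, b"\x00" + seq(big_int, big_int))
    return fields, seq(seq(*fields.values()), sig_alg, signature)

def pem_len(der_len):
    """PEM file size (64-column base64, LF line ends) for a DER certificate."""
    b64 = 4 * -(-der_len // 3)
    return b64 + -(-b64 // 64) + len("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n")

SKI = seq(oid("2.5.29.14"), tlv(0x04, tlv(0x04, bytes(20))))  # subjectKeyIdentifier, placeholder id
```

`pem_len(351)` returns 530, the DER/PEM pair reported in the post, because PEM is only base64 framing over the same DER. In this model the public key and signature account for 163 of the 277 bytes of an extension-free certificate, and passing `extensions=SKI` adds 35 more.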
