
Using %KEYGEN to generate CSR with the ECC private key

Hello,

as discussed in the email with Joakim T., could you please provide us with a sample of how to use the AT command %KEYGEN to generate a CSR using the ECC private key? If you would provide us the whole process of generating an example CA with ECC instead of RSA, that would be great.

Thanks,

Lukas

  • Hi,

    as discussed in the email with Joakim T., could you please provide us with a sample of how to use the AT command %KEYGEN to generate a CSR using the ECC private key? If you would provide us the whole process of generating an example CA with ECC instead of RSA, that would be great.

    My apologies, this section of the AT commands is not fully documented, which I've reported internally.

    You can generate a key based on the %KEYGEN AT command:

    AT%KEYGEN=<sec_tag>,2,0,"L=<YourLocation>,C=<YourCommonName>,O=<YourOrg>"

    Output from this AT command can be converted into a more recognizable format using this Python script:

    https://github.com/nRFCloud/utils/tree/master/python/modem-firmware-1.3%2B

    The above script(s) also provide example usage.

    Kind regards,

    Håkon

  • Hi Håkon, thanks for the reply. The keygen now works fine and everything makes sense. I have one more question for you and it is about ECC client certificate sizes because we plan to use them for DTLS.

    Do you have any tips on how to make the ECC client certificate as small as possible? Here is what I did.

    1. Generate the corresponding public and private key pair using ECC secp256k1 curve (either with %KEYGEN or openssl).
    2. Create the CSR and fill only the CN to reduce the final certificate size.
    3. Generate the minimum CA cert with python create_ca_cert.py -c CZ 
    4. Create the client certificate with python create_device_credentials.py using CA Cert and CSR
    5. Convert the client certificate from PEM to DER (binary format) to reduce its final size.

    The result:

    • Client certificate in DER format - 351 bytes
    • Client certificate in PEM format - 530 bytes
    • Client public key size in PEM format - 178 bytes
    • Client private key size in PEM format - 228 bytes
    • Client CSR size - 436 bytes
    • CA certificate in PEM format - 576 bytes
    • CA certificate private key in PEM format - 241 bytes

    So the smallest certificate for DTLS we have been able to get is 351 bytes. Did we do the best, or could we do better?

    Thanks,

    Lukas

  • To make it even simpler, I created an OpenSSL sequence of commands that will get to the final certificate size of ~350 bytes. You have to rename the CA certs and client certificate, of course.

    openssl ecparam -name secp256k1 -genkey -noout -out secp256k1_prv.der -outform DER
    openssl ec -in secp256k1_prv.der -inform der -pubout -out secp256k1_pub.der -outform DER  
    openssl req -key secp256k1_prv.der -keyform der -out CSR.csr -new
    python create_ca_cert.py -c CZ
    python create_device_credentials.py -ca test_ca.pem -ca_key test_prv.pem -csr CSR.csr -dv 2000
    openssl x509 -outform der -in client_crt.pem -out client_crt.der
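
Added example (not part of the thread and not code from the nRF Cloud utils): standard-library Python that splits a DER certificate into per-field byte counts and rebuilds the PEM framing, so the 351-byte DER and 530-byte PEM figures above can be related and the fixed costs (public key, signature) separated from the adjustable ones (names, serial, extensions). The sample certificate, its `dev1` CN and its dates are constructed placeholders, and a v3 certificate layout is assumed.

```python
import base64

def tlv(tag, body):  # DER-encode one element: tag, definite length, body
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def split(der):  # child TLVs of one constructed element (single-byte tags, as in X.509)
    out, i = [], 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip own header
    while i < len(der):
        n, j = der[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length octets
            n, j = int.from_bytes(der[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        out.append(der[i:j + n])
        i = j + n
    return out

FIELDS = ["version", "serial", "sig_alg", "issuer", "validity", "subject", "public_key"]
def size_budget(cert_der):
    """Bytes per part of a v3 certificate; TBS fields after the key are extensions."""
    tbs, alg, sig = split(cert_der)
    parts = split(tbs)
    budget = dict(zip(FIELDS, map(len, parts)), extensions=sum(map(len, parts[len(FIELDS):])))
    budget.update(outer_sig_alg=len(alg), signature=len(sig), total=len(cert_der))
    return budget

def to_pem(der, label="CERTIFICATE"):
    """PEM text as OpenSSL writes it: base64 in 64-character lines plus armor."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])

def rdn(oid, tag, text):  # a Name holding a single attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text))))

def sample_cert(cn=b"dev1"):
    """Constructed sample, NOT a valid certificate: zeroed key, dummy signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    curve = tlv(0x06, bytes.fromhex("2b8104000a"))                 # secp256k1
    key_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + curve)
    spki = tlv(0x30, key_alg + tlv(0x03, b"\x00\x04" + bytes(64)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01" * 8) + alg
              + rdn(b"\x55\x04\x06", 0x13, b"CZ") + tlv(0x30, tlv(0x17, b"250101000000Z") * 2)
              + rdn(b"\x55\x04\x03", 0x0C, cn) + spki)
    sig = tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, b"\x01" * 32) * 2))
    return tlv(0x30, tbs + alg + sig)

print(size_budget(sample_cert()))
```

`len(to_pem(bytes(351)))` returns 530, the PEM size reported above for the 351-byte DER certificate; passing the bytes of `client_crt.der` to `size_budget` gives the same breakdown for a real certificate.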
