Using %KEYGEN to generate CSR with the ECC private key

RE: Using %KEYGEN to generate CSR with the ECC private key

Håkon Alseth — Fri, 06 Aug 2021 08:39:33 GMT

Hi,

My apologies for the long wait.

[quote user="LaKy"]Did we do the best or we could do better?[/quote]

I am sorry, but we do not have any suggestions wrt. generating a small footprint cert, unfortunately.

Kind regards,

Håkon

RE: Using %KEYGEN to generate CSR with the ECC private key

Lukáš — Fri, 06 Aug 2021 07:43:51 GMT

Hi Håkon, any thoughts on this?

RE: Using %KEYGEN to generate CSR with the ECC private key

Lukáš — Thu, 15 Jul 2021 06:55:33 GMT

To make it even simpler I created an OpenSSL sequence of commands that will get into the final certificate size of ~350 bytes. You have to rename the CA certs and client certificate of course.

openssl ecparam -name secp256k1 -genkey -noout -out secp256k1_prv.der -outform DER
openssl ec -in secp256k1_prv.der -inform der -pubout -out secp256k1_pub.der -outform DER  
openssl req -key secp256k1_prv.der -keyform der -out CSR.csr -new
python create_ca_cert.py -c CZ
python create_device_credentials.py -ca test_ca.pem -ca_key test_prv.pem -csr CSR.csr -dv 2000
openssl x509 -outform der -in client_crt.pem -out client_crt.der

RE: Using %KEYGEN to generate CSR with the ECC private key

Lukáš — Wed, 14 Jul 2021 08:26:51 GMT

Hi Håkon, thanks for the reply. The keygen now works fine and everything makes sense. I have one more question for you and it is about ECC client certificate sizes because we plan to use them for DTLS.

Do you have any tips on how to make the ECC client certificate as small as possible? Here is what I did.

Generate the corresponding public and private key pair using ECC secp256k1 curve (either with %KEYGEN or openssl).
Create the CSR and fill only the CN to reduce the final certificate size.
Generate the minimum CA cert with python create_ca_cert.py -c CZ
Create the client certificate with python create_device_credentials.py using CA Cert and CSR
Convert the client certificate from PEM to DER (binary format) to reduce its final size.

The result:

Client certificate in DER format - 351 bytes
Client certificate in PEM format - 530 bytes
Client public key size in PEM format - 178 bytes
Client private key size in PEM format - 228 bytes
Client CSR size - 436 bytes
CA certificate in PEM format - 576 bytes
CA certificate private key in PEM format - 241 bytes

Se the smallest certificate for DTLS we have been able to get is 351 bytes. Did we do the best or we could do better?

Thanks,

Lukas

RE: Using %KEYGEN to generate CSR with the ECC private key

Håkon Alseth — Wed, 23 Jun 2021 07:09:48 GMT

Hi,

[quote user=""]as discussed in the email with Joakim T., could you please provide us a sample of how to use AT command %KEYGEN to generate CSR using the ECC private key? If you would provide us the whole process of generation example CA with ECC instead of RSA - that would be great.[/quote]

My apologies, this section of the AT commands is not fully documented, which I've reported internally.

You can generate a key based on the %KEYGEN at command:

AT%KEYGEN=<sec_tag>,2,0,"L=<YourLocation>,C=<YourCommonName>,O=<YourOrg>"

output from this AT command can be converted into a more recognizable format using this python script:

https://github.com/nRFCloud/utils/tree/master/python/modem-firmware-1.3%2B

The above script(s) also provide example usage.

Kind regards,

Håkon