
How to Store TLS Certificates on the nRF5340?

What is the best method to store TLS certificates on the nRF5340? I have seen 2 options, but I'm not sure what is best practice and what works.

If I store the certificate on the SD card we can update the certificate without reflashing the board. Is this frowned upon even for development hardware?

  1. SD Card - store .der cert file on the SD card
    • Read the text from the .der cert file.
  2. Compile into the hex like the http_client sample does.
    • Hi

      I will look into this, and return with an answer by end of Tuesday.

      Regards,
      Sigurd Hellesvik

    • Hi

      For deployment, I would not recommend saving the keys to an SD card.
      This is due to two things:
      It is likely easier for someone to just unplug the SD card and walk away with it.
      It is a lot easier to read data from an SD card than from the nRF5340.

      For development, no attacker should have access to your device, and where you store your keys should not be too important.
      However, since you develop for testing your product, an argument can be made that it is good to test for the case you will do in deployment as well.

      All this being said: To store the certificate safely, you should consider saving it to a secure storage instead of having it on an SD card or compiled into the hex file.
      This will be safer, as read access will be more restricted. See the Persistent key storage sample for an example.
      How securely you need to store your certificates is of course dependent on your use case in the end.

      Did this answer your question?

      Regards,
      Sigurd Hellesvik
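
For option 1 in the question (a .der file read from removable media), a sanity check worth running before the bytes reach the TLS stack, given here as an added example that is not part of the original thread or of any Nordic sample: it accepts the buffer only if it is a single DER SEQUENCE whose encoded length matches the number of bytes read. The function name, result codes and sample bytes are assumptions constructed for illustration, and the check does not establish that the certificate is the one you intended to trust.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (hypothetical names for this example, not an nRF Connect SDK API). */
enum der_check { DER_OK, DER_TOO_SHORT, DER_NOT_SEQUENCE, DER_BAD_LENGTH, DER_SIZE_MISMATCH };

/* Accept buf only if it is exactly one DER SEQUENCE (the outer wrapper of an
 * X.509 certificate) whose encoded length accounts for every byte read. */
enum der_check der_envelope_check(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)
        return DER_TOO_SHORT;
    if (buf[0] != 0x30)                      /* 0x30 = constructed SEQUENCE */
        return DER_NOT_SEQUENCE;             /* e.g. PEM text starts with '-' */

    size_t hdr = 2, content = buf[1];
    if (buf[1] & 0x80) {                     /* long-form length */
        size_t n = buf[1] & 0x7F;            /* count of length octets */
        if (n == 0 || n > 4)                 /* indefinite form or implausibly large */
            return DER_BAD_LENGTH;
        if (len < 2 + n)
            return DER_TOO_SHORT;
        content = 0;
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        if (buf[2] == 0 || content < 128)    /* DER demands the minimal encoding */
            return DER_BAD_LENGTH;
        hdr = 2 + n;
    }
    /* Truncated reads and trailing bytes both show up here. */
    return (content == len - hdr) ? DER_OK : DER_SIZE_MISMATCH;
}

int main(void)
{
    /* Constructed sample inputs, not real certificates. */
    const uint8_t tiny[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    const uint8_t cut[]  = { 0x30, 0x82, 0x01, 0x00, 0x02, 0x01 };
    const uint8_t pem[]  = "-----BEGIN CERTIFICATE-----";

    printf("tiny=%d cut=%d pem=%d\n",
           der_envelope_check(tiny, sizeof tiny),
           der_envelope_check(cut, sizeof cut),
           der_envelope_check(pem, sizeof pem - 1));
    return 0;
}
```

A .der file is binary, so it has to be read as bytes with an explicit length rather than as a NUL-terminated string.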
