
Cloud TLS Certificates Deleted Themselves

Hello,

I have a custom board using an nRF9160 chip. It connects to the Nordic Cloud. Modem firmware 1.3.1. SDK 1.6.1.

I have seen an issue 3 times now over ~6 months of development. My device will automatically delete the SSL/TLS certificates used to provision the device to the Nordic Cloud.

When I attempt to connect to the cloud, I will get the CLOUD_EVT_CONNECTING event twice, and then my system will hang.

I have two questions that I would like to solve: 1) how is this erasing happening, and 2) how can I stop it in the future.

  • Hello, 

    I've never heard of an issue like the one you describe. Can you please provide log output when this occurs? Also, please enable debug logs to provide more information on what is going on in the background. Is this your own custom project?

    We might also need a modem trace of this issue. 

    From the modem firmware compatibility matrix, modem fw 1.3.1 is not compatible with nRF Connect SDK v1.6.1. But I think it should work either way.

    Kind regards,
    Øyvind

  • This is a custom project.

    I have not actually seen this error occur, only the results of this error. And I am not able to reproduce it. It happens randomly, months apart. It has happened on different prototypes.

    Is it possible that there is a limit to the number of times the certificate section can be written to before the storage location cleans itself? I am using modem_key_mgmt_write and modem_key_mgmt_delete every time I run my code.

    Or is there potentially some kind of hardware security feature that could be triggered by ESD?

  • Hello,

    jdorn said:
    I am using modem_key_mgmt_write and modem_key_mgmt_delete every time I run my code.

    That is most likely the reason for your issue. There is no need to do this every time you run the code, only once when the credentials need to change. Have a look at how the nRF9160: HTTPS Client sample handles the certificate provisioning.

    #include <string.h>
    #include <zephyr.h>
    #include <modem/modem_key_mgmt.h>

    /* TLS_SEC_TAG and the PEM string `cert` come from the sample's main.c and
     * cert.h; both are assumed to be defined before this function. */

    /* Provision certificate to modem */
    int cert_provision(void)
    {
    	int err;
    	bool exists;
    	int mismatch;
    
    	/* It may be sufficient for your application to check whether the correct
    	 * certificate is provisioned with a given tag directly using modem_key_mgmt_cmp().
    	 * Here, for the sake of completeness, we check that a certificate exists
    	 * before comparing it with what we expect it to be.
    	 */
    	err = modem_key_mgmt_exists(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, &exists);
    	if (err) {
    		printk("Failed to check for certificates err %d\n", err);
    		return err;
    	}
    
    	if (exists) {
    		/* Already provisioned: compare against the expected certificate. */
    		mismatch = modem_key_mgmt_cmp(TLS_SEC_TAG,
    					      MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
    					      cert, strlen(cert));
    		if (!mismatch) {
    			printk("Certificate match\n");
    			return 0; /* nothing to write: the modem already holds the right cert */
    		}
    
    		printk("Certificate mismatch\n");
    		err = modem_key_mgmt_delete(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN);
    		if (err) {
    			printk("Failed to delete existing certificate, err %d\n", err);
    		}
    	}
    
    	printk("Provisioning certificate\n");
    
    	/* Provision certificate to the modem (only reached when absent or stale) */
    	err = modem_key_mgmt_write(TLS_SEC_TAG,
    				   MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
    				   cert, sizeof(cert) - 1);
    	if (err) {
    		printk("Failed to provision certificate, err %d\n", err);
    		return err;
    	}
    
    	return 0;
    }

    This function checks if a certificate is available in the given security tag, compares it, and deletes and writes a new one only if needed.

    Kind regards,
    Øyvind
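    As an added illustration (not the sample's or Nordic's code) of the provision-once pattern recommended above, extended to the three credentials nRF Cloud keeps under one security tag: the in-memory store, the enum, the helper names and the PEM strings are constructed stand-ins for the modem and the modem_key_mgmt API, so the block runs on a host and counts how many flash cycles each boot costs.

```c
#include <stdio.h>
#include <string.h>

/* Credential slots nRF Cloud needs under one security tag. */
enum cred { CRED_CA_CHAIN, CRED_CLIENT_CERT, CRED_PRIVATE_KEY, CRED_COUNT };

/* Constructed stand-in for the modem credential store (the real one is reached via
 * modem_key_mgmt_*). Empty string = slot not provisioned; each delete/write = 1 flash cycle. */
static char store[CRED_COUNT][128];
static int flash_cycles;
static int cred_exists(enum cred c) { return store[c][0] != '\0'; }
/* Like modem_key_mgmt_cmp(): 0 on match, non-zero on mismatch. */
static int cred_cmp(enum cred c, const char *pem) { return strcmp(store[c], pem) != 0; }
static void cred_delete(enum cred c) { store[c][0] = '\0'; flash_cycles++; }
static void cred_write(enum cred c, const char *pem) { snprintf(store[c], sizeof(store[c]), "%s", pem); flash_cycles++; }
int flash_cycle_count(void) { return flash_cycles; }

/* Same check/compare/replace pattern as the sample, for one slot.
 * Returns 1 if the slot was (re)written, 0 if it was already correct. */
int provision_if_changed(enum cred c, const char *want)
{
	if (cred_exists(c)) {
		if (cred_cmp(c, want) == 0) return 0; /* already correct: flash untouched */
		cred_delete(c);                      /* stale credential: replace it */
	}
	cred_write(c, want);
	return 1;
}

/* Provision all three slots; returns how many were actually rewritten. */
int provision_all(const char *ca, const char *cert, const char *key)
{
	return provision_if_changed(CRED_CA_CHAIN, ca) +
	       provision_if_changed(CRED_CLIENT_CERT, cert) +
	       provision_if_changed(CRED_PRIVATE_KEY, key);
}

/* Constructed placeholder PEM strings, not real credentials. */
static const char CA_PEM[] = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED CA\n-----END CERTIFICATE-----";
static const char CERT_PEM[] = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED CLIENT\n-----END CERTIFICATE-----";
static const char KEY_PEM[] = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED KEY\n-----END PRIVATE KEY-----";
int main(void)
{
	for (int boot = 1; boot <= 3; boot++) { /* only boot 1 should cost flash cycles */
		int n = provision_all(CA_PEM, CERT_PEM, KEY_PEM);
		printf("boot %d: %d slots written, %d flash cycles total\n", boot, n, flash_cycle_count());
	}
	return 0;
}
```

    Repeated boots with unchanged credentials perform zero writes; only a rotated credential costs a delete plus a write on its own slot.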

  • Yeah, that makes sense. I will close this ticket. If the issue happens again I will open a new one.

    Thank you for your help!
