Cloud TLS Certificates Deleted Themselves

RE: Cloud TLS Certificates Deleted Themselves

jdorn — Mon, 14 Mar 2022 18:17:04 GMT

Yea, That makes sense. I will close this ticket. If the issue happens again I will open a new one.

Thank you for your help!

RE: Cloud TLS Certificates Deleted Themselves

Øyvind — Mon, 14 Mar 2022 07:56:40 GMT

Hello,

[quote user="jdorn"]I am using modem_key_mgmt_write and modem_key_mgmt_delete every time I run my code.[/quote]

That is most likely the reason for your issue. There is no need to do this every time you run the code, only once when the credentials need to change. Have a look at how the nRF9160: HTTPS Client handles the certification provisioning

/* Provision certificate to modem */
int cert_provision(void)
{
	int err;
	bool exists;
	int mismatch;

	/* It may be sufficient for you application to check whether the correct
	 * certificate is provisioned with a given tag directly using modem_key_mgmt_cmp().
	 * Here, for the sake of the completeness, we check that a certificate exists
	 * before comparing it with what we expect it to be.
	 */
	err = modem_key_mgmt_exists(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, &exists);
	if (err) {
		printk("Failed to check for certificates err %d\n", err);
		return err;
	}

	if (exists) {
		mismatch = modem_key_mgmt_cmp(TLS_SEC_TAG,
					      MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
					      cert, strlen(cert));
		if (!mismatch) {
			printk("Certificate match\n");
			return 0;
		}

		printk("Certificate mismatch\n");
		err = modem_key_mgmt_delete(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN);
		if (err) {
			printk("Failed to delete existing certificate, err %d\n", err);
		}
	}

	printk("Provisioning certificate\n");

	/*  Provision certificate to the modem */
	err = modem_key_mgmt_write(TLS_SEC_TAG,
				   MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,
				   cert, sizeof(cert) - 1);
	if (err) {
		printk("Failed to provision certificate, err %d\n", err);
		return err;
	}

	return 0;
}

This function checks if certificates are available in given security tag, compares it, and deletes and write new if needed.

Kind regards,
Øyvind

RE: Cloud TLS Certificates Deleted Themselves

jdorn — Fri, 11 Mar 2022 14:36:06 GMT

This is a custom project.

I have not actually seen this error occur, only the results of this error. And I am not able to reproduce it. it happens randomly, months apart. It has happened on different prototypes.

Is it possible that there is a limit to the number of times the certificate section can be written to before the storage location cleans itself? I am using modem_key_mgmt_write and modem_key_mgmt_delete every time I run my code.

or is there potentially some kind of hardware security feature that could be triggered by ESD?

RE: Cloud TLS Certificates Deleted Themselves

Øyvind — Fri, 11 Mar 2022 12:34:06 GMT

Hello,

I've never heard of an issue like your describe. Can you please provide log output when this occurs? Also, please enable debug logs to provide more information of what is going on in the background. Is this your own custom project?

We might also need a modem trace of this issue.

From the modem firmware compatibility matrix, the modem fw 1.3.1 is not compatible with nRF Connect SDK v1.6.1. But I think it should either way.

Kind regards,
Øyvind