How to use multiple CA (Certificate Authorities) on one device

Hello everyone!

I am using my nrf9160dk to develop a system that connects to Azure IoT Hub. My firmware code is based on the provided azure_iot_hub sample. According to the azure_iot_hub sample tutorial, my NRF9160 uses the BaltimoreCyberTrustRoot Certificate Authority (CA) for the secure connection to MS Azure IoT Hub.

According to Microsoft's official post, this summer (2022) Azure is going to migrate from using Baltimore CyberTrust Root issued certificates to DigiCert Global G2 issued certificates. Quote: "After the migration is complete, devices that don't have DigiCert Global G2 won't be able to connect to Azure IoT anymore. You must make certain your IoT devices include the DigiCert Global G2 root cert by June 1, 2022 to ensure your devices can connect after this change."

My idea was to upload 2 certificates - the old Baltimore one and the new DigiCert one - so that the two certs overlap in time. The issue I have come across is that I am not able to upload both certificates to my nrf9160 using nRF Connect LTE Link Monitor. I am able to upload the Baltimore certificate and the board successfully connects to Azure. However, if I then upload the new DigiCert certificate, the board loses its ability to connect to Azure (it looks like the CA cert gets overwritten instead of an additional CA being added).

Does anyone have an idea of how I can keep both the old and the new certificate on my board?

Max

  • Hello Max, 

    Yes, you should be able to upload 2 certificates; just make sure to use another security tag. In your Azure IoT Hub's prj.conf it is configured to sec tag 10:

    # Change the security tag to the tag where Azure IoT Hub certificates
    # are provisioned
    CONFIG_AZURE_IOT_HUB_SEC_TAG=10

    You will need to provision new certificates to another sec tag and build your project with this tag.

    You can read more about this in the Modem Key Management documentation.

    Kind regards,
    Øyvind
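An added example (not from this thread and not Nordic's own code) that applies the advice above from the host side: it builds the AT%CMNG write commands that put the existing root CA in the sample's sec tag 10 and the new root CA in a second tag, then parses the AT%CMNG=1 listing to confirm that both tags hold a distinct root CA, which is exactly the check that would have revealed the overwrite described in the question. The AT%CMNG syntax and the offline requirement (AT+CFUN=4 before writes) are from the nRF91 AT command reference; the exact PEM quoting and the listing lines are assumptions, and the sample listing is constructed.

```python
import re

# %CMNG credential types from the nRF91 AT command reference
ROOT_CA, CLIENT_CERT, PRIVATE_KEY = 0, 1, 2

# Assumed shape of one AT%CMNG=1 listing line: %CMNG: <sec_tag>,<type>,"<sha>"
_CMNG_LINE = re.compile(r'^%CMNG:\s*(\d+),(\d+),"([0-9A-Fa-f]+)"')


def cmng_write(sec_tag: int, cred_type: int, pem: str) -> str:
    """Build one AT%CMNG write command (PEM quoting is an assumption)."""
    pem = pem.strip()
    if not (pem.startswith("-----BEGIN") and pem.endswith("-----")):
        raise ValueError("credential must be a PEM block")
    return f'AT%CMNG=0,{sec_tag},{cred_type},"{pem}"'


def provision_overlap(old_tag: int, new_tag: int, old_ca: str, new_ca: str) -> list:
    """Keep the current root in old_tag and add the new root under new_tag.
    Writing the new root into the same tag would replace the old one."""
    if old_tag == new_tag:
        raise ValueError("a second root CA needs its own sec tag")
    return [
        "AT+CFUN=4",                           # modem must be offline for writes
        cmng_write(old_tag, ROOT_CA, old_ca),
        cmng_write(new_tag, ROOT_CA, new_ca),
        "AT%CMNG=1",                           # list credentials to verify
    ]


def parse_cmng_list(output: str) -> dict:
    """Parse AT%CMNG=1 output into {(sec_tag, type): fingerprint}."""
    found = {}
    for line in output.splitlines():
        m = _CMNG_LINE.match(line.strip())
        if m:
            found[(int(m.group(1)), int(m.group(2)))] = m.group(3).upper()
    return found


def check_overlap(listing: dict, tags: tuple) -> bool:
    """True only if every tag holds a root CA and those roots differ."""
    prints = [listing.get((t, ROOT_CA)) for t in tags]
    return all(prints) and len(set(prints)) == len(prints)


# Constructed sample listing (not real modem output): tag 10 holds a full
# client identity plus root CA, tag 11 holds only the second root CA.
SAMPLE_LISTING = (
    '%CMNG: 10,0,"' + "AB" * 32 + '"\n'
    '%CMNG: 10,1,"' + "CD" * 32 + '"\n'
    '%CMNG: 10,2,"' + "EF" * 32 + '"\n'
    '%CMNG: 11,0,"' + "12" * 32 + '"\n'
    "OK\n"
)
```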

  • Hi Øyvind,

    Each sectag holds a key, cert, and a CA. For the MS Azure case, they are recommending two CA roots, one as a backup. I realize the sectag tells the connection about the key/cert to offer to the server to authenticate, but the CA is validated in the other direction. Does sectag matter for the CA? For example, if we have the following,

    sectag=10

    key, cert, CA1

    sectag=11

    CA2

    Can we make our connection on sectag=10 always and the offered cert from the server will be checked with CA1 and CA2 for a match, or are we required to set sectag=11 to have that checked, as follows.

    sectag=10

    key, cert, CA1

    sectag=11

    key, cert, CA1

    then, connect with sectag=10 and if it fails, try sectag=11? It would be nice to have the CAs checked regardless of sectag setting on the socket connect.

    Thanks,

    Steve
