Provide client certificate for mutual authentication with lwm2m server

I'm trying to make a server/client communication with a lwm2m server and DTLS authentication.

In the first place, I used a Pre-Shared Key that I provided with the modem key management library, which works very well.

But now I want to use DTLS with a certificate. However, as you can see, there is no credential type corresponding to a client certificate.

I'd like to know how I can provide a client certificate for mutual authentication (hard coded).

  • Hello,

    A certificate is just a public key, and thus by definition public. A client certificate is no different - just a public key by a person, machine or other "client", that is signed by some authority.

    What certificates does your server provide?

    Please see the following limitations of TLS in our modem (v1.3.1):

    *** Limitations
    ***************
    - TLS/DTLS
        - Up to three simultaneous TLS/DTLS connections are possible.
        - Maximum server certificate chain size has a limit of 4kB.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Absolute maximum number of supported credentials is 32. The actual amount depends on size of
          credentials as memory area reserved for credentials may be a limiting factor as well.
        - DTLS supports PSK authentication only.
        - 2kB secure socket buffer size.
    - Maximum number of raw sockets is 4.
    - It is recommended to free the modem resources by closing unused network sockets.
    - User plane data is supported in Cat M1 mode only.
    - TLS is not supported when socket is configured to TCP server mode.
    - Support for Non-IP Data Delivery (NIDD). Feature is verified only for NB-IoT and LTE-M is not
      supported.
    - The amount of ownership keys is restricted to one. Multiple instances are not allowed. Starting
      from mfw_nrf9160_1.3.1, it is not allowed to write ownership key with AT%CMNG AT command. As this
      change introduces incompatibility between older modem firmware versions, it is recommended to pay
      special attention to this change.
    - Downgrading to older modem firmware
        - Keys and certificates written with credential storage management AT commands might get erased
          if older than mfw_nrf9160_1.3.0 modem firmware version is downgraded to a device. If
          downgrading, it is compulsory to check existence of keys and possibly re-write erased keys and
          certificates.
        - AT command configurations written and stored to a non-volatile memory will get erased from the
          memory if old modem firmware is downgraded to a device and that old version does not support
          the AT commands.

    Kind regards,
    Øyvind

  • My server (a leshan server) provides an X.509 encoded certificate that the client needs to trust in order to accept a DTLS connection with this server.

    Also, the server needs the client to provide a certificate whose CN = Endpoint.

    But, as I can see, "DTLS supports PSK authentication only."
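A pre-flight check, written for this thread and not part of the modem firmware or the nRF SDK, that screens PEM material against the limitations quoted above before anything is written to the modem: a server chain over the 4kB limit, a PKCS#8-encoded client key, and certificate credentials destined for a DTLS session, which the firmware notes say is PSK-only. The sample PEM strings are constructed placeholders, not real certificates or keys.

```python
import re

# Limit quoted from the mfw_nrf9160 v1.3.1 release notes in the reply above
MAX_SERVER_CHAIN_BYTES = 4 * 1024  # "Maximum server certificate chain size has a limit of 4kB"

# Matches one PEM object and captures its label, e.g. "CERTIFICATE" or "PRIVATE KEY"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*.*?\s*-----END \1-----", re.S)


def pem_blocks(pem: str) -> list[tuple[str, str]]:
    """Return (label, block_text) for every PEM object found in the text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(pem)]


def check_credentials(server_chain_pem: str, client_key_pem: str = "", dtls: bool = False) -> list[str]:
    """Check credentials against the quoted modem limits. Returns a list of problems (empty means OK)."""
    problems = []
    certs = [block for label, block in pem_blocks(server_chain_pem) if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found in the server chain")
    chain_bytes = sum(len(block) for block in certs)  # PEM is ASCII, so len() is the byte count
    if chain_bytes > MAX_SERVER_CHAIN_BYTES:
        problems.append(f"server chain is {chain_bytes} bytes, above the 4kB modem limit; shorten the chain")
    if client_key_pem:
        labels = {label for label, _ in pem_blocks(client_key_pem)}
        if labels & {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}:
            # "pkcs#8 is not supported": the modem expects the traditional RSA/EC key encodings
            problems.append("client key is PKCS#8 ('BEGIN PRIVATE KEY'); re-encode as 'RSA PRIVATE KEY' or 'EC PRIVATE KEY'")
        if dtls:
            # "DTLS supports PSK authentication only": a client certificate cannot authenticate a DTLS session
            problems.append("DTLS supports PSK authentication only on this firmware; a client certificate/key will not be used")
    return problems


# Constructed sample input (placeholder bodies, not real credentials)
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIGH...constructed...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for problem in check_credentials(SAMPLE_CHAIN, SAMPLE_PKCS8_KEY, dtls=True):
        print("WARNING:", problem)
```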
