Provide client certificate for mutual authentification with lwm2m server

I'm trying to make a server/client communication with a lwm2m server and DTLS authentification.

In the first place, I used Pre Shared Key that i provided with the modem key management library which work very well.

But now i want to use DTLS with certificate. However, as you can see, there is no credential type corresponding to client certificate.

I'd like to know how i can provide a client certificate for a mutual authentification (hard coded)

Parents
  • Hello, 

    A certificate is just a public key, and thus by definition public. A client certificate is no different - just a public key by a person, machine or other "client", that is signed by some authority.

    What certificates does your server provide?

    Please see the following limitations of TLS in our modem (v1.3.1)

    *** Limitations
    ***************
    - TLS/DTLS
        - Up to three simultaneous TLS/DTLS connections are possible.
        - Maximum server certificate chain size has a limit of 4kB.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Absolute maximum number of supported credentials is 32. The actual amount depends on size of
          credentials as memory area reserved for credentials may be a limiting factor as well.
        - DTLS supports PSK authentication only.
        - 2kB secure socket buffer size.
    - Maximum number of raw sockets is 4.
    - It is recommended to free the modem resources by closing unused network sockets.
    - User plane data is supported in Cat M1 mode only.
    - TLS is not supported when socket is configured to TCP server mode.
    - Support for Non-IP Data Delivery (NIDD). Feature is verified only for NB-IoT and LTE-M is not
      supported.
    - The amount of ownership keys is restricted to one. Multiple instances are not allowed. Starting
      from mfw_nrf9160_1.3.1, it is not allowed to write ownership key with AT%CMNG AT command. As this
      change introduces incompatibility between older modem firmware versions, it is recommended to pay
      special attention to this change.
    - Downgrading to older modem firmware
        - Keys and certificates written with credential storage management AT commands might get erased
          if older than mfw_nrf9160_1.3.0 modem firmware version is downgraded to a device. If
          downgrading, it is compulsory to check existence of keys and possibly re-write erased keys and
          certificates.
        - AT command configurations written and stored to a non-volatile memory will get erased from the
          memory if old modem firmware is downgraded to a device and that old version does not support
          the AT commands.

     Kind regards,
    Øyvind

  • My server (a leshan server) provide a x509 encoded certificate that the client need to trust in order to accept DTLS connection with this server.

    Also, the server need the client to provide a certificate whose CN = Endpoint.

    But, as i can see "DTLS supports PSK authentication only." 

Reply Children
No Data
Related