Certificate generation with %KEYGEN

Hi, 

For an MQTT application, we need to generate client certificates on the Nordic nRF9160 to simplify the production phase. Ideally we want to push a CA certificate to a security tag with the %CMNG command and call a command to generate a client certificate signed by this CA certificate.

1. I see that an AT command exists for key generation (%KEYGEN) that can create a certificate signing request (CSR). Is there, or will there be, a command to generate a client certificate from this CSR? If not, do you recommend using the command to generate the CSR and doing the signing ourselves in the code, or doing everything ourselves? We looked at the mbedTLS library for that.

2. It is recommended to have 2 CA certificates in case one is revoked. But only one CA certificate is associated with a security tag. Do you have a way to deal with lists of CA certificates? Or do we need to change the CA certificate in the corresponding tag if it is not valid anymore?
Also, it looks like there is no specific error returned for an invalid CA certificate during the MQTT connection. There is one error that could correspond to various problems. Am I right? If so, how can we know that a new CA certificate is needed?

Thank you in advance,

Elisa

  • Hello Elisa,

    I need to check some details around your questions with our modem team. I will come back to you as soon as I have an update to share.

    Regards,

    Markus

  • Hello Elisa,

    2. It is recommended to have 2 CA certificates in case one is revoked. But only one CA certificate is associated with a security tag. Do you have a way to deal with lists of CA certificates? Or do we need to change the CA certificate in the corresponding tag if it is not valid anymore?
    Also, it looks like there is no specific error returned for an invalid CA certificate during the MQTT connection. There is one error that could correspond to various problems. Am I right? If so, how can we know that a new CA certificate is needed?

    Several Root CAs can be stored to the modem file system. Security tags are used to separate the CA when opening a TLS connection. An application may open a TLS connection using the CA in any security tag.

    All internal TLS specific socket API error codes are translated to errno ECONNREFUSED. There is no errno for these cases that is specific enough to distinguish why connect() failed. The best the application could do is provide more than one security tag.

    Regards,

    1. I see that an AT command exists for key generation (%KEYGEN) that can create a certificate signing request (CSR). Is there, or will there be, a command to generate a client certificate from this CSR? If not, do you recommend using the command to generate the CSR and doing the signing ourselves in the code, or doing everything ourselves? We looked at the mbedTLS library for that.

    I will come back to you on this.

    Regards,

    Markus

  • Hello again Elisa,

    1. I see that an AT command exists for key generation (%KEYGEN) that can create a certificate signing request (CSR). Is there, or will there be, a command to generate a client certificate from this CSR? If not, do you recommend using the command to generate the CSR and doing the signing ourselves in the code, or doing everything ourselves? We looked at the mbedTLS library for that.

    We have some guidance available in the following links:

    https://docs.nrfcloud.com/Guides/GettingStarted/Devices/#securely-generating-credentials-on-the-nrf9160
    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/lwm2m_client/provisioning.html

    Another alternative would be to use openssl, as demonstrated below.

    # Generate root certificate for my devices
    
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -out ca.crt -batch
    

    Then use AT commands to generate CSR:

    AT%KEYGEN={SEC_TAG},2,0

    Then, from the output, take everything up to the first dot. Run it through a base64url decoder and save the result to csr.der.

    Then generate the client certificate:

    # Convert DER to PEM
    
    openssl req -inform der -in csr.der -out csr.pem
    
    # Generate certificate
    
    openssl x509 -req -in csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial
    

    Then the produced certificate is written back to the modem:

    AT%CMNG=0,{SEC_TAG},1,"{crt}"

    I hope I could answer your questions to your satisfaction :-)

    Regards,

    Markus
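The decoding step in the procedure above (take everything before the first dot of the %KEYGEN reply, base64url-decode it, save it as csr.der) is where copy-paste mistakes usually happen: the modem emits unpadded base64url, and pasting the wrong segment silently hands openssl garbage. The following is an added Python example, not part of Markus's reply or of any Nordic tooling, that does the decode with only the standard library, sanity-checks that the result starts with a DER SEQUENCE, and also writes the csr.pem that the `openssl req -inform der` step would otherwise produce. The %KEYGEN reply used as sample input is constructed; its first segment is a stand-in DER SEQUENCE, not a real CSR.

```python
import base64
import re
from pathlib import Path
from typing import Tuple

# Constructed sample in the shape of a %KEYGEN reply: a base64url segment, a dot,
# and a second segment. The first segment decodes to a stand-in DER SEQUENCE
# (0x30 0x03 0x02 0x01 0x05), not to a real CSR.
SAMPLE_KEYGEN_RESPONSE = '%KEYGEN: "MAMCAQU.eyJhbGciOiJFUzI1NiJ9"'


def extract_csr_der(response: str) -> bytes:
    """Return the DER-encoded CSR carried in a %KEYGEN reply.

    Everything before the first '.' is the CSR in unpadded base64url; the
    remainder of the string is not needed for signing. Accepts either the
    full '%KEYGEN: "..."' line or just the quoted payload.
    """
    m = re.search(r'%KEYGEN:\s*"([^"]*)"', response)
    payload = m.group(1) if m else response.strip()
    segment = payload.split(".", 1)[0]
    # Restore '=' padding so the stdlib decoder accepts the unpadded modem output.
    padded = segment + "=" * (-len(segment) % 4)
    der = base64.urlsafe_b64decode(padded)
    # A DER CSR always begins with a SEQUENCE tag (0x30). Anything else means the
    # wrong segment or a damaged paste, so fail here instead of inside openssl.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE; "
                         "check that the segment before the first dot was copied")
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE REQUEST") -> str:
    """Wrap DER bytes in a PEM envelope: standard base64 in 64-character lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(lines)
            + f"\n-----END {label}-----\n")


def save_csr(response: str, out_dir: str = ".") -> Tuple[Path, Path]:
    """Write csr.der and csr.pem from a %KEYGEN reply and return both paths.

    csr.pem can be passed straight to 'openssl x509 -req -in csr.pem ...'.
    """
    der = extract_csr_der(response)
    der_path = Path(out_dir) / "csr.der"
    pem_path = Path(out_dir) / "csr.pem"
    der_path.write_bytes(der)
    pem_path.write_text(der_to_pem(der))
    return der_path, pem_path


if __name__ == "__main__":
    der_file, pem_file = save_csr(SAMPLE_KEYGEN_RESPONSE)
    print(f"wrote {der_file} and {pem_file}")
```

In practice you would feed `save_csr()` the line captured from the serial terminal after `AT%KEYGEN={SEC_TAG},2,0`, then continue with the `openssl x509 -req` signing step and `AT%CMNG=0,{SEC_TAG},1,"{crt}"` exactly as described in the reply.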
