https://devzone.nordicsemi.com/f/nordic-q-a/87774/certificate-generation-with-keygenHi, For an MQTT application, we need to generate client certificates in the Nordic (nRF9160) to simplify the production phase. Ideally we want to push a CA certificate with the command %CMNG to a security tag and call a command to generate a clienten-USTelligent Community 13Fri, 13 May 2022 08:56:40 GMThttps://devzone.nordicsemi.com/thread/367768?ContentTypeID=1Fri, 13 May 2022 08:56:40 GMT137ad170-7792-4731-bb38-c0d22fbe4515:5770617f-c603-4460-aa3a-a4916d081a4dAlbrecht Markus Schellenberger<p style="line-height:100%;margin-bottom:0;" lang="en-GB">Hello again Elisa,<br /><br /></p> [quote user=""]1. I see that an AT command exists for key generation (%KEYGEN) that can create a certificate signing request (CSR). Are there&nbsp;or will be a command to generate a client certificate from this CSR?&nbsp; If not, do you recommend to use the command to generate the CSR and do the signing ourselves in the code or to do everything ourselves ? We looked at the library MBEDTLS for that.&nbsp;[/quote] <p style="line-height:100%;margin-bottom:0;" lang="en-GB">We have some guidance available in the following links:<br /><br /><a href="https://docs.nrfcloud.com/Guides/GettingStarted/Devices/#securely-generating-credentials-on-the-nrf9160" rel="noopener noreferrer" target="_blank">https://docs.nrfcloud.com/Guides/GettingStarted/Devices/#securely-generating-credentials-on-the-nrf9160</a><br /> <a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/lwm2m_client/provisioning.html" rel="noopener noreferrer" target="_blank">https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/lwm2m_client/provisioning.html<br /><br /></a>Another alternative would be to use <a href="https://www.openssl.org/">openssl</a>, as demonstrated below.<br /><br /><pre class="ui-code" data-mode="text"># Generate root certificate for my devices openssl genrsa -out ca.key 2048 &#39;openssl req -new -x509 -key ca.key -out ca.crt -batch </pre></p> <p>Then use AT commands to generate CSR:<br /><pre class="ui-code" data-mode="text">AT%KEYGEN={SEC_TAG},2,0</pre></p> <p>Then from the output, take all until the first dot. Run it through BASE64URL decoder and save it to <b>csr.der.</b></p> <p>Then generate the client certificate:<br /><pre class="ui-code" data-mode="text"># Covert DER to PEM openssl req -inform der -in csr.der -out csr.pem # Generate certificate openssl x509 -req -in csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial </pre></p> <p style="line-height:100%;margin-bottom:0;" lang="en-GB">Then the produced certificate is written back to the modem:<br /><br /><pre class="ui-code" data-mode="text">AT%CMNG=0,{SEC_TAG},1,&quot;{crt}&quot;</pre></p> <p style="line-height:100%;margin-bottom:0;" lang="en-GB">I hope I could answer your questions to your satisfaction :-)<br /><br />Regards,</p> <p style="line-height:100%;margin-bottom:0;" lang="en-GB">Markus</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/367506?ContentTypeID=1Thu, 12 May 2022 03:54:26 GMT137ad170-7792-4731-bb38-c0d22fbe4515:762be288-67be-4b59-95cd-7f7fc8eeea1cAlbrecht Markus Schellenberger<p>Hello Elisa,</p> [quote user=""]2. It&nbsp;is recommended to have 2 CA certificates if one is revoked. But only one CA certificate is associate to a security tag. Do you have a way do deal with lists of CA certificate ? Or do we need to change the CA certificate in the corresponding tag if it is not valid anymore?&nbsp;<br />Also, it&nbsp;looks like there is not a specific error returned for an invalid CA certificate during the mqtt connection. There is an error&nbsp;that could correspond to various problems. Am I right ? If yes, how can we know that a new CA certificate is needed ?&nbsp;[/quote] <p style="line-height:100%;margin-bottom:0;" lang="en-GB">Several Root CAs can be stored to the modem file system. Security tags are used to separate the CA when opening a TLS connection. An application may open a TLS connection using the CA in any security tag.<br /><br />All internal TLS specific socket API error codes are translated to errno <a href="https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.7.1/lib/libc/minimal/include/errno.h#L96">ECONNREFUSED</a>. There is no errno for these cases that is specific enough to distinguish why connect() failed. The best the application could do is provide more than one security tag.<br /><br />Regards,</p> [quote user=""]1. I see that an AT command exists for key generation (%KEYGEN) that can create a certificate signing request (CSR). Are there&nbsp;or will be a command to generate a client certificate from this CSR?&nbsp; If not, do you recommend to use the command to generate the CSR and do the signing ourselves in the code or to do everything ourselves ? We looked at the library MBEDTLS for that.&nbsp;[/quote] <p style="line-height:100%;margin-bottom:0;" lang="en-GB">I will come back to you on this.<br /><br />Regards,</p> <p style="line-height:100%;margin-bottom:0;" lang="en-GB">Markus</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/367371?ContentTypeID=1Wed, 11 May 2022 11:02:42 GMT137ad170-7792-4731-bb38-c0d22fbe4515:dd1df585-f639-4359-86ea-6eee77e9f51fAlbrecht Markus Schellenberger<p style="line-height:100%;margin-bottom:0;" lang="en-GB">Hello Elisa,<br /><br />I need to check some details around your questions with our modem team. I will come back to you as soon as I have an update to share.<br /><br />Regards,</p> <p style="line-height:100%;margin-bottom:0;" lang="en-GB">Markus</p><div style="clear:both;"></div>