Modem Certificate Management from zephyr Shell(CLI)

RE: Modem Certificate Management from zephyr Shell(CLI)

RileyH — Tue, 24 Jan 2023 22:38:38 GMT

We are dealing with a similar issue. We are able to write the certificates/keys if we use the clear AT command (not running from within the shell). Once we enable the shell, the shell processing messes things up.

I am wondering if the command: at at_cmd_mode would help to start it up in AT mode only. I looks to me that's why this mode was created in the first place.

We haven't yet moved forward to the newer versions of the SDK but this might provide enough reasons to move forward.

Anybody have thoughts on this?

RE: Modem Certificate Management from zephyr Shell(CLI)

Håkon Alseth — Thu, 03 Nov 2022 18:47:47 GMT

Hi,

ERASE_ALL means that you're clearing the flash entirely. You can read more about the highlevel API here:

https://github.com/NordicSemiconductor/pynrfjprog/blob/8bdced58d100191b6acd70904a2dd08b4257bc78/pynrfjprog/docs/highlevelnrfjprogdll.h#L930-L967

[quote user="Waqar Ahmed"]At our production time .we are flashing the serial number in intel hex format like serial.hex file.
before that we are flashing through SES download file option.[/quote]

you can use nrfjprog directly for this purpose:

nrfjprog --program my_file.hex --sectorerase --verify

Kind regards,

Håkon

RE: Modem Certificate Management from zephyr Shell(CLI)

Waqar Ahmed — Wed, 02 Nov 2022 14:29:23 GMT

Hi Hakon,

I used this api.

At our production time .we are flashing the serial number in intel hex format like serial.hex file.
before that we are flashing through SES download file option.

I create a script in the following order
Flash serial number

program_options = HighLevel.ProgramOptions(
    erase_action=HighLevel.EraseAction.ERASE_NONE,
    reset=HighLevel.ResetAction.RESET_NONE,
    verify=HighLevel.VerifyAction.VERIFY_NONE
)
    nrfjprog_probe.program(fw_hex, program_options=program_options)

Then Flash at_Client app

with following program option

program_options = HighLevel.ProgramOptions(
    erase_action=HighLevel.EraseAction.ERASE_ALL,
    reset=HighLevel.ResetAction.SYSTEM_RESET,
    verify=HighLevel.VerifyAction.VERIFY_READ
)
and then certification that flash successfully
in the last stage i am going to flash the application firmware.

program_options = HighLevel.ProgramOptions(
    erase_action=HighLevel.EraseAction.ERASE_ALL,##not sured about this option
    reset= HighLevel.ResetAction.SYSTEM_RESET,
    verify=HighLevel.VerifyAction.VERIFY_READ
)


after completing above step I want to flash firmware again its erase serial number from nvs storage.

if we flash the application through SES or VS code its work properly.

Please guide about this issue.
Thanks

RE: Modem Certificate Management from zephyr Shell(CLI)

Waqar Ahmed — Wed, 26 Oct 2022 13:24:41 GMT

Thanks

I will check it

RE: Modem Certificate Management from zephyr Shell(CLI)

Håkon Alseth — Wed, 26 Oct 2022 13:18:51 GMT

Hi,

Have you looked at this post? It seems to match your requirement in terms of automating the credentials part:

Automating nRF91 TLS credential management via serial port AT commands

Note that you'll need to use AT_client (or set your device in AT mode somehow).

Kind regards,

Håkon

RE: Modem Certificate Management from zephyr Shell(CLI)

Waqar Ahmed — Wed, 26 Oct 2022 09:11:42 GMT

Hi,
Thanks

This mean \r \n part of cert format.

Is there any way to Paste the whole cert in Zephyr CLI(Shell).

if I paste the whole cert without removing \r \n CLI treat new line as new command.
as I see we can paste the whole cert in LTE link terminal and its work.

Thanks

RE: Modem Certificate Management from zephyr Shell(CLI)

Håkon Alseth — Wed, 26 Oct 2022 08:56:18 GMT

Hi,

[quote user="Waqar Ahmed"]

Using following C# code i am removing carriage return and new line for file

text.Replace("\n", " ").Replace("\r", " ");

[/quote]

the newline should still be there if you issue using either the C API's for issuing, or use the AT command.

Example when using the API's to issue a cert, it looks like this:

https://github.com/nrfconnect/sdk-nrf/blob/v2.1.1/samples/nrf9160/https_client/cert/DigiCertGlobalRootCA.pem#L7-L28

Here's a picture of how it looks when I issue the AWS Root CA from at_client:

You can see the \r\n is present on each line.

Kind regards,

Håkon

RE: Modem Certificate Management from zephyr Shell(CLI)

Waqar Ahmed — Wed, 26 Oct 2022 08:39:02 GMT

Just to verify the behavior here. The certificates are written OK, ie. AT%CMNG=... for CA/client/private keys are written successfully, but you cannot connect successfully?

Yes, The response is OK. after each command.

The Following format I am following with each command.
AT%CMNG=0,sec_tag,0,"text" CA

AT%CMNG=0,sec_tag,1,"text" client Cert

AT%CMNG=0,sec_tag,2,"text" private key

I am using AT command terminal on LTE Link monitor.
Using following C# code i am removing carriage return and new line for file

text.Replace("\n", " ").Replace("\r", " ");

Are you able to connect successfully if use the "at_client" to issue the certificates, and then flash your application?

I am going to try through AT client application as well.

Thanks

RE: Modem Certificate Management from zephyr Shell(CLI)

Håkon Alseth — Wed, 26 Oct 2022 08:27:54 GMT

Hi,

[quote user="Waqar Ahmed"]Even i tried from LTE link command terminal AT%CMNG=0,sec_tag,0,"certficate text" for CA cert,and then in sequence for other
I am getting the error at the time of connectivity aws connect error -95.[/quote]

Just to verify the behavior here. The certificates are written OK, ie. AT%CMNG=... for CA/client/private keys are written successfully, but you cannot connect successfully?

Are you able to connect successfully if use the "at_client" to issue the certificates, and then flash your application?

Kind regards,

Håkon

RE: Modem Certificate Management from zephyr Shell(CLI)

Waqar Ahmed — Tue, 25 Oct 2022 14:43:10 GMT

HI Hakon,

I tried every way but still no success,

Even i tried from LTE link command terminal AT%CMNG=0,sec_tag,0,"certficate text" for CA cert,and then in sequence for other
I am getting the error at the time of connectivity aws connect error -95.

RE: Modem Certificate Management from zephyr Shell(CLI)

Håkon Alseth — Tue, 25 Oct 2022 11:48:29 GMT

Hi,

Have you tried the sequence mentioned in the modem shell documentation?

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/modem_shell/README.html#getting-nrf9160-dk-out-of-the-box-and-to-nrf-cloud

You can see the raw format by checking the "terminal" window after writing the certs.

Kind regards,

Håkon