Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

Hakon — Mon, 06 Feb 2023 12:52:35 GMT

[quote user="JVantol"]Is there an example of how to generate a CSR from a public key out there somewhere?[/quote]

Here is one way to do it. It's for generating a CSR on a computer, not on the device though. You also need a private key for that. https://en.wikipedia.org/wiki/Certificate_signing_request

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

JVantol — Thu, 02 Feb 2023 16:34:40 GMT

Good idea. A CSR is more than just a public key though, right? Is there an example of how to generate a CSR from a public key out there somewhere? My knowledge of crypto is limited enough that I don't want to do that from scratch if I can help it.

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

Hakon — Thu, 02 Feb 2023 16:25:10 GMT

Perhaps useful comment;

They could look at the crypto/rsa sample. It will generate a RSA keypair (and then use it to sign and verify something).

If they change the key generation to also set the PSA_KEY_USAGE_EXPORT flag, they should be able to use psa_key_export() to read the private key.

https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#c.psa_export_key

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/crypto/rsa/README.html

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

JVantol — Fri, 27 Jan 2023 16:55:54 GMT

1.2.1 Which is the newest version we can use with B0A devices on ATT.

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

Hakon — Fri, 27 Jan 2023 11:43:09 GMT

What mfw are you using in the B0A devices?

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

JVantol — Fri, 20 Jan 2023 15:05:02 GMT

Yeah, I know all that, we use that capability to install the initial private key. What I'm needing is capability to generate a new private key, public key and CSR on the device to be able to replace the key and cert at 3 year intervals as required by the strict security posture of the Azure private IOT hub these devices are connected to.

So, step by step, I need:

1.) To generate a new 2048 bit RSA private/public key pair on the device.

2.) To generate a CSR from this.

Then some stuff that we've already implemented happens to call a re-provisioning API on the client's private IOT hub, with the CSR as a parameter. The hub generates a new cert, which we download.

3.) We take the new cert and private key and plug it in using the CMNG commands.

4.) Device reboots and re-connects to the cloud using the new private key and cert.

We have implemented all this using AT%KEYGEN for devices that have modem firmware 1.3.x, but we have a large population of older devices which have Gen1 modems, which are not allowed to be upgraded to 1.3.1 modem firmware, hence the need to generate key pairs in the app processor.

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

Hakon — Fri, 20 Jan 2023 14:57:14 GMT

Modem team;

Once the new certificate is in the application domain it can be written to modem file system. AT%CMNG allows clients to list, read, write and delete certificates in modem file system with some limitations.

Some information about credential management in following links:
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/modem/modem_key_mgmt.html#modem-key-mgmt
https://infocenter.nordicsemi.com/index.jsp?topic=%2Fref_at_commands%2FREF%2Fat_commands%2Fsecurity%2Fcmng.html

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

JVantol — Wed, 18 Jan 2023 15:32:55 GMT

It looks like there is a crypto example for generating an RSA private/public key pair:

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/nrf/samples/crypto/rsa/README.html

I think that you could use this to generate the private key, and they generate a CSR from the public key, but I'm not enough of an expert to know exactly how this might be done. Is this correct that you could use the PSA crypto library to make the required key pair? If so, can you suggest a library that can generate a CSR from the public key?

RE: Solution for generating new private keys when modem firmware 1.3.1 cannot be used.

Hakon — Wed, 18 Jan 2023 14:22:49 GMT

Hello,

I will check this with the modem team.