How to verify if certificate and private key are matched?

RE: How to verify if certificate and private key are matched?

SaranSiriwa — Fri, 24 Mar 2023 15:32:29 GMT

Hi,

Thanks for the update.

Best regards,

Saran

RE: How to verify if certificate and private key are matched?

Øyvind — Fri, 24 Mar 2023 11:18:15 GMT

Hello,

At the moment there are no AT commands that provide that functionality, but is a good feature request that I will forward to our modem team.

The best way at the moment to verify the key is to compare against the device ID (e.g. IMEI).

Kind regards,
Øyvind

RE: How to verify if certificate and private key are matched?

SaranSiriwa — Thu, 23 Mar 2023 17:00:45 GMT

Hi Øyvind,

Do you have any updates on this?

Best regards,

Saran

RE: How to verify if certificate and private key are matched?

SaranSiriwa — Tue, 21 Mar 2023 15:41:45 GMT

The system uses TRNG to generate public&private keys on the device itself and expose only the public key to the manufacturing PC, after the public key enrolls into the Could system successfully then write the public key back to the device.

In this procedure, I would like to know if there are any AT commands to check that the public&private keys are matched.

Or if you have another procedure, please let me know.

RE: How to verify if certificate and private key are matched?

Øyvind — Tue, 21 Mar 2023 07:29:36 GMT

Saran, do you read the IMEI of the devices during production? Have you looked into checking key towards a list of IMEI and credentials?

[quote user="SaranSiriwa"]The system will generate a pair key using TRNG and then expose only pub key to enroll with the cloud system then load it back into the modem.[/quote]

How does the system generate these keys? Are these generated on the device itself or on a computer?

RE: How to verify if certificate and private key are matched?

SaranSiriwa — Mon, 20 Mar 2023 18:38:04 GMT

Thank you for letting me know, I will waiting for your answer on Monday.

Best regards,

Saran

RE: How to verify if certificate and private key are matched?

Øyvind — Sat, 18 Mar 2023 07:12:28 GMT

Hello Saran, my apologies for the late reply. This week I have been at Embedded World and have had no time to follow up. Will get back to you on Monday.

Sorry for the inconvenience.

Kind regards,
Øyvind

RE: How to verify if certificate and private key are matched?

SaranSiriwa — Tue, 14 Mar 2023 03:10:24 GMT

Hi Øyvind,

Do you have any updates on this?

Best regards,

Saran

RE: How to verify if certificate and private key are matched?

SaranSiriwa — Fri, 10 Mar 2023 08:57:05 GMT

Hi Øyvind,

Currently, we use modem FW version 1.3.3.

What I mean is we already checked the HASH SHA-256 already which is valid (write/read are equal) but it is swapped with the device.

To give you some background,

The system will generate a pair key using TRNG and then expose only pub key to enroll with the cloud system then load it back into the modem.

In this case, we can accidentally load the certificate for device Number 123 onto device 456 then the certificate is a “valid” certificate but will not match the key on the 456 unit.

So I would want to know if there is a way or AT command available to guard against this case.

Best regards,

Saran

RE: How to verify if certificate and private key are matched?

Øyvind — Fri, 10 Mar 2023 08:45:35 GMT

Hello,

What modem FW are you running on your devices? The Credential storage management %CMNG is used for credential storage management. The command writes, reads, deletes, and checks the existence of keys and certificates. From modem FW v1.3.x≥2 it is possible to read the SHA-256 digest of the entity (DER, PEM) as stored in the modem filesystem.

Kind regards,
Øyvind