CA file - How do I install one.

Other Parts Discussed in Thread: CC3200, UNIFLASH

How do I install a CA file on a CC3200? I'm wanting to open a secure socket to something that has a self-signed cert, and I need to install their CA file so it works.

I saw that the secure socket seems to be blocking, so if it doesn't connect everything stops.


  • Hi Andrew,

    You need to use Uniflash to install/flash CA file to device. You can go through the SSL example available in CC3200 SDK which demonstrates similar feature you are trying.

    Regards,

    Jitendra

  • I've been looking at the SSL example, but for the life of me I can't find where the certificates are defined. What file is this struct in?

    I can get the cert flashed easy enough

    typedef struct
    {
      unsigned char PrivateKey;
      unsigned char Certificate;
      unsigned char CA;
      unsigned char DH;
    }SlSockSecureFiles_t;
    
    SlSockSecureFiles_t SecureFiles;
    sockSecureFiles.secureFiles[0] = 0;  // mapping private key, 0 file not exist
    sockSecureFiles.secureFiles[1] = 0;  // mapping certificate, 0 file not exist
    sockSecureFiles.secureFiles[2] = SL_SSL_CA_CERT/*129*/; // mapping CA, 0 file not exist
    sockSecureFiles.secureFiles[3] = 0;  // mapping certificate, 0 file not exist
    
    Status = sl_SetSockOpt(SockID, SL_SOL_SOCKET, SL_SO_SEC_FILES, & SecureFiles, sizeof(SlSockSecureFiles));

  • Hi,

       I think this is the one below.

       #define SL_SSL_CA_CERT_FILE_NAME        "/cert/testcacert.der"

    - kel

  • Andrew -

    In the CC3200 SDK (1.0.0) SSL example, the CA cert file is defined in main.c by the following #define:

    #define SL_SSL_CA_CERT_FILE_NAME  ...

    Use UniFlash to flash your CA cert - for example, "/cert/EquifaxRootCA.cer", and change your #define to correspond.  If you have multiple certs, you can flash them/refer to them from your code in the same manner.

    Different cert types (e.g. private key) require a call to Sl_SetSockOpt with the appropriate cert type:

    #define SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME (30) /* This option used to configure secure file */
    #define SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME (31) /* This option used to configure secure file */
    #define SL_SO_SECURE_FILES_CA_FILE_NAME (32) /* This option used to configure secure file */
    #define SL_SO_SECURE_FILES_DH_KEY_FILE_NAME (33) /* This option used to configure secure file */

    It appears that under the covers, the socket code has been "changing" (and will change some more - trace the sl_Bind call/return value in the get_time example!). The documentation needs to be updated to reflect the actual example code, in this case. 

  • Hi,

       There is a guide about SSL at document link below at Section 9.2.2.3.

       http://www.ti.com/lit/ug/swru368/swru368.pdf

    - kel

  • Markel has pointed to an example of how to use Sl_SetSockOpt() from the "Getting Started" guide to specify a CA cert file. This documentation reflects the code in main.c of the SSL example program.  

    Andrew had pasted a code fragment from the sample documentation file that is installed with the SDK in the examples subfolder, "CC32xx SSL Demo Application.pdf".  This documentation doesn't agree with the SSL example code. 

    Hopefully, TI will take note and update "CC32xx SSL Demo Application.pdf" in the near future.

  • So just to add some additional info and hopefully not add any confusion:

    I'm also striving to achieve SSL client and server secure connections.

    From code, it appears that there are 2 methods to set the certificate options using sl_SetSockOpt:  

    1) Use sl_SetSockOpt(iSockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME...

    with these options: 

    ...CA_FILE_NAME, ...CERTIFICATE_FILE_NAME,...PRIVATE_KEY_FILE_NAME

    2)  And/ (Or?)

    sockSecureFiles.secureFiles[0] = SL_SSL_PRVT_KEY_CERT;
    sockSecureFiles.secureFiles[1] = SL_SSL_CLIENT_CERT;
    sockSecureFiles.secureFiles[2] = SL_SSL_CA_CERT;
    sockSecureFiles.secureFiles[3] = 0;

    lRetVal = sl_SetSockOpt(iSockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES, sockSecureFiles.secureFiles, sizeof(sockSecureFiles));

    My question is:

    Do BOTH of these need to be executed?  

    DB

  • It's hugely confusing to me; it would be good if someone could tell us!

  • It would be difficult to use the approach documented in "CC32xx SSL Demo Application.pdf" (the code fragment posted by Andrew), since there is no #define for SL_SO_SEC_FILES in the current header files.   

    The approach documented in the "Getting Started" guide as noted by Markel is what is implemented in ssl/main.c, and this will work for you.  For examples, search for the tag "SSL" or "CERT" on this forum.  

    For example: http://e2e.ti.com/support/wireless_connectivity/f/968/p/363643/1279216.aspx#1279216

    Let's assume you have flashed the Equifax certificate under the name "Equifax.der".

    In this case you need to use:

    sl_SetSockOpt(SockID, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME, "Equifax.der", strlen("Equifax.der"));
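
The file-name approach described in the post above, as an added example (not TI's SDK code and not code from any poster): one helper binds each flashed file to the socket through its own option id and refuses to continue when no CA file is named. `tls_bind_files`, `tls_files_t`, `setopt_fn`, `TLS_ERR_NO_CA` and the host-side recorder are hypothetical names; the option ids are the ones quoted in this thread, and the `SL_SOL_SOCKET` value is an assumed stand-in for building without the SDK headers.

```c
#include <stddef.h>
#include <string.h>
/* Option ids as quoted in the thread; SL_SOL_SOCKET is an assumed host stand-in. */
#ifndef SL_SO_SECURE_FILES_CA_FILE_NAME
#define SL_SOL_SOCKET 1
#define SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME (30)
#define SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME (31)
#define SL_SO_SECURE_FILES_CA_FILE_NAME (32)
#define SL_SO_SECURE_FILES_DH_KEY_FILE_NAME (33)
#endif
#define TLS_ERR_NO_CA (-1000) /* hypothetical local error code */
/* Hypothetical: on the device this is a thin wrapper around sl_SetSockOpt. */
typedef int (*setopt_fn)(int sd, int level, int opt, const void *val, int len);
typedef struct { const char *ca, *certificate, *private_key, *dh; } tls_files_t;
/* Bind flashed file names to a socket, CA first. Returns 0, TLS_ERR_NO_CA,
   or the first negative status from set(); later options are not attempted. */
int tls_bind_files(int sd, const tls_files_t *f, setopt_fn set)
{
    const struct { int opt; const char *name; } map[] = {
        { SL_SO_SECURE_FILES_CA_FILE_NAME, f->ca },
        { SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, f->certificate },
        { SL_SO_SECURE_FILES_PRIVATE_KEY_FILE_NAME, f->private_key },
        { SL_SO_SECURE_FILES_DH_KEY_FILE_NAME, f->dh },
    };
    if (f->ca == NULL || f->ca[0] == '\0')
        return TLS_ERR_NO_CA;       /* nothing to check the peer against */
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++) {
        if (map[i].name == NULL) continue;  /* file not used on this socket */
        int rc = set(sd, SL_SOL_SOCKET, map[i].opt, map[i].name,
                     (int)strlen(map[i].name));
        if (rc < 0) return rc;
    }
    return 0;
}

/* Host-side recorder standing in for the device wrapper (constructed). */
static int rec_opt[4], rec_len[4], rec_n, rec_fail_opt;
static int record_setopt(int sd, int lvl, int opt, const void *v, int len)
{
    (void)sd; (void)lvl; (void)v;
    if (opt == rec_fail_opt) return -1;     /* simulate a rejected option */
    rec_opt[rec_n] = opt; rec_len[rec_n++] = len;
    return 0;
}
int main(void)
{
    tls_files_t f = { "/cert/testcacert.der", NULL, NULL, NULL };
    return tls_bind_files(0, &f, record_setopt) == 0 && rec_n == 1 ? 0 : 1;
}
```

On the device, call the helper after creating the secure socket and before connecting, and treat any non-zero return as a reason not to connect.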



  • Whoops - my bad ... there IS a #define for SL_SO_SECURE_FILES (as opposed to SL_SO_SEC_FILES, which is what Andrew pasted). One of the two alternative #defines/approaches for use with certs.

    See: http://e2e.ti.com/support/wireless_connectivity/f/968/p/363183/1275885.aspx#1275885

    TI says they are working on the documentation regarding this. See http://e2e.ti.com/support/wireless_connectivity/f/968/p/363643/1279216.aspx#1279216

  • See if reviewing the ent_wlan example program might help you.

    - kel

  • MQTT example with CC3200.

    https://github.com/stellascapes/mqtt-examples

    Hi, see above location to see where we've got to. It runs just fine with the unsecured sessions, but we're stuck trying to get it running secured.

    The debug suggested "error secure level bad CA file"

    Anybody hazard a guess?

  • Hi All,

    We are working to improve our documentation on this subject.
    As of now, I suggest using the SSL example code in our SDK as a good reference, along with the relevant doc ("CC32xx SSL Demo Application.pdf") describing it (including an explanation of how to download a certificate from an internet browser).

    Thanks,
    Alon

  • Hi,

    I am closing the thread. If the issue still exists, please open a new thread and add a link to this one for reference.

    Thanks,
    Alon