CC3120: How to use the self signed TLS/SSL certificates to CC3120

Navaneeth MP

Prodigy 30 points

Part Number: CC3120
Other Parts Discussed in Thread: UNIFLASH

Hi,

I created self signed TLS/SSL certificates by using below openssl commands.

openssl genrsa -out p_key.pem 2048 - Creating private key

openssl req -new -key p_key.pem -out signreq.csr - Creating certificate signing request.

openssl x509 -req -days 36500 -in signreq.csr -signkey p_key.pem -out certificate.pem - Creating ceritifcate from CSR.

openssl x509 -in certificate.pem -inform PEM –out certificate -outform DER - Changing the certificate extension from pem to der.

openssl rsa -in p_key.pem –inform PEM –out p_key –outform DER - Changing the private key extension from pem to der.

openssl dgst -binary -c -sha1 -sign p_key -out certificate_sign certificate - Creating signature file for programing to the device (Used in sl_FsClose ).

I followed the above procedure for writing certificates to CC3120, and used sl_FsWrite to write the certificate to CC3120 file system. Used sl_FsClose with the signature file which is generated from above commands. The piece of code which is used for programming the certificates in CC3120 is correct which I had verified by programming playground certificates.

Is it the correct method of generating the certificates?. If the method is correct what might be went wrong here?. I am new to SSL certification, can anyone please help me to be in a right path.?

Thanks & Regards

Navaneeth

over 2 years ago

0 Kobi Leibovitch over 2 years ago

TI__Guru 61446 points

Hi,

Self signed certificate are not supported (by default) for code signing as the device uses a certificate catalog to verify the authenticity of certificate.

You must use a certificate that was signed by a known root CA (that is included in the certificate catalog stored on the device).

By default, TI provide 2 options of catalogs: (1) Dummy "Playground" catalog that contains the dummy-root-ca-cert signature which you can use for development (dummy certificates and private keys can be found in the SDK in "tools\cc32xx_tools\certificate-playground").

(2) Production catalog that contains about 100 of the most popular root CA certificates available (full list can be found in the SDK in tools\cc32xx_tools\certificate-catalog\readme.html)

For more details refer to CC32xx certificate handling guide (https://www.ti.com/lit/pdf/swpu332).

To use your own certificate you can create your own catalog and install to the flash OTP section as described in https://www.ti.com/lit/pdf/swru547

br,

Kobi

0 Navaneeth MP over 2 years ago in reply to Kobi Leibovitch

Prodigy 30 points

Hi Kobi,

Thanks for the reply.

I had gone through the document which describes on how to create your own catalog and install to the flash OTP. It mentions to use Uniflash tool to program the catalog inside the OTP area of CC3120. Is there any way to do it by using sl_FsWrite api?.

Thanks & Regards

Navaneeth

0 Kobi Leibovitch over 2 years ago in reply to Navaneeth MP

TI__Guru 61446 points

no. it is only supported during programming (requires some (UART) bootloader commands to enable this).

0 Navaneeth MP over 2 years ago in reply to Kobi Leibovitch

Prodigy 30 points

Hi Kobi,

We are interfacing CC3120 with SPI, can we program the certificate catalog file by enable with bootloader commands through SPI?.

Also can we have a meeting with you ?.

Thanks & Regards

Navaneeth

0 Kobi Leibovitch over 2 years ago in reply to Navaneeth MP

TI__Guru 61446 points

No. it currently requires using Uniflash over UART to enable the Vendor Catalog.

If you need a direct support, please contact the TI local FAE/Sales.

0 Navaneeth MP over 2 years ago in reply to Kobi Leibovitch

Prodigy 30 points

Hi Kobi,

Is there any free/opensource certification authority available on the default catalogue?

Thanks & Regards

Navaneeth

0 Kobi Leibovitch over 2 years ago in reply to Navaneeth MP

TI__Guru 61446 points

No.

0 Navaneeth MP over 2 years ago in reply to Kobi Leibovitch

Prodigy 30 points

Hi Kobi,

Can we change the certificate issued to/by field and validity of playground certificates?.

Thanks & Regards

Navaneeth

0 Kobi Leibovitch over 2 years ago in reply to Navaneeth MP

TI__Guru 61446 points

The playground certificates are completely public, Since you have the private key, you can recreate the certificate with different (CSR) content (using openSSL for example).

However, if you use the original keys - it won't be confidential and shouldn't be used in production.

0 Navaneeth MP over 2 years ago in reply to Kobi Leibovitch

Prodigy 30 points

Hi Kobi,

If we recreate the certificate, will it directly work without updating the default catalogue. If it works with default catalogue please provide me the steps on how to recreate it.

Thanks & Regards

Navaneeth

0 Kobi Leibovitch over 2 years ago in reply to Navaneeth MP

TI__Guru 61446 points

The default Certificate-Catalog contains digests of about 100 popular root CA certificates.

It should be used in production and it will not enable the playground certificate.

The Playground-Catalog is only provided to ease the development, It only contain the signature of the "dummy-root-ca-cert"

if you create you own certificate based on the the playground root "dummy-root-ca-cert" and "dummy-root-ca-cert-key" it will work with the playground certificate.

You can find instructions how to create certificate (based on an available private key) in the web, e.g. one that i've found:

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs (see for example the

Generate a Self-Signed Certificate from an Existing Private Key)

Again this shouldn't be used for production.

0 Navaneeth MP over 2 years ago in reply to Kobi Leibovitch

Prodigy 30 points

Can we recreate the "dummy-root-ca-cert" with different CSR content and with same signature so that it will support with the existing Playground-Catalog?.

0 Kobi Leibovitch over 2 years ago in reply to Navaneeth MP

TI__Guru 61446 points

yes. check the instructions in the link above.

Wi-Fi

Wi-Fi forum

CC3120: How to use the self signed TLS/SSL certificates to CC3120

Generate a Self-Signed Certificate from an Existing Private Key)