• State Resolved
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 443 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3235SF: Code signing certificate

Paul Everlund
Prodigy 30 points

Part Number: CC3235SF

Hi!

Reading the documentation it says one need a code signing certificate and my understanding so far is:

  1. Create a private/public key.
  2. Put the public key in the OTP "root-of-trust public key" area and carry out the OTP programming.
  3. Use the private key to sign software to be installed.

If above is correct, is there a need for a real certificate, for the software signing, provided by a valid certificates company?

If yes, should the root-CA from the certificates company be put in the certificates catalogue?

Or is it enough with the 3 steps initially described?

Reading the documentation it seems like certificates and keys are sometimes mixed up, so hence my question. Especially as I'm (yet) no expert in this area.

Thank you in advance for your answer. Slight smile

  • 0
    TI__Genius 13052 points

    Hey Paul,

    I'll address your question early next week.

    Best,
    Jacob

  • 0 in reply to Jacob B.
    TI__Genius 13052 points

    Hi Paul,

    You are mostly correct. However on Step 3:

    Paul Everlund said:
    Use the private key to sign software to be installed.

    You should create two key pairs. You use the private key in one key pair to sign the certificate catalog and the other to sign the code.

    Yes, there is a need for the real certificate from a valid certificate company to serve as the root of trust for the certificate chain. TI offers several root CA digests in the certificate catalog (the full list of root certificates supported by the catalog can be found within the SDK in /tools/cc32xx_tools/certificate-catalog/readme.html.).

    Yes, the root CA's digest should be in the certificates catalog. Section 1.2 of the SimpleLink Wi-Fi Certificates Handling Guide may be helpful:

     

    Edit: Updated post to reflect need for two key pairs

    Thanks,
    Jacob

  • 0 in reply to Jacob B.
    Prodigy 30 points

    Thank you very much for your reply, Jacob, and I hope you have had a nice weekend!

    To simplify the text I'll call the private/public key for signing the certificates catalogue (private key) and to be put in the OTP (public key) for PP.

    So, if I understand it correct:

    The PP has nothing to do with the software signing certificate at all?

    Or can the PP also be used for the software signing, i.e. you use the PP private key for signing the CSR and later on the software images? If yes, might it be a bad idea?

    And, to summarize it::

    1. One create a private/public key pair (PP), puts the public key in the OTP and use the private key to sign the certificates catalogue.
    2. Either one use the private key from PP to sign the software signing CSR (1), or create a new key pair for the software signing CSR (2).
    3. One put the certificate received from the CSR (used for software signing) in the certificates catalogue.

    Best regards,
    Paul

  • +1 in reply to Paul Everlund
    TI__Genius 13052 points

    Hi Paul,

    Paul Everlund said:

    The PP has nothing to do with the software signing certificate at all?

    Or can the PP also be used for the software signing, i.e. you use the PP private key for signing the CSR and later on the software images? If yes, might it be a bad idea?

    You are correct; ideally you have two separate key pairs. One key pair signs the vendor catalog and the other signs the code. 

    Paul Everlund said:

    And, to summarize it::

    1. One create a private/public key pair (PP), puts the public key in the OTP and use the private key to sign the certificates catalogue.
    2. Either one use the private key from PP to sign the software signing CSR (1), or create a new key pair for the software signing CSR (2).
    3. One put the certificate received from the CSR (used for software signing) in the certificates catalogue.

    These are all correct but for #2: you should generate a private/public key pair (PP) for the certificate catalog you are creating and you should also generate another pair for the software signing. Ideally, these key pairs are different.

    Most of this information can be visualized in the Vendor Device Authentication With SimpleLink Wi-Fi® Devices.

    Best,
    Jacob

  • 0 in reply to Jacob B.
    Prodigy 30 points

    Thank you very much, Jacob! Slight smile I've read the document, "Vendor Device Authentication With SimpleLink Wi-Fi® Devices", but it was a bit unclear, but now I have the information I need, so once again, thank you!

    Best regards,
    Paul