CC3235MODSF: Switching to Trusted Root Certificate results in FS_ERR_ROOT_CA_IS_UNKOWN

Part Number: CC3235MODSF

I switched from the dummy-root-ca-cert to the "Use default Trusted Root-Certificate Catalog" certificates, but when I load the image I get:

I assume that I need to add the certs manually to the user files. Which files? simplelink_cc32xx_sdk_6_10_00_05\tools\cc32xx_tools\certificate-catalog\certcatalog20200715.lst? Or do I need the bin file as well?

All I see about this is:
6.10 Adding the Trusted Root-Certificate Catalog
The trusted root-certificate is a file provided by TI. The store contains a list of known and trusted root CAs and a
list of revoked certificates. The list of the CAs supported by TI can be found in the CC3x20, CC3x3x
SimpleLink™ Wi-Fi® Internet-on-a chip™ solution built-in security features Application Report.
The ImageCreator installation has a default trusted root-certificate catalog used by the ImageCreator. The
default trusted root-certificate can be overridden by selecting a different file and its signature file. The
ImageCreator has no link to the selected trusted root-certificate original file. To change the trusted root-certificate
content, select a new file.

  • Tried the certcatalog files:

    No Joy

  • The catalog needs to be installed through the ImageCreator files->Trusted Root-Certificate Catalog tab (not manually). It will not appear in the files list.

    Once installed you will not be able to use the playground "dummy" keys and certificates to sign and verify secure files. Instead you will need to install a valid certificate (purchased from a known CA and signed with a root CA that appears in the catalog) and use the corresponding private key to sign secure files.

    See more details in https://www.ti.com/lit/swru469 or in https://www.ti.com/lit/swpu332.

  • I think you misunderstand. I did set the button for "Use default Trusted Root-Certificate Catalog". Including the catalog in the UserFiles was just an attempt to mitigate the error. Setting the Use Trusted Root button is when I started to get the FS_ERR_ROOT_CA_IS_UNKOWN error.

    We do not intend to sign our code (at this time), nor have a client security cert. Our intent is simply to connect to an MQTT server that does have a server cert signed by a CA in the catalog. I was under the impression that including the catalog would allow us to authenticate the server cert that the MQTT server sends.

    The alternative is to include all the CA certs into the UserFiles.

  • As said before, if you use the "Trusted Root-Certificate Catalog" - you can't install the MCU Image and/or any other secure user files without a signature by a valid certificate (signed by a root CA included in the catalog). There is no way around this other than using the Vendor Catalog (as described in https://www.ti.com/lit/pdf/swru547).

    If you just want to connect to an MQTT Broker without purchasing a certificate, you can still use the Playground catalog. A TLS connection that will fail the catalog verification will still be considered successful; you will just get a warning return code (-468, SL_ERROR_BSD_ESECUNKNOWNROOTCA) that you can choose to ignore during development (in the final product you may choose to terminate the connection when receiving the warning). Another option is to disable the Catalog Verification, which you can set per socket (using sl_SetSockOpt).
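
The warning handling described in the last reply, as an added example that is not part of the original thread or TI's SDK code: a connect wrapper that tolerates the -468 warning in a development build and closes the socket in a production build. The callback types, policy enum and fake connect functions are hypothetical; in firmware the callbacks would wrap sl_Connect and sl_Close, and treating every other negative code as a failure is an assumption of this example.

```c
#include <stdio.h>

/* Value quoted in the reply above; in firmware the SDK headers define it. */
#ifndef SL_ERROR_BSD_ESECUNKNOWNROOTCA
#define SL_ERROR_BSD_ESECUNKNOWNROOTCA (-468)
#endif

/* Hypothetical callbacks: in firmware, thin wrappers around sl_Connect()/sl_Close(). */
typedef int (*connect_fn)(int sd);
typedef int (*close_fn)(int sd);
typedef enum { POLICY_DEVELOPMENT, POLICY_PRODUCTION } tls_policy_t;

/* Returns 0 if the socket may be used, else the negative connect code.
 * *root_ca_warning is set to 1 when the catalog check did not pass. */
int tls_connect_checked(int sd, connect_fn do_connect, close_fn do_close,
                        tls_policy_t policy, int *root_ca_warning)
{
    int rc = do_connect(sd);
    *root_ca_warning = (rc == SL_ERROR_BSD_ESECUNKNOWNROOTCA);

    if (*root_ca_warning && policy == POLICY_DEVELOPMENT) {
        /* Session is up, but the server's root CA is not in the catalog. */
        fprintf(stderr, "warning: unknown root CA (rc=%d), development build continues\n", rc);
        return 0;
    }
    if (rc < 0) {
        /* Production policy, or any other negative code (an assumption of this
         * example): fail closed so no application data is sent on the link. */
        do_close(sd);
        return rc;
    }
    return 0;
}

/* Constructed stand-ins for the network calls so the example runs on a host. */
static int closed_sockets = 0;
static int fake_connect_unknown_root(int sd) { (void)sd; return SL_ERROR_BSD_ESECUNKNOWNROOTCA; }
static int fake_connect_ok(int sd) { (void)sd; return 0; }
static int fake_close(int sd) { (void)sd; closed_sockets++; return 0; }

int main(void)
{
    int warn;
    int dev = tls_connect_checked(1, fake_connect_unknown_root, fake_close, POLICY_DEVELOPMENT, &warn);
    int prod = tls_connect_checked(1, fake_connect_unknown_root, fake_close, POLICY_PRODUCTION, &warn);
    int ok = tls_connect_checked(1, fake_connect_ok, fake_close, POLICY_PRODUCTION, &warn);
    printf("dev=%d prod=%d ok=%d closed=%d\n", dev, prod, ok, closed_sockets);
    return 0;
}
```

Keeping the warning flag separate from the return value lets a development build log or count unverified connections instead of silently accepting them.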