CC3220SF-LAUNCHXL: Possible to use own root CA?

Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: CC3220SF

Hello,

We have a scenario where a group of satellite boards based on the CC3220SF connect to an MQTT server over the internet to send sensor data.

The certificate of the MQTT server is signed by a custom root CA that we have created and use internally.

Since the whole scenario is internal to our company, is it possible to add our root CA to the Trusted root certificate catalog, re-sign this file with the TI key and flash it on the CC3220SF?

Is it also possible to use the internal root CA to sign the code signing certificate, so that we are independent from a third-party CA?

Regards

Damiano

  • We can't add self-signed certificates to our catalog, but there is an option to add a vendor-specific catalog (see https://www.ti.com/lit/pdf/swru547).

    It uses the flash OTP sector (for storing vendor specific root CA that will verify the catalog upon update).

    Another option that you have in TLS is to use the original TI catalog and ignore the catalog check (when you expect it to fail). You'll get the error SL_ERROR_BSD_ESECUNKNOWNROOTCA but the connection gets created. The application can decide to use this to close the connection or to ignore and continue (you can also set the socket's SL_SO_SECURE_DISABLE_CERTIFICATE_STORE option to avoid this warning message).

    When using our MQTT library, you can use the MQTTCLIENT_NETCONN_SKIP_CERTIFICATE_CATALOG_VERIFICATION connection flag.
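
One way an application might act on the connect result described in the answer above, as an added example (not TI's code and not from either poster): it continues past SL_ERROR_BSD_ESECUNKNOWNROOTCA only when the socket was first given your own root CA file, and closes on any other error. `tls_connect_verdict`, `tls_open_pinned`, `ca_path` and the `USE_SIMPLELINK_SDK` build switch are hypothetical names; setting the CA file through `SL_SO_SECURE_FILES_CA_FILE_NAME` is an assumption about your setup, and the host-build error value is a stand-in, not the SDK's.

```c
#include <stdbool.h>
#include <string.h>
#ifdef USE_SIMPLELINK_SDK            /* hypothetical switch: define for the CC3220SF build */
#include <ti/drivers/net/wifi/simplelink.h>
#else                                /* host build: stand-in value, NOT the SDK's number */
#define SL_ERROR_BSD_ESECUNKNOWNROOTCA (-9001L)
#endif

typedef enum { TLS_KEEP, TLS_KEEP_PRIVATE_ROOT, TLS_CLOSE } tls_verdict_t;

/* Decide what to do with the sl_Connect() return code on a secure socket.
 * ca_file_set: our own root CA file was set on the socket before connecting. */
tls_verdict_t tls_connect_verdict(long rc, bool ca_file_set)
{
    if (rc == 0)
        return TLS_KEEP;                       /* connected, no warning reported */
    if (rc == SL_ERROR_BSD_ESECUNKNOWNROOTCA)  /* connected, root not in the catalog */
        return ca_file_set ? TLS_KEEP_PRIVATE_ROOT : TLS_CLOSE;
    return TLS_CLOSE;                          /* any other error: do not continue */
}

#ifdef USE_SIMPLELINK_SDK
/* Open a TLS socket that uses our root CA file (ca_path is a hypothetical file
 * name on the device file system) and apply the verdict above.
 * Returns the socket descriptor, or a negative value on failure. */
int tls_open_pinned(const SlSockAddrIn_t *srv, const char *ca_path)
{
    _i16 sd = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);
    if (sd < 0)
        return sd;
    _i16 rc = sl_SetSockOpt(sd, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CA_FILE_NAME,
                            ca_path, (SlSocklen_t)strlen(ca_path));
    bool ca_set = (rc == 0);
    if (ca_set)
        rc = sl_Connect(sd, (const SlSockAddr_t *)srv, sizeof(*srv));
    if (!ca_set || tls_connect_verdict(rc, ca_set) == TLS_CLOSE) {
        sl_Close(sd);                          /* refuse the unverified session */
        return rc < 0 ? rc : -1;
    }
    return sd;
}
#endif
```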