CC3220: How to make my own certificate known to the CC3220 when creating and programming an image?

Part Number: CC3220

Hi,

When developing, we use the certificate files in SDKSInstallDir\tools\cc32xx_tools\certificate-playground, and the root CA is known in the certcatalogplayground-***.lst file.

So, creating and programming the image is OK.

Now, we are trying to replace the certificates with a self-signed certificate. But when programming the image, UniFlash reports that the root CA is unknown.

What should I do to update or generate a certcatalog**.lst to make the self-signed certificates known to the CC3220?

  • Hi yaowei guo!

    The CC3220 does not support using a self-signed certificate for signing the MCU image. As you have noted, the root certificate authority (root CA) of the chain that is used to sign the MCU image must be known to the device, and therefore present in the Trusted Root-Certificate Catalog. The catalog can only be created by TI because it is signed with the TI private key and verified using the TI certificate in the device ROM.

    Refer to section 3.2.5.1 of the CC3120, CC3220 Security App Note or 7.4 of the Network Processor Programmer's Guide.

    TI may update the catalog over time with known trusted root CAs, but you cannot create a new catalog with your own self-signed certificate. When using the device in production, you will have to acquire a certificate for signing your application image whose root CA is listed in the catalog.

    A full list of the root CAs included in the production catalog can be found in the readme.html file located in the SDK under tools/cc32xx_tools/certificate-catalog/readme.html.

    NOTE: The Trusted Root-Certificate Catalog can only be disabled at the secure socket level as per section 7.5.4 of the Network Processor Programmer's Guide.


    Best Regards,

    Ben M

  • Hi, Ben M

    Thanks for your answer!

    The Trusted Root-Certificate Catalog is released with the SDK. And I think the catalog file seems to be the list of root CA files for the known root CAs. But where are the root CA files known by the catalog stored? Are the root CA files updated with the service pack? Or are the root CA files burned in when the MCU chip is produced, and then never updated?

    Do the trusted root CAs have a valid period? If the current version of the root CA is out of date, the old version of the image generated with the root CA and a certificate signed by it cannot be downloaded, so the firmware for the product cannot be updated.

    And another question is how to update the certificate files on the product after the certificate is out of date?

    BR,

    Guo YaoWei

  • Hi Guo YaoWei,

    The catalog file stores the fingerprint and name of the Root CA, not the entire certificate. The root CA that is used must be loaded onto the device when programming for production. This may or may not be updated during an OTA update.

    Though there is a period for which the Root CA cert is valid, the device does not check this during the boot process. This was a design decision because not all applications set the RTC (which would be necessary for verifying the date) and because checking could cause a factory reset to fail if it is performed after the file expires. 

    A certificate used for SSL/TLS should be renewed and updated prior to it expiring.

    Best Regards,

    Ben M