• State Resolved
  • Locked Locked
  • Replies 16 replies
  • Answers 2 answers
  • Subscribers 40 subscribers
  • Views 2943 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC3220: What is the process for creating the production certificate used for code signing?

Ryan Hunter65
Intellectual 470 points
Part Number: CC3220
Other Parts Discussed in Thread: UNIFLASH

I'm having issues finding exactly what I need to create the production code signing certificate.

I'e looked at the following:

It isn't clear to me what is necessary to create the certificate(s). The T.I. wiki shows how to create a self signed certificate but doesn't really explain how to use/which certificate is necessary from a CA.

  1. What type of certificate do I need to get from a Certificate Authority?
  2. How do I sign the certificate for use with the CC3220?
  3. Do I need to flash more than one certificate (i.e. trusted-cert and trusted-root-cert)?
    1. What's the benefit of having the certificate chain?

  4. Will the UniFlash tool throw an error when the code signing certificate has expired?

Thanks in advance.

  • 0
    TI__Guru 64555 points

    Hello,

    You should create a key first and then its matching certificate.

    The key is used for signing and the certificate is used as the public key stored on the device that matches the key and checks its validation.

    The CA authority gets your certificate and sign it for you. You do not share the private key.

    Most likely the authority would provide back a chain ending up with the root as their identity.

    You should store the entire chain on the filesystem so the device knows how to navigate and check the validity.

    Uniflash does not know to check a certificate. It is your responsibility.

    Regards,

    Shlomi

  • 0 in reply to Shlomi Itzhak
    Intellectual 470 points
    Thanks Shlomi,

    As a follow up, when creating an OTA package do I need to add the entire key chain to that package?

    Thanks.
  • 0 in reply to Ryan Hunter65
    TI__Guru 64555 points

    Hello,

    Anything you want to update should go under the OTA package.

    If you want to update the certificates chain, you can also do it.

    Regards,

    Shlomi

  • 0 in reply to Shlomi Itzhak
    Intellectual 470 points

    Shlomi,

    One last question, does the UniFlash tool care if the code signing certificate is expired? I'm trying to determine how often I will need to update the certificate.

    --Ryan

  • 0 in reply to Ryan Hunter65
    TI__Guru 64555 points

    Ryan,

    No, Uniflash does not have the ability to open the certificates and extract its configuration parameters.

    It is up to the user to validate it prior to programming.

    Regards,

    Shlomi

  • 0
    Genius 4565 points
    Ryan,

    Who are you using to sign your certificate? I'll need to be doing this soon and was looking for details on how the process works from someone who has done it.
  • 0 in reply to Andrew5821
    Intellectual 470 points
    Andrew,
    Unfortunately I have not done this yet so I do not know the process. I will attempt to provide an answer here when I do.
  • 0 in reply to Ryan Hunter65
    Genius 4565 points
    OK Thanks. It is very confusing because none of the CAs talk about signing embedded code.
  • 0 in reply to Shlomi Itzhak
    Intellectual 470 points

    Shlomi,

    I have been issued a code signing certificate by one of the specified CAs in the certificate playground. I'm now working on signing my firmware with this certificate. I'm having issues with Uniflash stating that the error FS_ERR_ROOT_CA_IS_UNKOWN.

    I am using UniFlash 4.2.1.1562 and the certificate catalog from the simplelink SDK 1.60.00.04.

    Did I need to specify to the CA to sign my certificate with a specific root certificate?

    --Ryan

  • 0 in reply to Ryan Hunter65
    TI__Guru 64555 points

    Hi,

    Just to understand that you applied the procedure well:

    1. you should create a private key, RSA only (not ECC) of lengths 1024 or 2048 (not 4096)
    2. generate a CSR with the private key that you created to one of the known CA vendors as in the catalog list (not the playground)
    3. when you get back the certificate chain, you need to add it to the file system using Uniflash and when adding your mcu image, pick it from the drop down list
    4. for the signature, you can choose "Private Key File Name", browse and pick the original key that matches the certificate
    5. that's it. Now the device can take the signature and the public key from the certificate, run RSA on the two artifacts and come out with SHA1 hash. It then compares that it matches the SHA1 of the file.

    This should work.

    Regards,

    Shlomi

  • 0 in reply to Shlomi Itzhak
    Intellectual 470 points

    Shlomi,

    Should the certificate chain be 1 file containing my public key and the CAs public keys? Like a PKCS7 file?

    --Ryan

  • 0 in reply to Ryan Hunter65
    TI__Guru 64555 points

    Ryan,

    For the file system, you cannot use certificates chain. It is a limitation. You can use chain for SSL/TLS only.

    So you would need to unchain it into separate certificate files and program to the file system (in DER format).

    Regards,

    Shlomi

  • 0 in reply to Shlomi Itzhak
    Intellectual 470 points

    Shlomi,

    Does the name of the certificate chain files on the CC3220 file system have to match the name of the certificate? (i.e. I have a certificate that is signed by "CA SHA2 Assured ID Code Signing CA" does the file on the file system need to be named the same)

    The reason I ask is that the name of the certificate is longer than the allowable name within the file system.

    Also, I was under the impression that the certificate chain could be in PEM or DER format.

    --Ryan

  • 0 in reply to Ryan Hunter65
    TI__Guru 64555 points

    Ryan,

    When you flash the individual certificates, the file system nevigate in the chain according to the "issued by".

    So the top level filename is not important but the rest should be identical to their "issued by" name (and thus need to be programmed to the root only).

    So if you take as an example the trusted chain in the playground directory, you have:

    1. dummy-trusted-cert with "issued by" pointing to dummy-trusted-ca-cert
    2. dummy-trusted-ca-cert with "issued by" pointing to dummy-root-ca-cert
    3. dummy-root-ca-cert with "issued by" to dummy-root-ca-cert (self signed as it is a root CA)

    So you can store dummy-trusted-cert in any filename you want but dummy-trusted-ca-cert must be in this specific filename and under the root. Regarding dummy-root-ca-cert, i do not think it is required as this is the root CA file which is part of the catalog itself.

    How come you get a filename which is longer than 180 bytes? this is the "issued by" that you see?

    Shlomi

  • 0 in reply to Shlomi Itzhak
    Intellectual 470 points
    Thank you for your help Shlomi,

    So to elaborate on what worked for me:

    The certificate chain contained 3 files:
    1. MyCodeCert
    2. CA Code Cert
    3. CA Self Signed Code Cert

    When inspecting MyCodeCert the chain looked similar to this:
    "CA"
    |
    -> "CA SHA2 Assured Code Signing Cert CA"
    |
    -> "MyCodeCert"

    I programmed the device using these names and I would get the error that the File does not exist. I inspected the CA SHA2 Assured Code Signing Cert CA file and the chain looked like this:
    "CA"
    |
    -> "CA SHA2 Assured Code Signing Cert CA"

    Lastly I inspected the CA cert and the certificate chain looked like this:
    "CA Assured ID"

    I renamed the files on the CC3220 file system to match the names within each of the certificates so the 3 filenames I put on the device in the root directory are:
    1. "CA Assured ID"
    2. "CA SHA2 Assured Code Signing Cert CA"
    3. "MyCodeCert"

    I did have to store the root CA file to successfully load the device.

    Again, thanks for your help!

    --Ryan
  • 0 in reply to Ryan Hunter65
    TI__Guru 64555 points

    Great Ryan,

    I am happy that you got it to work.

    Shlomi