RTOS/SIMPLELINK-WIFI-CC3120-SDK-PLUGIN: Does CC3120 support adding multiple CA certificates to be used by the client for server certificate verification

Part Number: SIMPLELINK-WIFI-CC3120-SDK-PLUGIN
Other Parts Discussed in Thread: UNIFLASH, CC3120, CC3100

Tool/software: TI-RTOS

Hello,

We are using CC3120 SimpleLink, which is interfaced with TI TM4C1294XL. We are trying to connect with an Enterprise network that has a chain of CA certificates. The Server sends only the certificate to CC3120 client for verification. We have stored the CA certificate in the flash memory location path mentioned in the UniFlash. We need to store the multiple CA certificates ROOT CA and Intermediate CA to verify the certificate received from the server.

Is there any possible way to store multiple CA certificates or a chain of certificates in the CC3120 flash?

I will appreciate your early response.

Thanks.

  • Hi Saleem,

    The device supports a certificate chain stored in PEM format for verifying the server.

    Best Regards,
    Ben M
  • Hi Moore,

    Thank you for the reply.

    Can you please share the format for making the certificate chain (for root CA and intermediate CA)?

    I have attached the file that I made

    0871.MergeCert.log
    
    for chain certificate. Can you suggest the possible issue with it?
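
A structural pre-check for a merged PEM bundle such as the root CA plus intermediate CA file described in the post above, as an added example that is not part of the original thread or of TI's SDK. It only confirms that each block is valid base64 wrapping one complete DER SEQUENCE (it does not verify signatures or chain linkage); the function names and sample data are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_outer_length(der):
    """Total size claimed by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text):
    """Return one (index, status) pair per CERTIFICATE block in the bundle."""
    results = []
    for i, m in enumerate(PEM_RE.finditer(text)):
        body = "".join(m.group(1).split())      # drop line breaks and indent
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            results.append((i, "bad base64"))
            continue
        claimed = der_outer_length(der)
        if claimed is None:
            results.append((i, "not a DER SEQUENCE"))
        elif claimed != len(der):
            results.append((i, "length mismatch"))
        else:
            results.append((i, "ok"))
    return results

def _pem(der):
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: a 300-byte dummy payload in a SEQUENCE, not a real cert.
_body = bytes(range(256)) + bytes(44)
GOOD = b"\x30\x82" + len(_body).to_bytes(2, "big") + _body
# Block 0 intact, block 1 missing its leading bytes, block 2 cut short at the end.
SAMPLE = _pem(GOOD) + _pem(GOOD[6:]) + _pem(GOOD[:-10])

if __name__ == "__main__":
    for idx, status in check_bundle(SAMPLE):
        print(f"certificate {idx}: {status}")
```
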

  • Hi Moore,

    Just to be clear we are on the same page.

    We need confirmation from TI about the options to write both Root CA and Intermediate CA certificate files to connect with PEAP-MSCHAPv2 enterprise network.

    In our corporate network there is a chain of certificates. Our Radius server sends only one server certificate, while the CC3100/3120 SimpleLink module has the root CA certificate. We need a way to store both Root CA and Intermediate CA certificates in CC3100/3120 flash, so that we can verify the complete chain of certificates. Please suggest if there is any possibility of storing two CA certificates, i.e. Root CA and intermediate CA.

    Please answer the following questions.

    Can CC3100 /cert/ca.pem have a chain for intermediate and root certificates?
    Can CC3120 /sys/cert/ca.pem have a chain for intermediate and root certificates?

    Is there any other possibility to store multiple CA certificates?

    Thanks.
    Saleem

  • Hi Saleem,

    I understand the request. Let me correct my original statement -> this is not supported in our devices (CC3100 or CC3120). Having the server configured to only send its server certificate is outside of the TLS specification, which requires the entire chain to be sent by the server. As it is outside of the spec, we do not support it.

    Best Regards,
    Ben M
  • Hi Moore,

    Thank you for your reply.

    Our Root CA has a public key with RSA 4096 bits. Does the CC3120 root CA have support for an RSA 4096-bit public key for enterprise network?

    Thanks.
    Saleem
  • Hi Moore,

    As per the following post RSA 4096 bit key is not supported for enterprise network. Is that post not correct?

    e2e.ti.com/.../586381

    Thanks.
    Saleem
  • Hi Saleem,

    Sorry, that thread is the correct one. I will remove my previous post to avoid further confusion. The support for 4096 bit keys is limited to TLS/SSL and not including enterprise security. Enterprise is limited to using the hardware accelerators and therefore 2048 bit keys.

    Best Regards,
    Ben M