
CC3220SF-LAUNCHXL: CC3220SF: Production Certificate

Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: UNIFLASH, CC3220SF

Hi

    I am having some doubts. I read some threads related to the production certificate and SimpleLink™ WiFi Certificates Handling.

    A self-signed certificate is not possible to use in production mode; the root certificate catalog holds the entire set of trusted root certificates known to the SimpleLink™ CC31xx/CC32xx device (simplelink_cc32xx_sdk_2_20_00_10/tools/cc32xx_tools/certificate-catalog/readme.html).

    1) How can I buy a trusted root certificate, and what certificates will they give (I am new to buying certificates)?

    2) Suppose I buy a certificate for one year; after one year do I again need to dump the new certificate?

    3) Once I buy a certificate, can I use that certificate for HTTPS, Secure TCP, Secure MQTT?

    4) This link: processors.wiki.ti.com/.../CC3120_&_CC3220_Generate_Certificate

          (openssl x509 -req -days 730 -in cert.pem -CA ca.pem -CAkey CAPrivate.pem -set_serial 01 -out cert.pem)

       For the ca.pem field, can I use the trusted root certificate for generating the production certificate, or is there any other method for generating the production certificate using the trusted root certificate?

Thank You

   Vasu

  • Hi Vasu,

    These answers are in the Wi-Fi Certificate Handling guide. Please read this document for more details.

    1) You will have to buy from a certificate authority.

    2) Details on expiration are given in the Certificate Types section.

    3) There are different types of certificates for code signing and TLS/SSL. Please see the Certificate Types section.

    4) You cannot create your own certificate for code signing (I'm assuming this is what you mean by production certificate).

    Best regards,

    Sarah

  • Hi Sarah Pelosi,

    Thank you for your reply.

    Finally I understand something; if anything is wrong, please correct me.

    1) I need to buy a Code Signing Certificate from a TI-recommended certificate authority, correct?

       - First I need to generate a private key, RSA only, of length 1024 or 2048 (openssl makes the CSR and key).

            > openssl req -newkey rsa:2048 -sha256 -nodes -keyout out.key -out out.csr  // but here it generates .key format, not .pem format; can I convert .key to .pem format?

       - After generating this certificate I need to give this certificate to the certificate authority for signing (Ex: digicert.com).

       - They will give server cert, intermediate cert and root certificate. // What is the purpose of the intermediate cert?

       - In UniFlash production mode, when adding the mcu.bin image, at that time I need to add my generated Private-key.pem and signing ca-cert.pem (or) .der certificate.

       - After adding the MCU image, the root-ca file should be added (Ex: DigiCert Global Root CA, with the same name the certificate authority gave).

       - Please correct me: is this the correct procedure, or is anything wrong?

    2) Can I use this certificate for OTA, meaning signing the MCU image using the signed certificate and the command below for creating the OTA image?

       - The following is an example openssl command for generating an EC private key:

            openssl ecparam -name prime256v1 -genkey -out ota_vendor_key.pem

       - To create a public certificate from this key, use the following:

            openssl req -new -x509 -key ota_vendor_key.pem -out ota_vendor_cert.pem -days 730

    3) Suppose I buy a certificate for one year; after one year the certificate will expire, but in the CC3220SF the certificate is validated during the boot process, and at that time the RTC time is not known, so the certificate will work for a lifetime, correct? If I want to update to a new certificate, can I use OTA to update the new certificate?

    4) After uploading the trusted certificate, can I use an openssl certificate for client and server (HTTPS server, MQTT, TCP etc.)?

    5) If I buy a new SSL/TLS certificate from a certificate authority, can I avoid this warning in the CC3220SF internal HTTPS?

    Thank you

       Vasu

  • Hi Vasu,

    1. The key (as a result of the openssl req command you specified) should be in the textual PEM format. What format do you get?

    Your certificate will not be signed by the root CA directly but by an intermediate certificate authority. The Intermediate Certificate Authorities (which can be the original root CA or a third party) distribute the handling of a root certificate. The result is a chain that starts with the root CA and ends with your user certificate.

    The main thing when choosing the intermediate CA is to make sure it is based on one of the root certificates in the CC3220 catalog (this will be true for most of the cases, since we support the most common root certificates).

    Before adding the MCU image, you should have the entire certificate chain in the file system (each certificate in a separate der-formatted file, all but the user certificate should be named exactly as the certificate "common name"), then use your private key as the signature key and select the certificate name as your user certificate (e.g. ca-cert.der).

    2. The OTA image signature (as opposed to the signature of individual files, such as the MCU image, within the OTA image) is not verified against the CC3220 catalog, and so you can use any private key and certificate created with the openssl commands you mentioned.

    The individual files within the image can be signed with the same key you used for the Code Signing (answer 1 above). Make sure that the entire certificate chain is written to the file system.

    3. For code signing we are not checking the date, so your 1-year certificate will work even after the date expires.

    The OTA can be used to update the certificates.

    4. You can use a private or CA-signed SSL certificate for TLS/SSL.

    5. If you use a server certificate signed by one of the valid root CAs, the browser warning should be avoided.

    Br,

    Kobi

  • Hi Kobi Leibovitch,

    Thank you for your reply.

    Thank you for your brief explanation; this is really useful for me.

    1) Last doubt: using openssl, generating a .key format private key.

           openssl req -newkey rsa:2048 -sha256 -nodes -keyout out.key -out out.csr // this command generates an out.key file.

       Can you tell me the proper private key generating command for buying a Code Signing Certificate?

    Thank you

       Vasu

  • Hi Vasu,

    The "out.key" contains your private key which you should keep safe.
    The "out.csr" is another product of this command. This "Certificate Signing Request" is the only file you should provide to the certificate authority. In return, you should get your user (public) certificate that corresponds with your private key ("out.key").

    Br,
    Kobi

  • Hi Kobi Leibovitch,

    Thank you for your brief explanation.

    Can I use an openssl command for converting .key format to .pem?

    Thank you
    Vasu

  • The “.key” is just a file extension we used in our example.

    The format of the file is PEM (you can open and verify this with a simple text editor).

    You can rename it differently if you prefer. The cc32xx doesn’t check the file extension but the actual format of its content (note that intermediate and root CA certificate files should be named according to their “common name” without der/pem extension).

    Br,

    Kobi