
CC3220S-LAUNCHXL: When will there be a NWP service pack that adds the Starfield root cert to the NWP cert bundle?

Part Number: CC3220S-LAUNCHXL

Hi!

In order to eliminate a lot of confusion, would it not be possible to add the Starfield root cert to the certificate bundle in the NWP?  I would think that there will be quite a few people using the AWS back-end for their services.

Al

  • Hi Al,

    The Starfield Class 2 Certification Authority root CA cert is present in the root CA cert catalog. It was added in the v.3.10.00.04 release of the CC32xx SDK. You can find the full list of root CAs included in the catalog within the tools/cc32xx_tools/certificate-catalog/readme.html file of your CC32xx SDK.

    It is important to note that the root CA cert catalog does not have the full contents of each certificate, as this would take up substantial amounts of the external flash storage. Instead, only the hash of each root CA certificate is stored in the catalog. As such, it is required that you provide the full certificate to the CC32xx when it is needed for certificate chain verification. This is the case not only for the Starfield certificate needed for the AWS-ATS connections, but for any TLS connection, regardless of the root CA cert used by the server's cert chain.

    Let me know if you need more clarification on why the Starfield root CA cert is needed, or if you have any further questions on this topic.

    Regards,

    Michael

  • Thank you Michael. Perhaps it is a misunderstanding on the part of AWS as the required certificate does not appear to be present at their amazontrust.com/repository site. They do have a -G2 certificate but that appears not to work as well. I asked around internally and one of our engineers found this cert on the web that seems to work. It would be good if AWS would highlight which cert on the repository site is needed for embedded apps.

    -----BEGIN CERTIFICATE-----
    MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
    ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
    b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
    MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
    b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
    ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
    9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
    IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
    VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
    93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
    jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
    AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
    A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
    U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
    N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
    o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
    5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
    rqXRfboQnoZsG4q5WTP468SQvvG5
    -----END CERTIFICATE-----

  • Hi,

    The CC3220 needing to use the Starfield Class 2 Certificate Authority is a bit unusual. When a server cert chain is presented to a client device for verification, there are a couple of ways this is done. Typically, the client will traverse up the cert chain until it hits a certificate that is present in its catalog of trusted CA certs. Thus, if the Amazon CA cert is trusted by the client then it will only need to have that cert available locally, since using the Amazon CA cert is sufficient to verify the certificate chain.

    However, the CC3220 operates a bit differently. What happens is that it will traverse the chain until it gets to the top-level cert, even if one of the intermediate certs happens to be a certificate that is present in its trusted root CA store. Normally, this behavior will not result in different results when compared to the first method, since typically only the last cert in a cert chain is a trusted root CA cert. If the Amazon Root CA was not cross-signed, then there would be no issue with simply providing the Amazon Root CA cert.

    However, since the Amazon Root CA cert is cross-signed, what happens is that to the CC3220 it appears that the Amazon Root CA is not the top-level cert. Instead, the TLS stack sees that the Starfield Class 2 Certificate Authority cert is the top-level root CA cert. That is why the Starfield Class 2 Certificate Authority cert is the root CA cert required for cert chain verification.

    Since this behavior of the CC3220 is not common, it is understandable that Amazon does not highlight or point out what cert is needed, since in the majority of cases having the Amazon Root CA cert is correct. 

    Let me know if you need more clarification on why that is the case.

    Regards,

    Michael
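
Michael's two replies describe two things that together explain why the Starfield cert is needed: the catalog stores only root-CA hashes, so the full cert has to be supplied, and the chain walk continues to the top-level self-signed certificate instead of stopping at the first trusted anchor. The Python below is an added model of both behaviours for this thread; it is not TI or AWS code and not the CC3220 NWP implementation. The certificate objects, key ids, intermediate and endpoint names and the catalog contents are constructed, there is no real X.509 parsing or signature checking, and the hierarchy is collapsed to a single cross-signing step (the walk-to-top loop works for any depth).

```python
"""Constructed model of two certificate-chain-building strategies.

Strategy A (typical TLS client): walk up from the leaf and stop as soon as the
current cert's issuer is a trust anchor, matched by subject and key.
Strategy B (the behaviour this thread describes for the CC3220): walk up to the
top-level self-signed cert, using the presented chain plus whatever full certs
are stored locally, then check that cert's hash against a hash-only catalog.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # identifies the public key carried in this cert (invented)
    signer_key_id: str  # key that produced the signature over this cert (invented)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.signer_key_id

    def fingerprint(self) -> str:
        # Stand-in for the hash of the DER cert that a hash-only catalog stores.
        raw = "|".join((self.subject, self.issuer, self.key_id, self.signer_key_id))
        return hashlib.sha256(raw.encode()).hexdigest()


# Constructed hierarchy, collapsed to one cross-signing step: "Amazon Root CA 1"
# exists both self-signed and cross-signed by Starfield Class 2.
STARFIELD = Cert("Starfield Class 2 Certification Authority",
                 "Starfield Class 2 Certification Authority", "sf2", "sf2")
AMAZON_ROOT_SELF = Cert("Amazon Root CA 1", "Amazon Root CA 1", "arca1", "arca1")
AMAZON_ROOT_CROSS = Cert("Amazon Root CA 1",
                         "Starfield Class 2 Certification Authority", "arca1", "sf2")
INTERMEDIATE = Cert("constructed intermediate CA", "Amazon Root CA 1", "int1", "arca1")
LEAF = Cert("constructed-endpoint.example", "constructed intermediate CA", "leaf", "int1")

# What the server presents: leaf first, ending with the cross-signed root.
SERVER_CHAIN = [LEAF, INTERMEDIATE, AMAZON_ROOT_CROSS]

# Hash-only catalog (constructed contents; the real list is in the SDK readme).
CATALOG = {STARFIELD.fingerprint(), AMAZON_ROOT_SELF.fingerprint()}


def find_issuer(cert: Cert, candidates: Iterable[Cert]) -> Optional[Cert]:
    """Return the first candidate whose subject and key match cert's issuer and signer."""
    for c in candidates:
        if c.subject == cert.issuer and c.key_id == cert.signer_key_id:
            return c
    return None


def verify_stop_at_trusted(chain: List[Cert], trust_store: List[Cert]) -> Optional[str]:
    """Strategy A. Returns the subject of the anchor that ended the walk, or None."""
    cur = chain[0]
    for _ in range(len(chain) + 1):  # bound the walk; a self-signed cert would loop
        anchor = find_issuer(cur, trust_store)
        if anchor is not None:
            return anchor.subject
        cur = find_issuer(cur, chain)
        if cur is None:
            return None
    return None


def verify_walk_to_top(chain: List[Cert], local_certs: List[Cert],
                       catalog: Set[str]) -> Tuple[bool, str]:
    """Strategy B. The presented chain is searched before local certs (model
    assumption), so a cross-signed root sent by the server is followed rather
    than a self-signed copy stored locally."""
    cur = chain[0]
    seen = set()
    while not cur.is_self_signed():
        if cur in seen:
            return False, "loop in chain"
        seen.add(cur)
        nxt = find_issuer(cur, chain) or find_issuer(cur, local_certs)
        if nxt is None:
            return False, f"no full certificate available for issuer {cur.issuer!r}"
        cur = nxt
    if cur.fingerprint() not in catalog:
        return False, f"top-level cert {cur.subject!r} is not in the catalog"
    return True, cur.subject


def demo() -> dict:
    """The cases discussed in the thread, keyed by scenario."""
    return {
        "typical_with_amazon_root": verify_stop_at_trusted(SERVER_CHAIN, [AMAZON_ROOT_SELF]),
        "cc3220_with_amazon_root": verify_walk_to_top(SERVER_CHAIN, [AMAZON_ROOT_SELF], CATALOG),
        "cc3220_with_starfield": verify_walk_to_top(SERVER_CHAIN, [STARFIELD], CATALOG),
        "cc3220_hash_only_no_full_cert": verify_walk_to_top(SERVER_CHAIN, [], CATALOG),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it reproduces the situation in the thread: with only the self-signed Amazon Root CA 1 on the device, strategy A succeeds, while strategy B follows the cross-signed copy in the server's chain up to an issuer it has no full certificate for and fails; supplying the Starfield cert makes it pass. The last case shows that a hash in the catalog alone is not enough, since the walk still needs the full certificate to reach and identify the top-level cert.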