January 28, 2026 at 12:30 AM
Device’s certificate and public key
SpringCoreSE is the command-line tool that gives access to all the PKI and cryptographic features of the SpringCore device. Please refer to docs.springcard.com/books/Tools/SpringCore/SpringCoreSE for reference.
To work with certificates and public keys, OpenSSL is the tool. There are many tutorials on the web, for instance the OpenSSL PKI Tutorial at readthedocs.io.
Read ECC public key 13 (0D)
> SpringCoreSE atecc 13 getpub <PUBLIC KEY FILE> [DEVICE CONNECTION STRING]
Have a look over the public key:
> cat <PUBLIC KEY FILE>
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6sEYGlc4Cql7jrXhke81ZLvKMPC+
sKZdZJdqj1XZn4irGzMokqRK2PKO80xk7forIuzbnlw3OfVKM+NvPeGo0g==
-----END PUBLIC KEY-----
Dump the public key using OpenSSL:
> openssl ec -noout -text -inform PEM -in <PUBLIC KEY FILE> -pubin
read EC key
Public-Key: (256 bit)
pub:
04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
6f:3d:e1:a8:d2
ASN1 OID: prime256v1
NIST CURVE: P-256
Read X509 certificate 13 (0D)
> SpringCoreSE x509 getcrt 13 <CERTIFICATE FILE> [DEVICE CONNECTION STRING]
Have a look over the certificate:
> cat <CERTIFICATE FILE>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Dump the certificate using OpenSSL:
> openssl x509 -noout -text -in <CERTIFICATE FILE>
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 369432948 (0x16051974)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
Validity
Not Before: Jan 22 09:14:28 2021 GMT
Not After : Mar 6 09:14:28 2051 GMT
Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore Client, CN = 16051974
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
6f:3d:e1:a8:d2
ASN1 OID: prime256v1
NIST CURVE: P-256
Signature Algorithm: sha256WithRSAEncryption
4c:f4:a5:75:c4:a5:38:87:46:39:01:c5:98:7a:ae:af:2e:4f:
61:2d:17:70:a3:0b:fe:23:4f:1a:f7:0e:9c:48:46:cc:aa:df:
35:84:5c:55:72:d9:9a:7e:2e:43:03:95:b1:ce:1f:19:10:61:
8f:e1:e2:35:09:28:95:ef:ca:88:a3:2f:ed:34:2e:49:dc:30:
72:f3:a6:72:d8:32:36:48:b8:c9:40:a4:9a:3c:6c:41:05:4d:
81:e0:e5:95:39:6c:d2:dc:b6:77:7e:d3:24:29:e6:ed:96:52:
fb:f1:b5:b6:aa:da:d5:01:4c:f5:56:97:4a:f9:83:f2:ea:09:
7e:26:fd:f6:0a:5a:fb:c8:55:ad:f4:59:56:ae:db:7b:95:d6:
68:52:00:61:2b:90:e7:79:44:41:b5:dd:83:00:d9:91:c0:bf:
b9:83:f6:7b:80:05:63:78:da:d7:78:ef:03:44:75:f5:43:9c:
6b:14:52:1c:5f:da:4b:42:17:07:36:c9:1a:aa:ad:3e:ea:a0:
92:5c:e9:1d:61:95:18:e5:e8:47:5a:c2:ea:21:46:a2:9a:6c:
20:5e:27:e1:5b:4a:6e:d5:da:56:d1:a6:a2:8e:73:95:44:38:
60:58:6f:c9:a5:c2:3f:67:c1:19:ac:ee:c9:fb:e7:53:34:dd:
06:97:cd:d5
You may verify the following assertions:
- The public key exposed by the certificate is actually the public key returned by the SE (while the private key is kept totally secret),
- The complete subject of the certificate is C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore Client,CN=Serial Number of the Device,
- The certificate has been issued by C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA,
- The Serial Number of the Certificate is equal to the Serial Number of the Device.
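The first and last assertions can be checked mechanically. The following is an added example, not SpringCard's code: it decodes the SubjectPublicKeyInfo returned by the SE and compares the EC point and the serial number with the values printed in the certificate dump above. The function names (`tlv`, `ec_point_from_spki`, `check_dump`) are chosen for this example, and the inputs are the sample values shown on this page.

```python
import base64, re
# Copied from this page: `atecc 13 getpub` output and lines of the certificate 13 dump.
SE_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6sEYGlc4Cql7jrXhke81ZLvKMPC+
sKZdZJdqj1XZn4irGzMokqRK2PKO80xk7forIuzbnlw3OfVKM+NvPeGo0g==
-----END PUBLIC KEY-----"""
CERT_DUMP = """Serial Number: 369432948 (0x16051974)
Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore Client, CN = 16051974
pub:
04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
6f:3d:e1:a8:d2
ASN1 OID: prime256v1"""
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # OID 1.2.840.10045.3.1.7

def tlv(buf, pos=0):
    """Read one DER element; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def ec_point_from_spki(pem):
    """Return the 65-byte uncompressed P-256 point of a SubjectPublicKeyInfo PEM."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, spki, _ = tlv(base64.b64decode(b64))        # SEQUENCE SubjectPublicKeyInfo
    _, alg, nxt = tlv(spki)                        # SEQUENCE AlgorithmIdentifier
    _, alg_oid, p = tlv(alg)
    _, curve_oid, _ = tlv(alg, p)
    tag, bits, _ = tlv(spki, nxt)                  # BIT STRING subjectPublicKey
    if (alg_oid, curve_oid) != (EC_PUBLIC_KEY, PRIME256V1):
        raise ValueError("not id-ecPublicKey on prime256v1")
    if tag != 0x03 or len(bits) != 66 or bits[0] != 0 or bits[1] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    return bits[1:]

def check_dump(pem, dump):
    """Return (public keys match, certificate serial equals subject CN)."""
    hex_block = re.search(r"pub:\s*((?:[0-9a-f]{2}:?\s*)+)", dump).group(1)
    cert_point = bytes.fromhex(re.sub(r"[:\s]", "", hex_block))
    serial = re.search(r"Serial Number: \d+ \(0x([0-9a-f]+)\)", dump).group(1)
    cn = re.search(r"CN = (\S+)", dump).group(1)
    return cert_point == ec_point_from_spki(pem), serial == cn.lower()
```

With the files at hand, `openssl x509 -noout -pubkey -in <CERTIFICATE FILE>` prints the certificate's key in the same PEM form as `<PUBLIC KEY FILE>`, so the two can also be compared directly.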
CA certificate
The certificate of C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA is stored in slot 15 (0F). It is easy to retrieve it as follows:
> SpringCoreSE x509 getcrt 15 SpringCard-SpringCore-Client.crt [DEVICE CONNECTION STRING]
Here’s the dump, for reference:
> openssl x509 -noout -text -in SpringCard-SpringCore-Client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4125 (0x101d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = Ile-de-France, L = Palaiseau, O = SpringCard, OU = SpringCore, CN = SpringCore Root CA
Validity
Not Before: Jan 21 15:14:24 2021 GMT
Not After : Mar 5 15:14:24 2051 GMT
Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:fc:68:9b:40:22:1a:c5:9d:ea:3f:6e:a8:ec:
f2:02:1e:7e:cd:00:9c:f7:1f:08:82:2f:af:35:2b:
ea:82:8c:40:0f:88:e9:fd:a4:6a:b7:7f:04:4c:b5:
c8:40:60:0e:c1:30:3f:e2:b6:98:7e:e1:83:cb:81:
8c:06:fb:92:73:de:89:d2:34:93:62:71:59:48:1e:
df:bb:82:2d:e8:65:03:a3:93:d2:4a:29:24:e8:49:
dc:58:41:f7:a4:55:d8:9e:2f:7f:7e:d5:54:ec:ac:
18:4b:d8:6f:21:93:ee:a4:65:c5:73:3c:bd:98:be:
c7:a0:84:4f:ec:ad:d5:57:04:17:6e:e7:87:5b:cc:
86:02:a6:11:10:cc:ca:5c:4b:0d:f5:3b:ae:7c:7e:
29:9e:82:aa:8b:6f:03:9e:5e:0e:e9:cf:8b:61:2f:
5f:06:af:79:4b:96:e4:d6:fa:48:8c:df:19:97:42:
3b:02:ad:8d:04:63:40:e5:d1:f5:0e:e4:cd:28:80:
a5:ce:29:2d:81:db:39:67:aa:aa:ba:eb:62:46:59:
63:19:7e:22:d2:5f:cf:f4:26:f7:a3:be:47:9d:83:
0d:74:0b:58:81:ad:2c:b4:e8:93:8b:3e:7c:ee:88:
12:48:b8:95:2d:6c:70:b1:3f:10:c5:68:71:54:96:
cf:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F3:83:F9:7A:C9:F5:51:B4:3E:28:59:03:F1:2E:6C:DD:8C:47:5B:BC
X509v3 Authority Key Identifier:
keyid:85:68:31:AE:D2:3F:4A:C4:E2:2B:0B:06:20:88:C5:93:A5:DD:92:54
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
a7:40:e8:09:88:40:a6:28:84:30:ab:c4:b9:d8:8d:a3:9e:da:
de:43:68:18:b9:ea:fb:7d:58:8d:5e:ad:09:52:d4:9e:f4:53:
57:41:5f:8c:23:11:ba:3e:bd:27:00:a5:82:82:04:c6:95:f0:
73:bb:b7:c6:33:af:98:6f:11:2e:91:3a:12:72:85:7c:4a:0d:
47:bc:b9:37:dd:ee:df:57:7c:56:7a:24:10:c6:8e:1e:c8:d4:
d1:e2:dd:d5:55:f3:13:c9:95:e4:da:45:b5:99:e2:46:56:1c:
84:f6:fb:68:df:04:d6:a7:c3:0e:5c:e1:26:35:b4:b4:6f:14:
4d:1d:0e:4f:d2:18:bd:de:5e:03:5a:4e:54:ac:8a:2c:dd:2a:
25:1a:47:96:40:29:f3:b6:c0:27:f5:53:6e:69:c6:f3:a1:1d:
ab:d3:11:fd:1b:7e:b5:c9:10:6f:36:cf:83:b8:25:29:d9:30:
17:ec:16:c0:82:20:b5:4b:43:bf:4a:db:94:35:33:48:8b:f7:
9b:d2:52:6c:3d:53:11:a5:9f:b7:f2:31:a2:9e:13:75:6f:1e:
1b:9c:32:73:02:6c:c0:6a:4c:e6:df:e1:70:d2:7f:82:98:8f:
a7:a4:93:9b:1e:48:aa:b0:5c:b7:57:ab:bc:d7:ee:9d:67:16:
c0:84:50:45
You may also download this certificate here: SpringCard-SpringCore-Client.crt.