Device's certificate and public key
April 13, 2023 at 2:40 AM
SpringCoreSE is the command-line tool that gives access to all the PKI and cryptographic features of the SpringCore device. Please refer to docs.springcard.com/books/Tools/SpringCore/SpringCoreSE for reference.
To work with certificates and public keys, OpenSSL is the tool. There are many tutorials on the web, for instance the OpenSSL PKI Tutorial at readthedocs.io.
Read the ECC public key from slot 13 (0Dh)
> SpringCoreSE atecc 13 getpub <PUBLIC KEY FILE> [DEVICE CONNECTION STRING]
Have a look over the public key:
> cat <PUBLIC KEY FILE>
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6sEYGlc4Cql7jrXhke81ZLvKMPC+
sKZdZJdqj1XZn4irGzMokqRK2PKO80xk7forIuzbnlw3OfVKM+NvPeGo0g==
-----END PUBLIC KEY-----
Dump the public key using OpenSSL:
> openssl ec -noout -text -inform PEM -in <PUBLIC KEY FILE> -pubin
read EC key
Public-Key: (256 bit)
pub:
04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
6f:3d:e1:a8:d2
ASN1 OID: prime256v1
NIST CURVE: P-256
Read the X509 certificate from slot 13 (0Dh)
> SpringCoreSE x509 getcrt 13 <CERTIFICATE FILE> [DEVICE CONNECTION STRING]
Have a look over the certificate:
> cat <CERTIFICATE FILE>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Dump the certificate using OpenSSL:
> openssl x509 -noout -text -in <CERTIFICATE FILE>
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 369432948 (0x16051974)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
Validity
Not Before: Jan 22 09:14:28 2021 GMT
Not After : Mar 6 09:14:28 2051 GMT
Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore Client, CN = 16051974
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ea:c1:18:1a:57:38:0a:a9:7b:8e:b5:e1:91:ef:
35:64:bb:ca:30:f0:be:b0:a6:5d:64:97:6a:8f:55:
d9:9f:88:ab:1b:33:28:92:a4:4a:d8:f2:8e:f3:4c:
64:ed:fa:2b:22:ec:db:9e:5c:37:39:f5:4a:33:e3:
6f:3d:e1:a8:d2
ASN1 OID: prime256v1
NIST CURVE: P-256
Signature Algorithm: sha256WithRSAEncryption
4c:f4:a5:75:c4:a5:38:87:46:39:01:c5:98:7a:ae:af:2e:4f:
61:2d:17:70:a3:0b:fe:23:4f:1a:f7:0e:9c:48:46:cc:aa:df:
35:84:5c:55:72:d9:9a:7e:2e:43:03:95:b1:ce:1f:19:10:61:
8f:e1:e2:35:09:28:95:ef:ca:88:a3:2f:ed:34:2e:49:dc:30:
72:f3:a6:72:d8:32:36:48:b8:c9:40:a4:9a:3c:6c:41:05:4d:
81:e0:e5:95:39:6c:d2:dc:b6:77:7e:d3:24:29:e6:ed:96:52:
fb:f1:b5:b6:aa:da:d5:01:4c:f5:56:97:4a:f9:83:f2:ea:09:
7e:26:fd:f6:0a:5a:fb:c8:55:ad:f4:59:56:ae:db:7b:95:d6:
68:52:00:61:2b:90:e7:79:44:41:b5:dd:83:00:d9:91:c0:bf:
b9:83:f6:7b:80:05:63:78:da:d7:78:ef:03:44:75:f5:43:9c:
6b:14:52:1c:5f:da:4b:42:17:07:36:c9:1a:aa:ad:3e:ea:a0:
92:5c:e9:1d:61:95:18:e5:e8:47:5a:c2:ea:21:46:a2:9a:6c:
20:5e:27:e1:5b:4a:6e:d5:da:56:d1:a6:a2:8e:73:95:44:38:
60:58:6f:c9:a5:c2:3f:67:c1:19:ac:ee:c9:fb:e7:53:34:dd:
06:97:cd:d5
You may verify the following assertions:
- The public key exposed by the certificate is actually the public key returned by the SE (while the private key is kept totally secret),
- The complete subject of the certificate is C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore Client,CN=<Serial Number of the Device>,
- The certificate has been issued by C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA,
- The Serial Number of the Certificate is equal to the Serial Number of the Device.
CA certificate
The certificate of C=FR,ST=Ile-de-France,O=SpringCard,OU=SpringCore,CN=SpringCore Client CA is stored in slot 15 (0Fh). It is easy to retrieve it as follows:
> SpringCoreSE x509 getcrt 15 SpringCard-SpringCore-Client.crt [DEVICE CONNECTION STRING]
Here’s the dump, for reference:
> openssl x509 -noout -text -in SpringCard-SpringCore-Client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4125 (0x101d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = Ile-de-France, L = Palaiseau, O = SpringCard, OU = SpringCore, CN = SpringCore Root CA
Validity
Not Before: Jan 21 15:14:24 2021 GMT
Not After : Mar 5 15:14:24 2051 GMT
Subject: C = FR, ST = Ile-de-France, O = SpringCard, OU = SpringCore, CN = SpringCore Client CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:fc:68:9b:40:22:1a:c5:9d:ea:3f:6e:a8:ec:
f2:02:1e:7e:cd:00:9c:f7:1f:08:82:2f:af:35:2b:
ea:82:8c:40:0f:88:e9:fd:a4:6a:b7:7f:04:4c:b5:
c8:40:60:0e:c1:30:3f:e2:b6:98:7e:e1:83:cb:81:
8c:06:fb:92:73:de:89:d2:34:93:62:71:59:48:1e:
df:bb:82:2d:e8:65:03:a3:93:d2:4a:29:24:e8:49:
dc:58:41:f7:a4:55:d8:9e:2f:7f:7e:d5:54:ec:ac:
18:4b:d8:6f:21:93:ee:a4:65:c5:73:3c:bd:98:be:
c7:a0:84:4f:ec:ad:d5:57:04:17:6e:e7:87:5b:cc:
86:02:a6:11:10:cc:ca:5c:4b:0d:f5:3b:ae:7c:7e:
29:9e:82:aa:8b:6f:03:9e:5e:0e:e9:cf:8b:61:2f:
5f:06:af:79:4b:96:e4:d6:fa:48:8c:df:19:97:42:
3b:02:ad:8d:04:63:40:e5:d1:f5:0e:e4:cd:28:80:
a5:ce:29:2d:81:db:39:67:aa:aa:ba:eb:62:46:59:
63:19:7e:22:d2:5f:cf:f4:26:f7:a3:be:47:9d:83:
0d:74:0b:58:81:ad:2c:b4:e8:93:8b:3e:7c:ee:88:
12:48:b8:95:2d:6c:70:b1:3f:10:c5:68:71:54:96:
cf:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F3:83:F9:7A:C9:F5:51:B4:3E:28:59:03:F1:2E:6C:DD:8C:47:5B:BC
X509v3 Authority Key Identifier:
keyid:85:68:31:AE:D2:3F:4A:C4:E2:2B:0B:06:20:88:C5:93:A5:DD:92:54
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
a7:40:e8:09:88:40:a6:28:84:30:ab:c4:b9:d8:8d:a3:9e:da:
de:43:68:18:b9:ea:fb:7d:58:8d:5e:ad:09:52:d4:9e:f4:53:
57:41:5f:8c:23:11:ba:3e:bd:27:00:a5:82:82:04:c6:95:f0:
73:bb:b7:c6:33:af:98:6f:11:2e:91:3a:12:72:85:7c:4a:0d:
47:bc:b9:37:dd:ee:df:57:7c:56:7a:24:10:c6:8e:1e:c8:d4:
d1:e2:dd:d5:55:f3:13:c9:95:e4:da:45:b5:99:e2:46:56:1c:
84:f6:fb:68:df:04:d6:a7:c3:0e:5c:e1:26:35:b4:b4:6f:14:
4d:1d:0e:4f:d2:18:bd:de:5e:03:5a:4e:54:ac:8a:2c:dd:2a:
25:1a:47:96:40:29:f3:b6:c0:27:f5:53:6e:69:c6:f3:a1:1d:
ab:d3:11:fd:1b:7e:b5:c9:10:6f:36:cf:83:b8:25:29:d9:30:
17:ec:16:c0:82:20:b5:4b:43:bf:4a:db:94:35:33:48:8b:f7:
9b:d2:52:6c:3d:53:11:a5:9f:b7:f2:31:a2:9e:13:75:6f:1e:
1b:9c:32:73:02:6c:c0:6a:4c:e6:df:e1:70:d2:7f:82:98:8f:
a7:a4:93:9b:1e:48:aa:b0:5c:b7:57:ab:bc:d7:ee:9d:67:16:
c0:84:50:45
You may also download this certificate here: SpringCard-SpringCore-Client.crt.
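As an added example (not SpringCard's code and not part of the SpringCoreSE tool), the following POSIX shell script automates the assertions listed after the device certificate dump, and uses the Client CA certificate read from slot 15 to check that the device certificate really chains to it. It assumes openssl 1.1.0 or later on PATH and takes the files written by SpringCoreSE atecc 13 getpub, SpringCoreSE x509 getcrt 13 and SpringCoreSE x509 getcrt 15. The function make_demo_material() is a constructed stand-in for those files (a throwaway Root CA, a Client CA with pathlen 0, a P-256 device key, and a device certificate whose CN equals its serial number 16051974, mirroring the dumps above) so the script can be exercised without a device; the file names, the fingerprint comparison and the PASS/FAIL reporting are this example's own choices.

```shell
#!/bin/sh
# Added example, not SpringCard's code: checks the assertions made above about the
# device certificate, then verifies the chain against the slot-15 Client CA.
# Assumes openssl (1.1.0+) on PATH. Files: <PUBLIC KEY FILE> from "SpringCoreSE atecc
# 13 getpub", <CERTIFICATE FILE> from "SpringCoreSE x509 getcrt 13", CA file from
# "SpringCoreSE x509 getcrt 15". make_demo_material() fabricates look-alike files.

# SHA-256 of the DER form of a PEM public key file (independent of PEM line wrapping)
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint, for the public key carried inside a certificate
cert_pubkey_fingerprint() {
    openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Assertion 1: the key exported by the SE is the key in the certificate
pubkey_matches() { [ "$(pubkey_fingerprint "$1")" = "$(cert_pubkey_fingerprint "$2")" ]; }

# Subject / issuer in the "C=FR,ST=...,CN=..." form used in the text (no spaces, C first)
cert_subject() { openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1" | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt sep_comma_plus -in "$1" | sed 's/^issuer=//'; }

# Serial number as upper-case hex without "0x" (openssl prints "serial=16051974")
cert_serial_hex() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

# CN attribute of the subject (last RDN in the SpringCore certificates)
cert_cn() { cert_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# Assertion 4: certificate serial number == device serial number carried in the CN
serial_matches_cn() { [ "$(cert_serial_hex "$1")" = "$(cert_cn "$1")" ]; }

# Chain check: the device certificate must be signed by the Client CA ($2).
# -partial_chain lets the Client CA act as trust anchor although it is itself issued
# by the Root CA; without it openssl verify insists on a self-signed root.
chain_ok() { openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; }

# Run "$@" as a check, print PASS/FAIL with the check's name, remember any failure
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; FAILED=1; fi; }

# run_checks <PUBLIC KEY FILE> <CERTIFICATE FILE> [CA FILE]; returns 1 if any check fails
run_checks() {
    FAILED=0
    report pubkey_matches "$1" "$2"
    report serial_matches_cn "$2"
    echo "subject: $(cert_subject "$2")"
    echo "issuer:  $(cert_issuer "$2")"
    if [ -n "$3" ]; then report chain_ok "$2" "$3"; fi
    return $FAILED
}

# Constructed demo material (NOT real SpringCard certificates): Root CA -> Client CA
# (pathlen 0) -> device certificate with an EC P-256 key and CN = serial, as above.
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=FR/ST=Ile-de-France/L=Palaiseau/O=SpringCard/OU=SpringCore/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FR/ST=Ile-de-France/O=SpringCard/OU=SpringCore/CN=Demo Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/ca.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
    openssl pkey -in "$dir/device.key" -pubout -out "$dir/device.pub"   # stands in for "getpub" output
    openssl req -new -sha256 -key "$dir/device.key" \
        -subj "/C=FR/ST=Ile-de-France/O=SpringCard/OU=SpringCore Client/CN=16051974" -out "$dir/device.csr"
    openssl x509 -req -sha256 -days 30 -in "$dir/device.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 0x16051974 -out "$dir/device.crt" 2>/dev/null
}

if [ $# -ge 2 ]; then
    run_checks "$@"      # real files produced by SpringCoreSE
else
    echo "usage: $0 <PUBLIC KEY FILE> <CERTIFICATE FILE> [CA CERTIFICATE FILE]" >&2
fi
```

Run it as sh check_device_cert.sh <PUBLIC KEY FILE> <CERTIFICATE FILE> SpringCard-SpringCore-Client.crt. Note that the slot-15 certificate is not self-signed (its issuer is SpringCore Root CA), so a plain openssl verify -CAfile SpringCard-SpringCore-Client.crt reports "unable to get issuer certificate"; the script passes -partial_chain so that the Client CA read from the device is accepted as the trust anchor.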