PKI keys and certificates

Overview

SpringCore devices featuring a ECC Secure Element have the ability to store and use ECC private keys (all keys use the P-256 curve).

The private keys can be used to authenticate the device and/or to establish TLS (Transport Layer Security) communication channels. To do so, they have to be associated to an X509 certificate that the remote peer will validate against its PKI (Public Key Infrastructure) policy and trusted Certificate Authorities (CA).

Manipulation of the device's keys and certificates has to be done using SpringCoreSE and SpringCoreTool command line utilities only, OpenSSL being the basic toolkit for everything else.

ECC keys

There are 14 private keys in the device, numbered 0 to 13 (0D).

  • ECC private keys 10 to 13 (0A to 0D) are generated inside the device in factory and not changeable afterwards.
  • ECC private keys 0 to 9 (00 to 09) are not populated when the device leaves the factory. Depending on the application, the integrator may either have the device generate the new key internally, or an externally-generated key may be downloaded into the device's ATECC. Use SpringCoreSE to do so.

X509 certificates

The device is able to store up to 16 X509 certificates (see details in the mapping).

Certificates 10 to 15 (0A to 0F) are defined in factory and can't be modified afterwards.

  • Certificate 10 to 13 (0A to 0D) are the certificates for the corresponding ECC private keys, computed by 4 CAs (one for every usage).
  • Certificates 14 and 15 (0E and 0F) are the certificate for two of the said CAs.
  • Certificate 0 to 9 (00 to 09) are freely usable by integrators and developers. They could either store a customer-defined certificate for the device, or the certificates of the servers or PKI infrastructure the device will be client of. Use SpringCoreSE (or maybe SpringCoreConfig) to do so. For convenience, certificates 7, 8 and 9 (07, 08 and 09) are populated in factory, by they could be overwritten with no impact on the device.

SpringCore PKI hierarchy

The subject of every certificates actually begins with C=FR,ST=Ile-de-France,L=Palaiseau,O=SpringCard. For the ease of reading, only the OU= and CN= parts are specified in the following paragraphs.

Certificates for the SpringCore devices and the related cloud-based services are structured as follow:

  • The subject of the Root CA is OU=SpringCore,CN=SpringCore Root CA; the self-signed certificate is available here: SpringCard-SpringCore-Root.crt. It is stored in the devices at index 07.
  • The Direct intermediate CA signs the device's certificate used for remote Direct communication. Its subject is OU=SpringCore,CN=SpringCore Direct CA and its certificate is available here: SpringCard-SpringCore-Direct.crt.
  • The Messaging intermediate CA signs the device's certificate used for secure messaging. Its subject is OU=SpringCore,CN=SpringCore Messaging CA and its certificate is available here: SpringCard-SpringCore-Messaging.crt.
  • The Server intermediate CA signs the device's certificate used for operation as TLS server. Its subject is OU=SpringCore,CN=SpringCore Server CA and its certificate is available here: SpringCard-SpringCore-Server.crt. It is stored in the devices at index 0E.
  • The Client intermediate CA signs the device's certificate used for operation as TLS client. Its subject is OU=SpringCore,CN=SpringCore Client CA and its certificate is available here: SpringCard-SpringCore-Client.crt. It is stored in the devices at index 0F.
  • The Cloud intermediate CA signs the certificates of the cloud-based services operating as TLS server. Its subject is OU=SpringCore,CN=SpringCore Cloud CA and its certificate is available here: SpringCard-SpringCore-Cloud.crt.

Keys and certificates loaded in factory

Device's keys and their certificates

ECC private keys are generated in factory; they are associated to certificates 10 to 13 (0A to 0D). None of this keys and certificates can not be changed after the device has been issued.

They are intended for the following usages:

Key / Cert Usage Subject of the certificate Issuer
0A Securing the Direct protocol OU=SpringCore Direct,CN=SerialNumber OU=SpringCore,CN=SpringCore Direct CA
0B Secure Messaging OU=SpringCore Messaging,CN=SerialNumber OU=SpringCore,CN=SpringCore Messaging CA
0C TLS communication when running as a server OU=SpringCore Server,CN=SerialNumber OU=SpringCore,CN=SpringCore Server CA (certificate in slot 0E)
0D TLS communication when running as a client OU=SpringCore Client,CN=SerialNumber OU=SpringCore,CN=SpringCore Client CA (certificate in slot 0F)

Certificates of the CAs used by device's certificates

Certificates 14 and 15 (0E and 0F) are initialized as follow:

Cert Contains Subject of the certificate Issuer
0E Certificate of the CA that has issued certificate 12 (0C) OU=SpringCore,CN=SpringCore Server CA OU=SpringCore,CN=SpringCore Root CA (certificate in slot 07)
0F Certificate of the CA that has issued certificate 13 (0D) OU=SpringCore,CN=SpringCore Client CA OU=SpringCore,CN=SpringCore Root CA (certificate in slot 07)

They can not be changed after the device has been issued.

Other certificates

Certificates 8 and 9 (08 and 0A) are initialized as follow:

Cert Contains Subject of the certificate Issuer
07 Root certificate for all SpringCore-related CAs OU=SpringCore,CN=SpringCore Root CA self
08 Certificate of MQTT server mqtt.springcard.com OU=SpringCore Cloud,CN=mqtt.springcard.com OU=SpringCore,CN=SpringCore Cloud CA
09 Amazon's root certificate (for demos using AWS) C=US,O=Amazon,CN=Amazon Root CA 1 self

They still can be changed even after the device has been issued.

Customer keys and certificates

Please contact SpringCard for advanced support and/or consultancy service should you plan to use SpringCore devices with your own PKI.

SpringCard technical experts are able to help you design and validate your system's architecture with a focus on the security scheme. Your own certificates could be inserted by SpringCard in factory to ease provisioning and deployment.