Appendixes PKI keys and certificates

April 13, 2023 at 2:40 AM

PKI keys and certificates

ECC keys

SpringCore devices featuring a ECC Secure Element have the ability to store and use ECC private keys (all keys use the P-256 curve).

The private keys can be used to authenticate the device and/or to establish TLS (Transport Layer Security) communication channels. To do so, they have to be associated to an X509 certificate that the remote peer will validate against its PKI (Public Key Infrastructure) policy and trusted Certificate Authorities (CA).

There are 14 private keys in the device, numbered 0 to 13 (0D).

  • ECC private keys 10 to 13 (0A to 0D) are generated inside the device in factory and not changeable afterwards.
  • ECC private keys 0 to 9 (00 to 09) are not populated when the device leaves the factory. Depending on the application, the integrator may either have the device generate the new key internally, or an externally-generated key may be downloaded into the device’s ATECC. Use SpringCoreSE to do so.

X509 certificates

The SpringCore devices also feature a Certificate Store to store up to 16 certificates (see details in the mapping).

Certificates 10 to 15 (0A to 0F) are defined in factory and can’t be modified afterwards.

  • Certificate 10 to 13 (0A to 0D) are the certificates for the corresponding ECC private keys, computed by 4 CAs (one for every usage).
  • Certificates 14 and 15 (0E and 0F) are the certificate for two of the said CAs.
  • Certificate 0 to 9 (00 to 09) are freely usable by integrators and developers. They could either store a customer-defined certificate for the device, or the certificates of the servers or PKI infrastructure the device will be client of. Use SpringCoreSE (or maybe SpringCoreConfig) to do so. For convenience, certificates 7, 8 and 9 (07, 08 and 09) are populated in factory, by they could be overwritten with no impact on the device.

Implementing a secure solution using TLS and PKI

Put all together, ECC keys, X509 certificates and the MQTT+TLS client make it possible to connect the SpringCore device to the Cloud securely.

The following chapters are a step-by-step howto to do so.

Customer keys and certificates

Please contact SpringCard for advanced support and/or consultancy service should you plan to use SpringCore devices with your own PKI.

SpringCard technical experts are able to help you design and validate your system’s architecture with a focus on the security scheme. Your own certificates could be inserted by SpringCard in factory to ease provisioning and deployment.