Options for MQTTS connection (MQTT over TLS)

Address : 0288 (bank 2, register 88)

Size : 5 bytes

Default : 0000000000

Content

Byte 0 : Settings

Bit 7 : RFU
Bit 6 : How is the verification of the Server’s certificate performed?
  0 : Public key only - Another certificate could be accepted, provided that it belongs to the same key
  1 : Exact - The certificate exposed by the Server shall be exactly the one known by the product
Bits 5-4 : How to handle the Server’s certificate
  0 : Accept any (trust all certificates)
  1 : Verify Server
  2 : Verify CA (no chaining)
  3 : Verify PKI (CA with chaining)
Bit 3 : RFU
Bit 2 : Enable or disable verification of the CN (Server Name) in the Server’s certificate
  0 : Accept any CN in the Server’s certificate
  1 : Verify that the CN in the Server’s certificate matches its Server Name
Bit 1 : Enable or disable SNI (Server Name Indication) in the TLS handshake
  0 : SNI is disabled
  1 : SNI is enabled
Bit 0 : Enable or disable TLS
  0 : TLS is disabled (all other settings in this register are ignored)
  1 : TLS is enabled

Byte 1 : Server or Server CA certificate

Bits 7-4 : RFU
Bits 3-0 : Index of the CA’s or Server’s certificate
  0 : Certificate 0 (user)
  1 : Certificate 1 (user)
  2 : Certificate 2 (user)
  3 : Certificate 3 (user)
  4 : Certificate 4 (user)
  5 : Certificate 5 (user)
  6 : Certificate 6 (user)
  7 : Certificate 7 (user)
  8 : Certificate 8 (user/out of factory: SpringCard MQTT)
  9 : Certificate 9 (user/out of factory: AWS MQTT)
  10 : Certificate A (Direct)
  11 : Certificate B (Secure messaging)
  12 : Certificate C (TLS server)
  13 : Certificate D (TLS client)
  14 : Certificate E (CA SpringCard Device, server)
  15 : Certificate F (CA SpringCard Device, client)

Byte 2 : Client certificate

Bit 7 : Enable or disable the Client Authentication
  0 : TLS Client Auth is disabled
  1 : TLS Client Auth is enabled
Bits 6-4 : RFU
Bits 3-0 : Index of the Client’s certificate
  0 : Certificate 0 (user)
  1 : Certificate 1 (user)
  2 : Certificate 2 (user)
  3 : Certificate 3 (user)
  4 : Certificate 4 (user)
  5 : Certificate 5 (user)
  6 : Certificate 6 (user)
  7 : Certificate 7 (user)
  8 : Certificate 8 (user/out of factory: SpringCard MQTT)
  9 : Certificate 9 (user/out of factory: AWS MQTT)
  10 : Certificate A (Direct)
  11 : Certificate B (Secure messaging)
  12 : Certificate C (TLS server)
  13 : Certificate D (TLS client)
  14 : Certificate E (CA SpringCard Device, server)
  15 : Certificate F (CA SpringCard Device, client)

Remarks

Bits 3-0 : Index of the Client’s certificate

The certificate must match the private key defined in byte 3.

Byte 3 : Client private key

Bits 7-6 : Which Secure Element contains the Client’s private key
  0 : Raw (private key is stored in the NVM - DO NOT USE)
  1 : ATECC
  2 : RFU (ECC)
  3 : RFU (RSA)
Bits 5-4 : RFU
Bits 3-0 : Index of the Client’s private key
  0 : Key at index 0 (ATECC: user key)
  1 : Key at index 1 (ATECC: user key)
  2 : Key at index 2 (ATECC: user key)
  3 : Key at index 3 (ATECC: user key)
  4 : Key at index 4 (ATECC: user key)
  5 : Key at index 5 (ATECC: user key)
  6 : Key at index 6 (ATECC: user key)
  7 : Key at index 7 (ATECC: user key)
  8 : Key at index 8 (ATECC: user key)
  9 : Key at index 9 (ATECC: user key)
  10 : Key at index A (ATECC: key associated to Certificate A)
  11 : Key at index B (ATECC: key associated to Certificate B)
  12 : Key at index C (ATECC: key associated to Certificate C)
  13 : Key at index D (ATECC: key associated to Certificate D)
  14 : Key at index E (ATECC: non-existing key)
  15 : Key at index F (ATECC: non-existing key)

Byte 4 : Client CA certificate

Bit 7 : Chain the CA certificate with the client certificate
  0 : Don’t chain the CA certificate with the client certificate
  1 : Chain the CA certificate with the client certificate
Bits 6-4 : RFU
Bits 3-0 : Index of the Client CA certificate
  0 : Certificate 0 (user)
  1 : Certificate 1 (user)
  2 : Certificate 2 (user)
  3 : Certificate 3 (user)
  4 : Certificate 4 (user)
  5 : Certificate 5 (user)
  6 : Certificate 6 (user)
  7 : Certificate 7 (user)
  8 : Certificate 8 (user/out of factory: SpringCard MQTT)
  9 : Certificate 9 (user/out of factory: AWS MQTT)
  10 : Certificate A (Direct)
  11 : Certificate B (Secure messaging)
  12 : Certificate C (TLS server)
  13 : Certificate D (TLS client)
  14 : Certificate E (CA SpringCard Device, server)
  15 : Certificate F (CA SpringCard Device, client)
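As an added example (not SpringCard’s own code), the Python below splits a value of this register into the fields documented above and reports the settings that weaken broker authentication or key protection; the two register values are constructed for illustration, with the hardened one pointing at Certificate 9 (AWS MQTT) and an ATECC-held client key.

```python
# Added example: decode register 0288 (5 bytes, bank 2 / register 88) and
# audit it. Field names are ours; bit positions follow the tables above.

def decode_mqtts_options(reg: bytes) -> dict:
    """Split the 5-byte MQTTS options register into its documented fields."""
    if len(reg) != 5:
        raise ValueError("register 0288 is exactly 5 bytes")
    b0, b1, b2, b3, b4 = reg
    return {
        "tls_enabled":       bool(b0 & 0x01),        # byte 0 bit 0
        "sni_enabled":       bool(b0 & 0x02),        # byte 0 bit 1
        "verify_cn":         bool(b0 & 0x04),        # byte 0 bit 2
        "server_cert_mode":  (b0 >> 4) & 0x03,       # 0 any, 1 server, 2 CA, 3 PKI
        "exact_cert_match":  bool(b0 & 0x40),        # byte 0 bit 6
        "server_cert_index": b1 & 0x0F,              # byte 1 bits 3-0
        "client_auth":       bool(b2 & 0x80),        # byte 2 bit 7
        "client_cert_index": b2 & 0x0F,              # byte 2 bits 3-0
        "key_storage":       (b3 >> 6) & 0x03,       # 0 raw NVM, 1 ATECC
        "client_key_index":  b3 & 0x0F,              # byte 3 bits 3-0
        "chain_client_ca":   bool(b4 & 0x80),        # byte 4 bit 7
        "client_ca_index":   b4 & 0x0F,              # byte 4 bits 3-0
    }

def audit_mqtts_options(reg: bytes) -> list:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    f = decode_mqtts_options(reg)
    if not f["tls_enabled"]:
        return ["byte 0 bit 0 = 0: TLS disabled, MQTT traffic and credentials are sent in clear"]
    findings = []
    if f["server_cert_mode"] == 0:
        findings.append("byte 0 bits 5-4 = 0: any server certificate accepted, broker is not authenticated")
    if not f["verify_cn"]:
        findings.append("byte 0 bit 2 = 0: CN not checked, a trusted certificate for any host is accepted")
    if f["client_auth"]:
        if f["key_storage"] == 0:
            findings.append("byte 3 bits 7-6 = 0: client private key in raw NVM (documented DO NOT USE)")
        elif f["key_storage"] == 1 and f["client_key_index"] in (14, 15):
            findings.append("byte 3 bits 3-0 = E/F: non-existing ATECC key selected")
    return findings

# Constructed values: TLS+SNI+CN check+Verify PKI, server cert 9, client auth
# with cert 0 and ATECC key 0 -> no findings; TLS on but everything else 0.
HARDENED = bytes.fromhex("3709804000")
WEAK = bytes.fromhex("0100800000")

if __name__ == "__main__":
    for name, reg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_mqtts_options(reg) or ["ok"])
```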