Non-volatile memory Configuration MQTT Client TLS Options
March 25, 2024 at 8:45 AM

Options for MQTTS connection (MQTT over TLS)

Address : 0288 (bank 2, register 88)
Size : 5 bytes
Default : 0000000000

Content
Byte 0 : Settings
Bit | Role | Values
---|---|---
7 | RFU |
6 | How the verification of the Server's certificate is performed | 0 : Public key only (another certificate could be accepted, provided that it carries the same key); 1 : Exact (the certificate exposed by the Server shall be exactly the one known by the product)
5-4 | How to handle the Server's certificate | 0 : Accept any (trust all certificates); 1 : Verify Server; 2 : Verify CA (no chaining); 3 : Verify PKI (CA with chaining)
3 | RFU |
2 | Enable or disable verification of the CN (Server Name) in the Server's certificate | 0 : Accept any CN in the Server's certificate; 1 : Verify that the CN in the Server's certificate matches its Server Name
1 | Enable or disable SNI (Server Name Indication) in the TLS handshake | 0 : SNI is disabled; 1 : SNI is enabled
0 | Enable or disable TLS | 0 : TLS is disabled (all other settings in this register are ignored); 1 : TLS is enabled
Byte 1 : Server or Server CA certificate
Bit | Role | Values
---|---|---
7-4 | RFU |
3-0 | Index of the CA's or Server's certificate | 0 to 7 : Certificate 0 to 7 (user); 8 : Certificate 8 (user, out of factory: SpringCard MQTT); 9 : Certificate 9 (user, out of factory: AWS MQTT); 10 : Certificate A (Direct); 11 : Certificate B (Secure messaging); 12 : Certificate C (TLS server); 13 : Certificate D (TLS client); 14 : Certificate E (CA SpringCard Device, server); 15 : Certificate F (CA SpringCard Device, client)
Byte 2 : Client certificate
Bit | Role | Values
---|---|---
7 | Enable or disable Client Authentication | 0 : TLS Client Auth is disabled; 1 : TLS Client Auth is enabled
6-4 | RFU |
3-0 | Index of the Client's certificate | 0 to 7 : Certificate 0 to 7 (user); 8 : Certificate 8 (user, out of factory: SpringCard MQTT); 9 : Certificate 9 (user, out of factory: AWS MQTT); 10 : Certificate A (Direct); 11 : Certificate B (Secure messaging); 12 : Certificate C (TLS server); 13 : Certificate D (TLS client); 14 : Certificate E (CA SpringCard Device, server); 15 : Certificate F (CA SpringCard Device, client)
Remarks
Bits 3-0: Index of the Client's certificate. The certificate must match the private key defined in byte 3.
Byte 3 : Client private key
Bit | Role | Values
---|---|---
7-6 | Which Secure Element contains the Client's private key | 0 : Raw (private key is stored in the NVM, DO NOT USE); 1 : ATECC; 2 : RFU (ECC); 3 : RFU (RSA)
5-4 | RFU |
3-0 | Index of the Client's private key | 0 to 9 : Key at index 0 to 9 (ATECC: user key); 10 : Key at index A (ATECC: key associated to Certificate A); 11 : Key at index B (ATECC: key associated to Certificate B); 12 : Key at index C (ATECC: key associated to Certificate C); 13 : Key at index D (ATECC: key associated to Certificate D); 14 : Key at index E (ATECC: non-existing key); 15 : Key at index F (ATECC: non-existing key)
Byte 4 : Client CA certificate
Bit | Role | Values
---|---|---
7 | Chain the CA certificate with the client certificate | 0 : Don't chain the CA certificate with the client certificate; 1 : Chain the CA certificate with the client certificate
6-4 | RFU |
3-0 | Index of the Client CA certificate | 0 to 7 : Certificate 0 to 7 (user); 8 : Certificate 8 (user, out of factory: SpringCard MQTT); 9 : Certificate 9 (user, out of factory: AWS MQTT); 10 : Certificate A (Direct); 11 : Certificate B (Secure messaging); 12 : Certificate C (TLS server); 13 : Certificate D (TLS client); 14 : Certificate E (CA SpringCard Device, server); 15 : Certificate F (CA SpringCard Device, client)
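The following is an added worked example, not SpringCard code, that packs and unpacks the five register bytes described above and flags the settings a reviewer would question (TLS off, "accept any" server certificate, CN check off, raw private key in NVM, non-existing key index). The field names, the `MqttTlsOptions` class and the audit wording are assumptions made for the example; the bit positions and value meanings come from the tables on this page, and RFU bits are written as 0 and ignored when decoding.

```python
from dataclasses import dataclass

# Byte 0 (Settings) bit positions, as given in the register description.
BIT_TLS_ENABLE = 0
BIT_SNI_ENABLE = 1
BIT_CN_VERIFY = 2
SHIFT_SERVER_CHECK = 4   # bits 5-4: 0 accept any, 1 verify server, 2 verify CA, 3 verify PKI
BIT_EXACT_MATCH = 6      # 0 public key only, 1 exact certificate


@dataclass
class MqttTlsOptions:
    """Decoded view of the 5-byte register at address 0288 (bank 2, register 88). Hypothetical helper."""
    tls_enabled: bool = False        # byte 0 bit 0
    sni_enabled: bool = False        # byte 0 bit 1
    verify_cn: bool = False          # byte 0 bit 2
    server_check: int = 0            # byte 0 bits 5-4
    exact_match: bool = False        # byte 0 bit 6
    server_cert_index: int = 0       # byte 1 bits 3-0
    client_auth: bool = False        # byte 2 bit 7
    client_cert_index: int = 0       # byte 2 bits 3-0
    key_store: int = 0               # byte 3 bits 7-6 (0 raw NVM, 1 ATECC)
    key_index: int = 0               # byte 3 bits 3-0
    chain_ca: bool = False           # byte 4 bit 7
    client_ca_index: int = 0         # byte 4 bits 3-0

    def encode(self) -> bytes:
        """Pack the options into the 5 register bytes, rejecting out-of-range fields."""
        for name, value, width in (
            ("server_check", self.server_check, 2),
            ("server_cert_index", self.server_cert_index, 4),
            ("client_cert_index", self.client_cert_index, 4),
            ("key_store", self.key_store, 2),
            ("key_index", self.key_index, 4),
            ("client_ca_index", self.client_ca_index, 4),
        ):
            if not 0 <= value < (1 << width):
                raise ValueError(f"{name}={value} does not fit in {width} bits")
        byte0 = (
            (int(self.tls_enabled) << BIT_TLS_ENABLE)
            | (int(self.sni_enabled) << BIT_SNI_ENABLE)
            | (int(self.verify_cn) << BIT_CN_VERIFY)
            | (self.server_check << SHIFT_SERVER_CHECK)
            | (int(self.exact_match) << BIT_EXACT_MATCH)
        )
        byte2 = (int(self.client_auth) << 7) | self.client_cert_index
        byte3 = (self.key_store << 6) | self.key_index
        byte4 = (int(self.chain_ca) << 7) | self.client_ca_index
        return bytes([byte0, self.server_cert_index, byte2, byte3, byte4])

    @classmethod
    def decode(cls, raw: bytes) -> "MqttTlsOptions":
        """Unpack 5 register bytes; RFU bits are ignored."""
        if len(raw) != 5:
            raise ValueError("register is 5 bytes long")
        b0, b1, b2, b3, b4 = raw
        return cls(
            tls_enabled=bool(b0 & (1 << BIT_TLS_ENABLE)),
            sni_enabled=bool(b0 & (1 << BIT_SNI_ENABLE)),
            verify_cn=bool(b0 & (1 << BIT_CN_VERIFY)),
            server_check=(b0 >> SHIFT_SERVER_CHECK) & 0x3,
            exact_match=bool(b0 & (1 << BIT_EXACT_MATCH)),
            server_cert_index=b1 & 0xF,
            client_auth=bool(b2 & 0x80),
            client_cert_index=b2 & 0xF,
            key_store=(b3 >> 6) & 0x3,
            key_index=b3 & 0xF,
            chain_ca=bool(b4 & 0x80),
            client_ca_index=b4 & 0xF,
        )

    def audit(self) -> list[str]:
        """Weak settings worth flagging, derived from the register description."""
        if not self.tls_enabled:
            return ["TLS disabled: MQTT traffic is sent in clear and the other bytes are ignored"]
        findings = []
        if self.server_check == 0:
            findings.append("server certificate handling is 'accept any': the broker is not authenticated")
        if not self.verify_cn:
            findings.append("CN verification disabled: the certificate is not matched against the Server Name")
        if self.client_auth and self.key_store == 0:
            findings.append("client private key stored raw in NVM (marked DO NOT USE in the register description)")
        if self.client_auth and self.key_index in (14, 15):
            findings.append("client key index points to a non-existing ATECC key")
        return findings


if __name__ == "__main__":
    # Constructed example: TLS on with SNI and CN check, Verify PKI with exact match,
    # AWS CA in slot 9, client auth with certificate D / ATECC key D, CA E chained.
    opts = MqttTlsOptions(tls_enabled=True, sni_enabled=True, verify_cn=True,
                          server_check=3, exact_match=True, server_cert_index=9,
                          client_auth=True, client_cert_index=13, key_store=1,
                          key_index=13, chain_ca=True, client_ca_index=14)
    print(opts.encode().hex().upper())                                 # 77098D4D8E
    print(MqttTlsOptions.decode(bytes.fromhex("0000000000")).audit())  # default: TLS disabled
```

The factory default 0000000000 decodes to TLS disabled, so every other byte is ignored; once bit 0 of byte 0 is set, the audit shows that a register value of 0100000000 still trusts any broker certificate and skips the CN check, which is why the server-handling bits, the CN bit and the certificate slots should be written together rather than enabling TLS first and filling the rest in later.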