Secure Elements Certificate Store
April 13, 2023 at 2:40 AM
Overview
SpringCore devices are able to store up to 16 X.509 certificates.
X.509 certificates are typically used for TLS communication, in two situations:
- Validating the authenticity of the remote server (or remote peer): the SpringCore device verifies that the server's certificate is valid and authorized using its list of approved certificate authorities,
- Acting as proof that the SpringCore device is genuine and authorized. In this case a client certificate linked to a device-specific ECC key is used (only devices featuring an ATECC Secure Element offer this feature).
Certificate list
Certificates 10 to 15 (0A to 0F) are defined in factory and can't be modified afterwards.
- Certificates 10 to 13 (0A to 0D) are the certificates for the corresponding ECC private keys, computed by SpringCard's CAs (one for every usage).
- Certificates 14 and 15 (0E and 0F) are the certificates of two of the said CAs.
- Certificates 0 to 9 (00 to 09) are freely usable by integrators and developers. They can either store a customer-defined certificate for the device, or the certificates of the servers or PKI infrastructure the device will be a client of. Use SpringCoreSE (or maybe SpringCoreConfig) to do so. For convenience, certificates 7, 8 and 9 (07, 08 and 09) are populated in factory, but they can be overwritten with no impact on the device.
Certificate | Out-of-factory content | Remark |
---|---|---|
00 | Empty | User-changeable |
01 | Empty | User-changeable |
02 | Empty | User-changeable |
03 | Empty | User-changeable |
04 | Empty | User-changeable |
05 | Empty | User-changeable |
06 | Empty | User-changeable |
07 | Certificate of SpringCore Root CA | User-changeable |
08 | Certificate of SpringCard's test MQTT server | User-changeable |
09 | Certificate of Amazon Root CA (for AWS IoT Core MQTT demo) | User-changeable |
0A | Certificate for ATECC key 0A signed by SpringCore Direct CA | Locked |
0B | Certificate for ATECC key 0B signed by SpringCore Messaging CA | Locked |
0C | Certificate for ATECC key 0C signed by SpringCore Server CA | Locked |
0D | Certificate for ATECC key 0D signed by SpringCore Client CA | Locked |
0E | Certificate of SpringCore Server CA | Locked |
0F | Certificate of SpringCore Client CA | Locked |
SpringCore PKI hierarchy
The subject of every certificate actually begins with C=FR,ST=Ile-de-France,L=Palaiseau,O=SpringCard. For ease of reading, only the OU= and CN= parts are given in the following paragraphs.
Certificates for the SpringCore devices and the related cloud-based services are structured as follows:
- The subject of the Root CA is OU=SpringCore,CN=SpringCore Root CA; the self-signed certificate is available here: SpringCard-SpringCore-Root.crt. It is stored in the devices at index 07.
- The Direct intermediate CA signs the device's certificate used for remote Direct communication. Its subject is OU=SpringCore,CN=SpringCore Direct CA and its certificate is available here: SpringCard-SpringCore-Direct.crt.
- The Messaging intermediate CA signs the device's certificate used for secure messaging. Its subject is OU=SpringCore,CN=SpringCore Messaging CA and its certificate is available here: SpringCard-SpringCore-Messaging.crt.
- The Server intermediate CA signs the device's certificate used for operation as a TLS server. Its subject is OU=SpringCore,CN=SpringCore Server CA and its certificate is available here: SpringCard-SpringCore-Server.crt. It is stored in the devices at index 0E.
- The Client intermediate CA signs the device's certificate used for operation as a TLS client. Its subject is OU=SpringCore,CN=SpringCore Client CA and its certificate is available here: SpringCard-SpringCore-Client.crt. It is stored in the devices at index 0F.
- The Cloud intermediate CA signs the certificates of the cloud-based services operating as TLS servers. Its subject is OU=SpringCore,CN=SpringCore Cloud CA and its certificate is available here: SpringCard-SpringCore-Cloud.crt.
Keys and certificates loaded in factory
Device’s keys and their certificates
ECC private keys are generated in factory; they are associated with certificates 10 to 13 (0A to 0D). None of these keys and certificates can be changed after the device has been issued.
They are intended for the following usages:
Key / Cert | Typical usage | Subject of the certificate | Issuer |
---|---|---|---|
0A | Securing the Direct protocol | OU=SpringCore Direct,CN=<SerialNumber> | OU=SpringCore,CN=SpringCore Direct CA |
0B | Secure Messaging | OU=SpringCore Messaging,CN=<SerialNumber> | OU=SpringCore,CN=SpringCore Messaging CA |
0C | TLS communication when running as a server | OU=SpringCore Server,CN=<SerialNumber> | OU=SpringCore,CN=SpringCore Server CA (certificate in slot 0E) |
0D | TLS communication when running as a client | OU=SpringCore Client,CN=<SerialNumber> | OU=SpringCore,CN=SpringCore Client CA (certificate in slot 0F) |
Certificates of the CAs used by the device's certificates
Certificates 14 and 15 (0E and 0F) are initialized as follows:
Cert | Contains | Subject of the certificate | Issuer |
---|---|---|---|
0E | Certificate of the CA that has issued certificate 12 (0C) | OU=SpringCore,CN=SpringCore Server CA | OU=SpringCore,CN=SpringCore Root CA (certificate in slot 07) |
0F | Certificate of the CA that has issued certificate 13 (0D) | OU=SpringCore,CN=SpringCore Client CA | OU=SpringCore,CN=SpringCore Root CA (certificate in slot 07) |
They cannot be changed after the device has been issued.
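The chain described above (self-signed Root CA in slot 07, intermediate Server CA in slot 0E, device certificate in slot 0C with a per-device serial number as CN) can be rebuilt in miniature and exercised with the openssl command-line tool. The script below is an added example, not SpringCard's code or tooling: the keys, serial number and the Cloud CA host name are constructed here and are not the real SpringCard CAs, and it assumes only that an openssl 1.1.1 or later binary is on the PATH. It shows what a TLS peer actually does with the stored certificates: it trusts only the root, takes the intermediate as untrusted chain material, and rejects the device certificate when the wrong intermediate (the Cloud CA) is supplied.

```shell
#!/bin/sh
# Added example (not SpringCard code): rebuild a miniature copy of the SpringCore
# PKI hierarchy with the openssl CLI and verify a device certificate against it.
# Assumptions: openssl 1.1.1+ is on PATH; every key, serial number and host name
# below is constructed for the demo and is NOT a real SpringCard CA or device.

SUBJ_BASE="/C=FR/ST=Ile-de-France/L=Palaiseau/O=SpringCard"

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# new_ecc_key FILE : P-256 key, the same curve class as the ATECC key slots.
new_ecc_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# issue_cert DIR NAME SUBJECT ISSUER_NAME EXT_FILE
#   ISSUER_NAME = "self" produces a self-signed certificate (the Root CA).
issue_cert() {
    dir=$1; name=$2; subject=$3; issuer=$4; ext=$5
    new_ecc_key "$dir/$name.key"
    openssl req -new -config "$dir/req.cnf" -key "$dir/$name.key" \
        -subj "$SUBJ_BASE$subject" -out "$dir/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -days 3650 -sha256 -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
            -CAkey "$dir/$issuer.key" -CAcreateserial -days 3650 -sha256 \
            -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
    fi
}

# build_demo_pki DIR : Root CA -> Server CA / Cloud CA -> leaf certificates,
# mirroring slots 07 (root), 0E (Server CA) and 0C (device cert) on the page.
build_demo_pki() {
    dir=$1
    write_req_cnf "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$dir/server_leaf.ext"
    issue_cert "$dir" root      "/OU=SpringCore/CN=SpringCore Root CA"   self ca.ext
    issue_cert "$dir" server_ca "/OU=SpringCore/CN=SpringCore Server CA" root ca.ext
    issue_cert "$dir" cloud_ca  "/OU=SpringCore/CN=SpringCore Cloud CA"  root ca.ext
    # Constructed serial number; on a real device the CN is its own serial number.
    issue_cert "$dir" device_0c "/OU=SpringCore Server/CN=DEMO-SERIAL-0001" server_ca server_leaf.ext
    # Constructed host name standing in for a Cloud-CA-issued service certificate.
    issue_cert "$dir" mqtt_srv  "/OU=SpringCore Cloud/CN=mqtt.example.test" cloud_ca server_leaf.ext
}

# verify_chain ROOT INTERMEDIATE LEAF : the check a TLS peer performs, with the
# slot-07 root as the only trust anchor and the intermediate supplied untrusted.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# cert_subject FILE / cert_issuer FILE : RFC 2253 name strings (CN first).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Stand-alone run: build the demo PKI and report each check.
run_demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "device 0C subject : $(cert_subject "$d/device_0c.pem")"
    echo "device 0C issuer  : $(cert_issuer "$d/device_0c.pem")"
    if verify_chain "$d/root.pem" "$d/server_ca.pem" "$d/device_0c.pem"; then
        echo "root + Server CA -> device 0C : OK"
    else
        echo "root + Server CA -> device 0C : rejected (unexpected)"
    fi
    if verify_chain "$d/root.pem" "$d/cloud_ca.pem" "$d/device_0c.pem"; then
        echo "root + Cloud CA  -> device 0C : OK (unexpected)"
    else
        echo "root + Cloud CA  -> device 0C : rejected (wrong intermediate)"
    fi
    rm -rf "$d"
}
run_demo
```

The point to take from the negative case is that the root in slot 07 is the trust anchor, while the intermediate in slot 0E is only chain-building material: a peer that is handed the device certificate must also be given (or already hold) the matching intermediate, and presenting a different SpringCore intermediate does not help. Against a real device the same `openssl verify` call works unchanged once the certificates have been exported from slots 07, 0E and 0C.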
Other certificates
Certificates 7, 8 and 9 (07, 08 and 09) are initialized as follows:
Cert | Contains | Subject of the certificate | Issuer |
---|---|---|---|
07 | Root certificate for all SpringCore-related CAs | OU=SpringCore,CN=SpringCore Root CA | self |
08 | Certificate of MQTT server mqtt.springcard.com | OU=SpringCore Cloud,CN=mqtt.springcard.com | OU=SpringCore,CN=SpringCore Cloud CA |
09 | Amazon's root certificate (for demos using AWS) | C=US,O=Amazon,CN=Amazon Root CA 1 | self |
They can still be changed even after the device has been issued.
Customer keys and certificates
Please contact SpringCard for advanced support and/or consultancy service should you plan to use SpringCore devices with your own PKI.
SpringCard technical experts are able to help you design and validate your system’s architecture with a focus on the security scheme. Your own certificates could be inserted by SpringCard in factory to ease provisioning and deployment.
Using the certificates for TLS operation
See the use cases in the Appendices and refer to tech.springcard.com for step-by-step examples.