Certificate Store

Overview

SpringCore devices are able to store up to 16 X509 certificates.

X509 certificates are typically used for TLS communication, in two situations:

  1. Validate the authenticity of the remote server (or remote peer): the SpringCore device verifies that the server's certificate is valid and authorized using its list of approved certificate authorities,
  2. Act as a proof that the SpringCore device is genuine and authorized. If this case a client certificate linked to a device-specific ECC key is used (only deviced featuring an ATECC Secure Element offer this feature).

Certificate list

Certificates 10 to 15 (0A to 0F) are defined in factory and can't be modified afterwards.

  • Certificate 10 to 13 (0A to 0D) are the certificates for the corresponding ECC private keys, computed by SpringCard's CAs (one for every usage).
  • Certificates 14 and 15 (0E and 0F) are the certificate for two of the said CAs.
  • Certificate 0 to 9 (00 to 09) are freely usable by integrators and developers. They could either store a customer-defined certificate for the device, or the certificates of the servers or PKI infrastructure the device will be client of. Use SpringCoreSE (or maybe SpringCoreConfig) to do so. For convenience, certificates 7, 8 and 9 (07, 08 and 09) are populated in factory, by they could be overwritten with no impact on the device.
Certificate Out-of-factory content Remark
00 Empty User-changeable
01 Empty User-changeable
02 Empty User-changeable
03 Empty User-changeable
04 Empty User-changeable
05 Empty User-changeable
06 Empty User-changeable
07 Certificate of SpringCore Root CA User-changeable
08 Certificate of SpringCard's test MQTT server User-changeable
09 Certificate of Amazon Root CA (for AWS IoT Core MQTT demo) User-changeable
0A Certificate for ATECC key 0A signed by SpringCore Direct CA Locked
0B Certificate for ATECC key 0B signed by SpringCore Messaging CA Locked
0C Certificate for ATECC key 0C signed by SpringCore Server CA Locked
0D Certificate for ATECC key 0D signed by SpringCore Client CA Locked
0E Certificate of SpringCore Server CA Locked
0F Certificate of SpringCore Client CA Locked

SpringCore PKI hierarchy

The subject of every certificates actually begins with C=FR,ST=Ile-de-France,L=Palaiseau,O=SpringCard. For the ease of reading, only the OU= and CN= parts are specified in the following paragraphs.

Certificates for the SpringCore devices and the related cloud-based services are structured as follow:

  • The subject of the Root CA is OU=SpringCore,CN=SpringCore Root CA; the self-signed certificate is available here: SpringCard-SpringCore-Root.crt. It is stored in the devices at index 07.
  • The Direct intermediate CA signs the device's certificate used for remote Direct communication. Its subject is OU=SpringCore,CN=SpringCore Direct CA and its certificate is available here: SpringCard-SpringCore-Direct.crt.
  • The Messaging intermediate CA signs the device's certificate used for secure messaging. Its subject is OU=SpringCore,CN=SpringCore Messaging CA and its certificate is available here: SpringCard-SpringCore-Messaging.crt.
  • The Server intermediate CA signs the device's certificate used for operation as TLS server. Its subject is OU=SpringCore,CN=SpringCore Server CA and its certificate is available here: SpringCard-SpringCore-Server.crt. It is stored in the devices at index 0E.
  • The Client intermediate CA signs the device's certificate used for operation as TLS client. Its subject is OU=SpringCore,CN=SpringCore Client CA and its certificate is available here: SpringCard-SpringCore-Client.crt. It is stored in the devices at index 0F.
  • The Cloud intermediate CA signs the certificates of the cloud-based services operating as TLS server. Its subject is OU=SpringCore,CN=SpringCore Cloud CA and its certificate is available here: SpringCard-SpringCore-Cloud.crt.

Keys and certificates loaded in factory

Device's keys and their certificates

ECC private keys are generated in factory; they are associated to certificates 10 to 13 (0A to 0D). None of this keys and certificates can not be changed after the device has been issued.

They are intended for the following usages:

Key / Cert Typical usage Subject of the certificate Issuer
0A Securing the Direct protocol OU=SpringCore Direct,CN=SerialNumber OU=SpringCore,CN=SpringCore Direct CA
0B Secure Messaging OU=SpringCore Messaging,CN=SerialNumber OU=SpringCore,CN=SpringCore Messaging CA
0C TLS communication when running as a server OU=SpringCore Server,CN=SerialNumber OU=SpringCore,CN=SpringCore Server CA (certificate in slot 0E)
0D TLS communication when running as a client OU=SpringCore Client,CN=SerialNumber OU=SpringCore,CN=SpringCore Client CA (certificate in slot 0F)

Certificates of the CAs used by device's certificates

Certificates 14 and 15 (0E and 0F) are initialized as follow:

Cert Contains Subject of the certificate Issuer
0E Certificate of the CA that has issued certificate 12 (0C) OU=SpringCore,CN=SpringCore Server CA OU=SpringCore,CN=SpringCore Root CA (certificate in slot 07)
0F Certificate of the CA that has issued certificate 13 (0D) OU=SpringCore,CN=SpringCore Client CA OU=SpringCore,CN=SpringCore Root CA (certificate in slot 07)

They can not be changed after the device has been issued.

Other certificates

Certificates 8 and 9 (08 and 0A) are initialized as follow:

Cert Contains Subject of the certificate Issuer
07 Root certificate for all SpringCore-related CAs OU=SpringCore,CN=SpringCore Root CA self
08 Certificate of MQTT server mqtt.springcard.com OU=SpringCore Cloud,CN=mqtt.springcard.com OU=SpringCore,CN=SpringCore Cloud CA
09 Amazon's root certificate (for demos using AWS) C=US,O=Amazon,CN=Amazon Root CA 1 self

They still can be changed even after the device has been issued.

Customer keys and certificates

Please contact SpringCard for advanced support and/or consultancy service should you plan to use SpringCore devices with your own PKI.

SpringCard technical experts are able to help you design and validate your system's architecture with a focus on the security scheme. Your own certificates could be inserted by SpringCard in factory to ease provisioning and deployment.

Using the certificates for TLS operation

See use cases in the Appendixes and refer to tech.springcard.com for step-by-step examples.