Hi,
All the example code stores the rootCA either in the read-only resource file or hard-coded in the source code.
So the user cannot update (or add more) rootCAs.
Is there any reason not to store the rootCA in the DCT?
Labels: SDK 3.x
Hi Cypress team,
The rootCA can expire.
Users need a method to update the rootCA.
What's your suggestion?
Check out the demo.aws_iot or snip.secure_mqtt examples for user loading of the certs.
jmartin wrote:
Check out the demo.aws_iot or snip.secure_mqtt examples for user loading of the certs.
You misunderstand my question.
I know the certificate and key can be stored in the DCT.
My question is about the rootCA.
I guess Broadcom & Cypress do so since the rootCA expiry is typically much longer than the product life cycle and is usually the same across all products of a model. Thus they don't expect the rootCA to be updated.
I guess you can try adding a new item for the rootCA in the DCT, either in the security region or simply the app region, and generate it from a resource just the way KEY & CERT do. Or, maybe more aggressively, try storing ROOTCA/KEY/CERT in the DCT all as parsed binary structures; this should require less space than PEM-format PKI files, and skips the parsing procedure when using them.
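A record layout for the app-region rootCA item xavier describes, added here as an example that is not WICED SDK code and does not call the WICED DCT API (the bank, record tag and CRC are a RAM model, and the PEM body is constructed, not a real certificate): a small header in front of the PEM bytes, capped at the 2 KB figure from this thread, so a torn write or corrupted flash is rejected instead of being handed to the TLS stack as a trust anchor.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROOTCA_MAX_LEN 2048         /* the ~2 KB rootCA figure from the thread */
#define ROOTCA_MAGIC   0x52434131u  /* "RCA1": constructed record tag, not a WICED value */

typedef struct {  /* hypothetical app-region item: header + PEM bytes */
    uint32_t magic, length, crc32;  /* crc32 covers pem[0..length) */
    uint8_t  pem[ROOTCA_MAX_LEN];
} dct_rootca_record_t;

/* RAM stand-in for one 16 KB DCT bank (the size quoted in the thread). */
typedef union { dct_rootca_record_t rec; uint8_t raw[16 * 1024]; } dct_bank_t;
dct_bank_t dct_app_bank;

static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Store a NUL-terminated PEM rootCA; rejects oversize (-1) or non-PEM (-2) input. */
int dct_rootca_store(dct_bank_t *bank, const char *pem) {
    dct_rootca_record_t *rec = &bank->rec;
    size_t len = strlen(pem);
    if (len == 0 || len > ROOTCA_MAX_LEN) return -1;
    if (!strstr(pem, "-----BEGIN CERTIFICATE-----") || !strstr(pem, "-----END CERTIFICATE-----")) return -2;
    memcpy(rec->pem, pem, len);
    rec->magic = ROOTCA_MAGIC; rec->length = (uint32_t)len; rec->crc32 = crc32_ieee(rec->pem, len);
    return 0;
}

/* Load it back as a C string; returns the PEM length, or <0 for absent/oversize/corrupt. */
int dct_rootca_load(const dct_bank_t *bank, char *out, size_t out_size) {
    const dct_rootca_record_t *rec = &bank->rec;
    if (rec->magic != ROOTCA_MAGIC) return -1;
    if (rec->length == 0 || rec->length > ROOTCA_MAX_LEN || rec->length >= out_size) return -2;
    if (crc32_ieee(rec->pem, rec->length) != rec->crc32) return -3;  /* torn write or bit rot */
    memcpy(out, rec->pem, rec->length); out[rec->length] = '\0';
    return (int)rec->length;
}

int dct_rootca_selftest(void) {  /* round trip on a constructed PEM: 0 on success, else failing step */
    static const char pem[] = "-----BEGIN CERTIFICATE-----\nMIIBCONSTRUCTEDNOTAREALCERT==\n-----END CERTIFICATE-----\n";
    char out[ROOTCA_MAX_LEN + 1];
    if (dct_rootca_store(&dct_app_bank, pem) != 0) return 1;
    if (dct_rootca_load(&dct_app_bank, out, sizeof out) != (int)strlen(pem) || strcmp(out, pem) != 0) return 2;
    dct_app_bank.raw[offsetof(dct_rootca_record_t, pem) + 5] ^= 0x01;  /* simulate one flipped flash bit */
    if (dct_rootca_load(&dct_app_bank, out, sizeof out) != -3) return 3;
    return 0;
}
```

The CRC only catches corruption; since a writable rootCA is a writable trust anchor, any field update path should also be authenticated (for example, signed by a key the firmware already trusts) before the record is written.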
xavier@candyhouse wrote:
I guess Broadcom & Cypress do so since the rootCA expiry is typically much longer than the product life cycle and is usually the same across all products of a model. Thus they don't expect the rootCA to be updated.
As for the expiry time, that is *usually* much longer than the product life cycle, but it is not *always* the case.
(So what if some of your customers do hit the rootCA expiry issue in the near future?)
Actually, I have indeed had requests from customers asking to update the rootCA for their server.
That is why I am asking the question.
In addition, if this is a common case then it's good to improve it in the SDK so everybody gets the benefit.
Unfortunately, I don't see any Cypress developers involved in this discussion.
PS. I'm not sure if there is a size limitation in the user DCT. A rootCA may take 2 KB.
There's plenty of space in the DCT for a 2 KB rootCA on my product.
(There are 2 banks of 16 KB DCT in internal flash, as defined in WICED/platform/MCU/STM32F4xx/GCC/STM32F411/memory_with_bootloader.ld.)
"hexdump -C DCT.bin" may also help.