Why not store rootCA in DCT?

AxLi_1746341

Hi,

All the example code stores the rootCA either in the read-only resource file or hard-coded in the source code.

So the user cannot update (or add more) rootCAs.

Is there any reason not to store the rootCA in DCT?

6 Replies
AxLi_1746341

Hi Cypress team,

The rootCA can expire.

The users need a method to update the rootCA.

What's your suggestion?


Check out the demo.aws_iot or snip.secure_mqtt examples for the user loading the certs.


jmartin wrote:

Check out the demo.aws_iot or snip.secure_mqtt examples for the user loading the certs.

You misunderstand my question.

I know the certificate and key can be stored in DCT.

My question is about rootCA.


I guess Broadcom & Cypress do so since the rootCA expiration is typically much longer than the product life cycle and is usually the same among all products of a model. Thus they don't expect the rootCA to be updated.

I guess you can try adding a new item for the rootCA in DCT, either in the security or simply the app region, and generate it from a resource just the way KEY & CERT do. Or, more aggressively, try storing ROOTCA/KEY/CERT in DCT all as parsed binary structures; this should require less space than PEM-format PKI files, and skip the parsing procedure when using them.
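An added example of the suggestion above (editor's illustration, not WICED SDK code and not posted by anyone in this thread): a root CA slot in the application DCT region, simulated with an in-RAM 16 KB bank so it runs stand-alone. The slot layout, the "ROCA" magic value, the CRC and the 2 KB budget are assumptions; the SDK calls that would back it (wiced_dct_write() / wiced_dct_read_lock() on DCT_APP_SECTION) are replaced by memcpy. The point a practitioner wants from an updatable CA slot is the validation: framing, size bound and CRC are checked before anything is written, and a missing or corrupt slot reports empty so the caller can fall back to the built-in resource CA instead of ending up with a device that cannot verify its server.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DCT_BANK_SIZE  (16 * 1024)  /* one DCT bank, as in the STM32F411 linker script quoted later */
#define ROOTCA_MAX_LEN 2048         /* budget for a PEM root CA, the ~2 KB figure from the thread */
#define ROOTCA_MAGIC   0x41434F52u  /* hypothetical marker "ROCA" for a populated slot */

/* Hypothetical app-DCT layout: the root CA slot sits at offset 0 of the app section. */
typedef struct {
    uint32_t magic;
    uint32_t length;               /* bytes of pem[] in use */
    uint32_t crc;                  /* CRC-32 over pem[0..length) */
    char     pem[ROOTCA_MAX_LEN];
} rootca_slot_t;

/* Simulated DCT bank. In WICED this would be flash accessed through
 * wiced_dct_write() / wiced_dct_read_lock() on DCT_APP_SECTION. */
static uint8_t g_dct[DCT_BANK_SIZE];

/* Plain CRC-32 (IEEE polynomial, reflected). */
static uint32_t crc32_bytes(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Cheap framing check before committing anything to flash: the blob must be a
 * PEM certificate block and must fit the slot. Real parsing is the TLS stack's job. */
static int pem_cert_looks_valid(const char *pem, size_t len)
{
    static const char head[] = "-----BEGIN CERTIFICATE-----";
    static const char tail[] = "-----END CERTIFICATE-----";
    const size_t head_len = sizeof head - 1, tail_len = sizeof tail - 1;

    if (len == 0 || len > ROOTCA_MAX_LEN || len < head_len + tail_len)
        return 0;
    if (memcmp(pem, head, head_len) != 0)
        return 0;
    while (len > 0 && (pem[len - 1] == '\n' || pem[len - 1] == '\r'))
        len--;                                     /* ignore trailing newlines */
    return len >= tail_len && memcmp(pem + len - tail_len, tail, tail_len) == 0;
}

/* Write a new root CA into the slot. Returns 0 on success, -1 if rejected
 * (the existing slot is left untouched). */
int dct_rootca_store(const char *pem, size_t len)
{
    rootca_slot_t slot;
    if (!pem_cert_looks_valid(pem, len))
        return -1;
    memset(&slot, 0, sizeof slot);
    slot.magic  = ROOTCA_MAGIC;
    slot.length = (uint32_t)len;
    memcpy(slot.pem, pem, len);
    slot.crc    = crc32_bytes(slot.pem, len);
    memcpy(g_dct, &slot, sizeof slot);   /* stand-in for wiced_dct_write(&slot, DCT_APP_SECTION, 0, sizeof slot) */
    return 0;
}

/* Read the slot into a NUL-terminated buffer. Returns the PEM length, or 0 when
 * the slot is empty, corrupt or oversized, so the caller falls back to the built-in CA. */
size_t dct_rootca_load(char *out, size_t out_size)
{
    rootca_slot_t slot;
    memcpy(&slot, g_dct, sizeof slot);   /* stand-in for wiced_dct_read_lock() */
    if (slot.magic != ROOTCA_MAGIC || slot.length == 0 || slot.length > ROOTCA_MAX_LEN)
        return 0;
    if (crc32_bytes(slot.pem, slot.length) != slot.crc)
        return 0;
    if (out_size < (size_t)slot.length + 1)
        return 0;
    memcpy(out, slot.pem, slot.length);
    out[slot.length] = '\0';
    return slot.length;
}

/* Constructed placeholder with PEM framing only; it is not a real certificate. */
static const char k_sample_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBConstructedPlaceholderNotARealCertificate0123456789ABCDEF=\n"
    "-----END CERTIFICATE-----\n";

int main(void)
{
    char ca[ROOTCA_MAX_LEN + 1];
    if (dct_rootca_store(k_sample_pem, sizeof k_sample_pem - 1) != 0) {
        puts("store rejected");
        return 1;
    }
    size_t n = dct_rootca_load(ca, sizeof ca);
    printf("loaded %zu-byte root CA from the DCT slot\n", n);
    return n ? 0 : 1;
}
```

Two caveats when moving this onto real hardware. The CRC only catches accidental corruption (an interrupted write, a worn sector); anyone who can write the DCT can substitute their own CA, so whatever path delivers the new rootCA has to be authenticated, for example by only accepting it over a TLS session that was already verified against the old one. And the framing check here is deliberately shallow: the TLS stack still parses and validates the certificate when it is used, which is where a malformed blob is finally rejected.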

xavier@candyhouse wrote:

I guess Broadcom & Cypress do so since the rootCA expiration is typically much longer than the product life cycle and is usually the same among all products of a model. Thus they don't expect the rootCA to be updated.

For the expiration time, that is *usually* much longer than the product life cycle, but that is not *always* the case.

(So what if some of your customers indeed hit the rootCA expiration issue in the near future?)

Actually, I have indeed had requests from customers asking to update the rootCA for their server.

That is why I am asking the question.

In addition, if this is a common case then it's good to improve it in the SDK so everybody benefits.

Unfortunately, I don't see any Cypress developers involved in this discussion.

PS. I'm not sure if there is a size limitation in the user DCT. The rootCA may take 2 KB.


There's plenty of space in DCT for a 2 KB rootCA on my product.

(There are 2 banks of 16 KB DCT in internal flash, as defined in WICED/platform/MCU/STM32F4xx/GCC/STM32F411/memory_with_bootloader.ld.)

"hexdump -C DCT.bin" may also help