6 Replies Latest reply on Nov 17, 2016 9:56 PM by JeGu_2199941

    Why not store rootCA in DCT?

    AxLi_1746341

      Hi,

      All the example code stores the rootCA either in the read-only resource file or hard-coded in the source code.

      So the user cannot update (or add more) rootCA.

      Is there any reason not to store rootCA in DCT?

        • 1. Re: Why not store rootCA in DCT?
          AxLi_1746341

          Hi Cypress team,

          The rootCA can expire.

          The users need a method to update rootCA.

          What's your suggestion?

          • 2. Re: Why not store rootCA in DCT?
            joMa_1809706

            Check out the demo.aws_iot or snip.secure_mqtt examples for user loading of the certs.

            • 3. Re: Why not store rootCA in DCT?
              AxLi_1746341

              jmartin wrote:


              checkout demo.aws_iot or snip.secure_mqtt examples for user loading the certs

              You misunderstand my question.

              I know certificate and key can be stored in DCT.

              My question is about rootCA.

              • 4. Re: Why not store rootCA in DCT?
                JeGu_2199941

                I guess Broadcom & Cypress do so since rootCA expiration is typically much longer than the product life cycle and is usually the same among all products of a model. Thus they don't expect rootCA to be updated.


                I guess you can try adding a new item for rootCA in DCT, either in the security region or simply in the app region, and generate it from the resource just the way KEY & CERT do. Or maybe, more aggressively, try storing ROOTCA/KEY/CERT in DCT all as parsed binary structures; this should require less space compared to PEM format PKI files, and skip the parsing procedure when using them.

                • 5. Re: Why not store rootCA in DCT?
                  AxLi_1746341

                  xavier@candyhouse wrote:


                  I guess Broadcom & Cypress do so since rootCA expiration is typically much longer than product life cycle and is usually the same among all products of a model. Thus they don't expect rootCA is to be updated.


                  For expiration time, that is *usually* much longer than the product life cycle, but it is not *always* the case.

                  (So what if some of your customers indeed hit rootCA expiration issue in near future?)

                  Actually, I indeed have requests from customers asking to update rootCA for their server.

                  That is why I am asking the question.


                  In addition, if this is a common case then it's good to improve it in the SDK so everybody gets the benefit.

                  Unfortunately, I don't see any Cypress developers involved in this discussion.


                  PS. I'm not sure if there is a size limitation in the user DCT. rootCA may take 2 KB.

                  • 6. Re: Why not store rootCA in DCT?
                    JeGu_2199941

                    There's plenty of space in DCT for a 2 KB rootCA on my product.

                    (There are 2 banks of 16 KB DCT in internal flash as defined in WICED/platform/MCU/STM32F4xx/GCC/STM32F411/memory_with_bootloader.ld)

                    "hexdump -C DCT.bin" may also help
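An added example, in Go, that is not code from this thread or from the WICED SDK. It illustrates the approach suggested in reply 4 (a dedicated rootCA item in the DCT app region, generated from the PEM resource) together with the size question from replies 5 and 6: a host-side provisioning step that packs a root CA PEM into a fixed-size, CRC-protected record, checks that it fits well inside the 16 KB bank quoted above, and checks the certificate's validity window so an expiring root CA is caught before it is written to the device. The record layout, the magic value, the 4 KB slot size and the one-year update margin are assumptions; the self-signed CA is generated in code as constructed test data, not a real trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"hash/crc32"
	"math/big"
	"time"
)

// Layout assumptions (hypothetical, not the WICED DCT format): one 16 KB DCT bank
// as quoted in the thread, and a fixed-size root-CA slot inside its application region.
const (
	dctBankSize    = 16 * 1024  // size of one DCT bank from the thread
	rootCASlotSize = 4096       // constructed slot size: room for a ~2 KB PEM plus header
	rootCAMagic    = 0x52434131 // "RCA1", a constructed record marker
	headerSize     = 12         // magic + length + crc32, little-endian uint32 each
)

// packRootCA builds the slot image: [magic][len][crc32(pem)][pem][zero padding].
func packRootCA(pemBytes []byte) ([]byte, error) {
	if headerSize+len(pemBytes) > rootCASlotSize {
		return nil, fmt.Errorf("root CA of %d bytes does not fit a %d-byte slot", len(pemBytes), rootCASlotSize)
	}
	slot := make([]byte, rootCASlotSize)
	binary.LittleEndian.PutUint32(slot[0:], rootCAMagic)
	binary.LittleEndian.PutUint32(slot[4:], uint32(len(pemBytes)))
	binary.LittleEndian.PutUint32(slot[8:], crc32.ChecksumIEEE(pemBytes))
	copy(slot[headerSize:], pemBytes)
	return slot, nil
}

// unpackRootCA is what the device side would do at boot: validate the header and
// CRC before handing the bytes to the TLS stack.
func unpackRootCA(slot []byte) ([]byte, error) {
	if len(slot) < headerSize || binary.LittleEndian.Uint32(slot[0:]) != rootCAMagic {
		return nil, errors.New("no root CA record in slot")
	}
	n := binary.LittleEndian.Uint32(slot[4:])
	if int(n) > len(slot)-headerSize {
		return nil, errors.New("root CA record length exceeds slot")
	}
	pemBytes := slot[headerSize : headerSize+int(n)]
	if crc32.ChecksumIEEE(pemBytes) != binary.LittleEndian.Uint32(slot[8:]) {
		return nil, errors.New("root CA record CRC mismatch")
	}
	return pemBytes, nil
}

// checkRootCA parses the PEM and refuses certificates that are not a CA, are outside
// their validity window at `now`, or expire sooner than minRemaining from now.
func checkRootCA(pemBytes []byte, now time.Time, minRemaining time.Duration) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("slot does not hold a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if !cert.IsCA {
		return nil, errors.New("certificate is not a CA")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("root CA not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	if cert.NotAfter.Sub(now) < minRemaining {
		return nil, fmt.Errorf("root CA expires in %s, below the %s update margin", cert.NotAfter.Sub(now), minRemaining)
	}
	return cert, nil
}

// makeTestRootCA generates a self-signed CA (constructed test data, not a real trust anchor).
func makeTestRootCA(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	pemBytes, err := makeTestRootCA(now.Add(-time.Hour), now.Add(10*365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	slot, err := packRootCA(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("slot uses %d of %d bytes; one DCT bank is %d bytes\n", headerSize+len(pemBytes), rootCASlotSize, dctBankSize)
	back, err := unpackRootCA(slot)
	if err != nil {
		panic(err)
	}
	cert, err := checkRootCA(back, now, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("loaded %q, expires %s\n", cert.Subject.CommonName, cert.NotAfter.Format("2006-01-02"))
}
```

The CRC and length fields are what make a field update safe to attempt: a half-written slot (power loss mid-flash) fails `unpackRootCA` instead of being fed to the TLS stack, and the firmware can fall back to the rootCA compiled into the resource file. The `minRemaining` margin in `checkRootCA` is the check that addresses the expiration concern raised in the thread; run it against the PEM before provisioning and again in a periodic self-check on the device so an expiring anchor is noticed while there is still time to push a replacement.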