Certificates installation in Cinterion modules

This super short tutorial applies to Telit Cinterion modules like EXSx2, PLSx3, ELS62.

Preinstalled certificates

Each module also ships with some preinstalled certificates: one client certificate and a number of root CA certificates. All of them can be copied into the Internet Services certificate storage and used by any IP service driven with AT commands.

Reading the certificate information: AT^SBNR="is_cert"
The client certificate always has index 0.

Copying the preconfigured certificates for IP services to "is_cert" storage can be done selectively with command:
AT^SSECUA="CertStore/TLS/PreconfigureCert",,<index>

or the "is_cert" storage can be initialized with all the preinstalled certificates in one step with:
AT^SSECUA="CertStore/TLS/PreconfigureCerts"

but this only works if the Internet Service certificate store ("is_cert") is empty and the client certificate was preconfigured at the factory at index 0 of the "preconfig_cert" storage, which should always be the case for production modules.

To list the preconfigured storage use this command:
AT^SBNR="preconfig_cert"

Certificates installation

Any custom client or server certificate can be installed.
Installing a certificate for TLS secure connections comes down to preparing a special binary file, the secure command, and sending it to the module with the AT^SBNW command. The secure command contains the certificate plus some additional data.

The necessary information is in the 'Transport_Layer_Security_Application_Note' document available in the Download Zone (https://dz.telit.com). The document may also contain the embedded tools; if the tools are not present, there should be a document describing the process of requesting them.

The simplest approach is to use the cmd_IpCertMgr.jar java tool (included in the tools package).

The usage example (server root CA certificate):

java -jar cmd_IpCertMgr.jar -cmd writecert -certfile starfield_root_ca_g2.der -certIndex 30 -sigType NONE -file starfield_root_ca_g2.bin

Client certificate example:
java -jar cmd_IpCertMgr.jar -cmd writecert -certfile cert.crt -keyfile cert.key -certIndex 0 -sigType NONE -file clientCert.bin

The generated file can be uploaded to the module as binary data with the AT^SBNW=is_cert,1 command.
If the module answers SECURE CMD END OK, everything is fine.

The list of the installed certificates can be read with AT^SBNR="is_cert" command.

The secure command can also be generated and uploaded in one step.

Example:

c:\Data\exs62-w_exs82-w_tls_tools\Tools\bin\win-x86>java -jar cmd_IpCertMgr.jar -serialPort COM22 -serialSpd 115200 -cmd writecert -certfile starfield_root_ca_g2.cer -certIndex 30 -sigType NONE
Java version: 32-bit
1.7.0_25
Stable Library
=========================================
Native lib Version = RXTX-2.1-7
Java lib Version   = RXTX-2.1-7
CTS_RTS flow control enabled.
AT:AT+CGSN
Response:351234567890123
IMEI:351234567890123
signature skipped
nullAT
OK
AT^SBNW=is_cert,1
CONNECT

SECURE CMD READY: SEND COMMAND ...

SECURE CMD END OK

OK

Implementing certificates installation

The command for certificate installation can also be constructed in the customer application code. All that is needed for the command preparation is described in "Transport_Layer_Security_Application_Note" document in chapter "Appendix A: Secure Commands".

First let’s look again at how the secure command is created with cmd_IpCertMgr.jar tool:

cmd_IpCertMgr.jar -cmd writecert -certfile cert.crt -keyfile cert.key -certIndex 0 -sigType NONE -file .\LoadClientCert_insecure.bin

The .bin file produced by the above command is a good example of the command we need: it is a frame that wraps all the data passed as parameters to cmd_IpCertMgr.jar.

The "General SBNW Secure Command Structure" chapter gives the frame structure as below:

  Field           Type      Note
  Total length    UINT16    length of the whole command
  Command         UINT16    command code (1 = writecert)
  Params number   UINT16    number of param units that follow
  Param unit      see below one unit per parameter
  Signature unit  see below only for signed commands

Each "param unit" structure is described in detail in the "Param Unit Structure" chapter:

  Field                  Type      Note
  Total length           UINT16    length of the unit, header included
  Param ID (Unit Type)   UINT16    which parameter this unit carries
  Param Data             bytes     the parameter value

So each parameter needs to be encapsulated in a "Param unit", and all param units are appended to the command.
The "Signature unit" is not used here because of -sigType NONE in our example; signing the command would be necessary if the module were in secure mode.

For a command reference you can take the .bin file created by cmd_IpCertMgr.jar, open it in any hex editor and compare to the command structure described in the document.

Example - the beginning of the .bin file in a hex editor (note that every UINT16 is stored little-endian, so the bytes 05 05 read as 0x0505 = 1285 and 7A 02 as 0x027A = 634):

HEX: 0505 0100 0300 0600 0100 0000 7A02 0200 xxx… yyy… 0500 zzz…
DEC: 1285    1    3    6    1    0  634    2 xxx… yyy…    5 zzz…

Explanation:

  • Total length: 1285 - the whole frame, header included
  • Command: 1 - write (-cmd writecert)
  • Params number: 3
  • Param unit Total length: 6 - 2 bytes length + 2 bytes ID + 2 bytes data
  • Param ID: 1 - cert index (-certIndex)
  • Param data: 0 - index=0 (value of -certIndex, as UINT16)
  • Param unit Total length: 634 - 4-byte unit header + 630 bytes of certificate
  • Param ID: 2 - cert data (-certfile)
  • Param data: xxx… - client certificate (contents of certificate file)
  • Param unit Total length: yyy… - private key length plus the 4-byte unit header
  • Param ID: 5 - private key (-keyfile)
  • Param data: zzz… - client private key (contents of private key file)
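The frame described above, built and parsed in Python as an added example (this is not Telit's tool and not code from the application note). It assumes only what the hex dump shows: little-endian UINT16 fields, command code 1 for writecert, and param IDs 1 (cert index), 2 (cert data) and 5 (private key); no signature unit, as with -sigType NONE. The sample certificate and key are constructed byte strings whose sizes (630 and 635 bytes) reproduce the 634 and 1285 values from the dump, so the first bytes of the output can be compared against it directly.

```python
"""Build and parse the AT^SBNW "is_cert" writecert secure command frame."""
import struct
from typing import Optional

CMD_WRITECERT = 1        # "Command" field value seen in the dump (-cmd writecert)
PARAM_CERT_INDEX = 1     # -certIndex
PARAM_CERT_DATA = 2      # -certfile contents
PARAM_PRIVATE_KEY = 5    # -keyfile contents


def param_unit(param_id: int, data: bytes) -> bytes:
    """Param unit: UINT16 total length (header included), UINT16 param ID, data."""
    total = 4 + len(data)
    if total > 0xFFFF:
        raise ValueError("param unit too large for a UINT16 length")
    return struct.pack("<HH", total, param_id) + data


def build_writecert(cert_index: int, cert_der: bytes,
                    key_der: Optional[bytes] = None) -> bytes:
    """Frame: UINT16 total length, UINT16 command, UINT16 params number, units.
    The private key unit is only added for a client certificate (index 0)."""
    units = [param_unit(PARAM_CERT_INDEX, struct.pack("<H", cert_index)),
             param_unit(PARAM_CERT_DATA, cert_der)]
    if key_der is not None:
        units.append(param_unit(PARAM_PRIVATE_KEY, key_der))
    body = b"".join(units)
    total = 6 + len(body)
    if total > 0xFFFF:
        raise ValueError("frame too large for a UINT16 length")
    return struct.pack("<HHH", total, CMD_WRITECERT, len(units)) + body


def parse_frame(frame: bytes) -> dict:
    """Walk a frame back into its command and (param_id, data) list, checking
    that every declared length matches the bytes actually present."""
    if len(frame) < 6:
        raise ValueError("frame shorter than its 6-byte header")
    total, cmd, count = struct.unpack_from("<HHH", frame, 0)
    if total != len(frame):
        raise ValueError(f"declared length {total} != actual {len(frame)}")
    params, off = [], 6
    for _ in range(count):
        if off + 4 > len(frame):
            raise ValueError("truncated param unit header")
        unit_len, pid = struct.unpack_from("<HH", frame, off)
        if unit_len < 4 or off + unit_len > len(frame):
            raise ValueError(f"bad param unit length {unit_len} at offset {off}")
        params.append((pid, frame[off + 4:off + unit_len]))
        off += unit_len
    if off != len(frame):
        raise ValueError("trailing bytes after the last param unit")
    return {"command": cmd, "params": params}


# Constructed sample input (not a real certificate or key): sizes chosen so the
# output matches the dump above: 630-byte cert -> unit length 634, frame 1285.
SAMPLE_CERT = bytes(range(256)) * 2 + bytes(118)   # 630 bytes
SAMPLE_KEY = b"\x30" * 635                          # 635 bytes

if __name__ == "__main__":
    frame = build_writecert(0, SAMPLE_CERT, SAMPLE_KEY)
    print(frame[:16].hex())                # 0505010003000600010000007a020200
    print(len(frame), parse_frame(frame)["command"])
```

Real input would be the DER bytes of the certificate (and, for index 0, the key); writing the returned frame to a file gives the same kind of .bin that cmd_IpCertMgr.jar produces, and parse_frame is a convenient check before uploading, or to inspect a .bin generated by the tool.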

When the command is created, it can be sent with AT^SBNW command:

AT^SBNW=is_cert,1
CONNECT

SECURE CMD READY: SEND COMMAND ...

// here we send the command data

SECURE CMD END OK

OK
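The exchange above, driven from application code, as an added example (not Telit's tool and not code from the application note). It assumes only a port object with write() and readline(), which pyserial's serial.Serial provides; FakeModule is a constructed stand-in that replays the responses from the transcript so the sequence can be exercised offline, and its failure response (a plain ERROR result code) is constructed for the example.

```python
"""Send a prepared secure command with AT^SBNW=is_cert,1 and check the result."""
import io
from typing import Tuple


class UploadError(Exception):
    pass


def _read_until(port, wanted: Tuple[str, ...], limit: int = 50) -> str:
    """Read lines until one starting with an expected marker appears;
    any ERROR / +CME ERROR final result code aborts the upload."""
    for _ in range(limit):
        line = port.readline().decode(errors="replace").strip()
        if not line:
            continue
        if line.startswith("ERROR") or line.startswith("+CME ERROR"):
            raise UploadError(line)
        if any(line.startswith(w) for w in wanted):
            return line
    raise UploadError(f"expected one of {wanted}, got no matching line")


def upload_secure_command(port, frame: bytes) -> bool:
    """AT^SBNW=is_cert,1 -> CONNECT -> SECURE CMD READY -> send frame
    -> SECURE CMD END OK -> OK.  Returns True only on the OK path."""
    port.write(b"AT^SBNW=is_cert,1\r")
    _read_until(port, ("CONNECT",))
    _read_until(port, ("SECURE CMD READY",))
    port.write(frame)                      # raw binary, no line ending
    end = _read_until(port, ("SECURE CMD END",))
    if end != "SECURE CMD END OK":
        raise UploadError(end)
    _read_until(port, ("OK",))
    return True


class FakeModule:
    """Constructed stand-in replaying the transcript. It reads the UINT16
    total length at the start of the frame and accepts the command only
    when exactly that many bytes arrive (and accept=True)."""

    def __init__(self, accept: bool = True):
        self.accept = accept
        self.rx = bytearray()
        self.out = io.BytesIO()
        self.stage = 0

    def write(self, data: bytes) -> None:
        self.rx += data
        if self.stage == 0 and self.rx.endswith(b"AT^SBNW=is_cert,1\r"):
            self.out = io.BytesIO(
                b"\r\nCONNECT\r\n\r\nSECURE CMD READY: SEND COMMAND ...\r\n")
            self.rx.clear()
            self.stage = 1
        elif self.stage == 1 and len(self.rx) >= 2:
            declared = int.from_bytes(self.rx[:2], "little")
            if len(self.rx) >= declared:
                if self.accept and len(self.rx) == declared:
                    self.out = io.BytesIO(b"\r\nSECURE CMD END OK\r\n\r\nOK\r\n")
                else:
                    self.out = io.BytesIO(b"\r\nERROR\r\n")  # constructed failure
                self.stage = 2

    def readline(self) -> bytes:
        return self.out.readline()


if __name__ == "__main__":
    # Constructed frame: declared length 1285, command 1, 3 params, filler body.
    demo = (1285).to_bytes(2, "little") + b"\x01\x00\x03\x00" + bytes(1279)
    print(upload_secure_command(FakeModule(), demo))   # True
```

With a real port the same call reads, for example, serial.Serial("COM22", 115200, timeout=2); the timeout matters because _read_until relies on readline() returning so that a silent module ends in an UploadError instead of a hang. After a successful upload, AT^SBNR="is_cert" confirms that the new index is listed.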