Pki.StoreX509Cert
After signing a CSR obtained with the Pki.GetX509Csr command, run this command to store the resulting certificate in the reader's certificate store. The certificate store provides up to 3 slots (for security levels 1-3). This means up to 3 different certificate authorities can store their certificates in a reader.
The certificates must comply with the following limitations:
- Only ECC P-256 and SHA256 are allowed as signing algorithms.
- The length of the tag containing the issuer distinguished name must not exceed 128 bytes.
- No extensions are allowed.
A sample certificate matching all these limitations is the following:
30 82 01 6C 30 82 01 11 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 3C 31 23 30 21 06 03 55 04 03 0C 1A 49 6E 74 65 72 6D 65 64 69 61 74 65 20 43 41 20 66 6F 72 20 52 65 61 64 65 72 31 15 30 13 06 03 55 04 0A 0C 0C 43 75 73 74 6F 6D 65 72 20 4F 6E 65 30 1E 17 0D 30 30 30 31 30 31 30 30 30 30 30 30 5A 17 0D 33 38 30 31 31 39 30 32 31 34 30 37 5A 30 42 31 14 30 12 06 03 55 04 03 0C 0B 53 23 20 31 31 31 31 31 31 31 31 31 13 30 11 06 03 55 04 0A 0C 0A 42 61 6C 74 65 63 68 20 41 47 31 15 30 13 06 03 55 04 07 0C 0C 48 61 6C 6C 62 65 72 67 6D 6F 6F 73 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 C3 4D 0E D2 EA 8F 94 88 93 E0 16 75 06 78 67 BB 96 14 5A A9 24 F8 95 02 4F 47 87 C7 1C B3 1F D5 83 CD 8C A3 FB B2 57 51 38 BF 81 AA 9C 26 DC CA 71 A6 FE 83 1B 2C 88 60 86 69 D3 53 93 08 39 D7 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 49 00 30 46 02 21 00 90 6F 97 EF C0 95 1C 9C FC 60 4C 1F F7 12 00 F4 C8 2C EA FE 4E 9D C9 F0 BE 29 75 C6 E6 42 3C 1B 02 21 00 BB 22 42 56 13 5A B5 BF D1 19 B7 40 EA 44 30 2B 14 3B 86 4E 0C 48 24 96 8F FB 49 69 24 71 CA DF
This sample certificate can be decoded using the following online tool: https://redkestrel.co.uk/products/decoder/
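The limitations above can also be checked offline before the certificate is sent to the reader. The following Python sketch is an added example, not part of the reader documentation or vendor code: `tlvs`, `check_cert` and `MAX_ISSUER` are names chosen here, and counting the whole issuer TLV (header plus value) against the 128-byte limit is an assumption.

```python
# Structural pre-flight check for Pki.StoreX509Cert; does not verify the signature.
ECDSA_SHA256 = bytes.fromhex("2A8648CE3D040302")  # OID 1.2.840.10045.4.3.2
MAX_ISSUER = 128  # assumption: the limit covers the whole issuer TLV (header + value)

def tlvs(buf):
    """Yield (tag, value, total_length) for each DER TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, hdr = buf[i], buf[i + 1], 2
        if n & 0x80:  # long-form length
            hdr += n & 0x7F
            n = int.from_bytes(buf[i + 2:i + hdr], "big")
        if i + hdr + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i + hdr:i + hdr + n], hdr + n
        i += hdr + n

def check_cert(der):
    """Return the list of violated limits (empty if the certificate fits)."""
    (_, cert, _), = tlvs(der)
    tbs, outer_alg, sig = tlvs(cert)
    fields = [f for f in tlvs(tbs[1]) if f[0] != 0xA0]  # drop the [0] version field
    tbs_alg, issuer = fields[1], fields[2]
    problems = []
    for alg in (tbs_alg, outer_alg):
        if next(tlvs(alg[1]))[1] != ECDSA_SHA256:
            problems.append("signature algorithm is not ecdsa-with-SHA256")
    if not problems:  # r and s of a P-256 signature each fit in 33 DER bytes
        (_, rs, _), = tlvs(sig[1][1:])
        if any(len(v) > 33 for _, v, _ in tlvs(rs)):
            problems.append("signature too long for P-256")
    if issuer[2] > MAX_ISSUER:
        problems.append(f"issuer DN is {issuer[2]} bytes (max {MAX_ISSUER})")
    if any(tag == 0xA3 for tag, _, _ in fields):  # [3] is the extensions field
        problems.append("extensions present")
    return problems

# The sample certificate from this page, split at its ASN.1 field boundaries.
SAMPLE = bytes.fromhex("""
30 82 01 6C 30 82 01 11 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 86 48 CE 3D 04 03 02
30 3C 31 23 30 21 06 03 55 04 03 0C 1A 49 6E 74 65 72 6D 65 64 69 61 74 65 20 43 41 20 66 6F 72 20 52 65 61 64 65 72 31 15 30 13 06 03 55 04 0A 0C 0C 43 75 73 74 6F 6D 65 72 20 4F 6E 65
30 1E 17 0D 30 30 30 31 30 31 30 30 30 30 30 30 5A 17 0D 33 38 30 31 31 39 30 32 31 34 30 37 5A
30 42 31 14 30 12 06 03 55 04 03 0C 0B 53 23 20 31 31 31 31 31 31 31 31 31 13 30 11 06 03 55 04 0A 0C 0A 42 61 6C 74 65 63 68 20 41 47 31 15 30 13 06 03 55 04 07 0C 0C 48 61 6C 6C 62 65 72 67 6D 6F 6F 73
30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 C3 4D 0E D2 EA 8F 94 88 93 E0 16 75 06 78 67 BB 96 14 5A A9 24 F8 95 02 4F 47 87 C7 1C B3 1F D5
83 CD 8C A3 FB B2 57 51 38 BF 81 AA 9C 26 DC CA 71 A6 FE 83 1B 2C 88 60 86 69 D3 53 93 08 39 D7
30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 49 00 30 46 02 21 00
90 6F 97 EF C0 95 1C 9C FC 60 4C 1F F7 12 00 F4 C8 2C EA FE 4E 9D C9 F0 BE 29 75 C6 E6 42 3C 1B 02 21 00
BB 22 42 56 13 5A B5 BF D1 19 B7 40 EA 44 30 2B 14 3B 86 4E 0C 48 24 96 8F FB 49 69 24 71 CA DF
""")
```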
Furthermore, the access conditions mask of the security level running the Pki.StoreX509Cert command has to allow setting the corresponding key (SEC_SETKEY1, SEC_SETKEY2 or SEC_SETKEY3 bit of the access condition mask must be set).
This command needs a long timeout, since the ECC operations may take up to 15 seconds.
Properties
- Command code: 0x0911
- Command timeout: 16000 ms
- Possible status codes: General status codes, Pki.ErrCert
Parameters (request frame)
Name | Type/Size | Description |
---|---|---|
SecLevel | Integer (8 bits) | Security level (1-3), which you want to provide with a (new) reader certificate. |
Length of Cert | Integer (16 bits) | Length of Cert in bytes |
Cert | Raw data | X.509 certificate created by signing a CSR returned by Pki.GetX509Csr, encoded in ASN.1 DER format. |
Returned values (response frame)
None