Pki.StoreX509RootCert
This command has been deprecated. Do not use it in new code as we may remove it in the future.
Every security level that should be usable with the PKI must be provided with a root certificate. The certificate chain provided in the Pki.PfsAuthHostCert command will be verified against this root certificate.
The root certificates must comply with the following limitations:
- Certificates have to be X.509 v3 certificates.
- Only ECC P-256 and SHA256 are allowed as signing algorithms.
- The length of the tags containing the Issuer Unique Identifier and the Subject Unique Identifier must not exceed 128 Bytes.
- The only allowed extension is basicConstraints (indicating the certificate is a CA certificate).
- The validity period always has to be from "Jan 1 00:00:00 2000 GMT" to "Jan 19 02:14:07 2038 GMT".
A sample certificate matching all these limitations is the following:
30 82 01 9D 30 82 01 43 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 41 31 19 30 17 06 03 55 04 03 0C 10 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 31 11 30 0F 06 03 55 04 0A 0C 08 45 71 75 69 74 72 61 63 31 11 30 0F 06 03 55 04 07 0C 08 57 61 74 65 72 6C 6F 6F 30 1E 17 0D 30 30 30 31 30 31 30 30 30 30 30 30 5A 17 0D 33 38 30 31 31 39 30 32 31 34 30 37 5A 30 41 31 19 30 17 06 03 55 04 03 0C 10 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 31 11 30 0F 06 03 55 04 0A 0C 08 45 71 75 69 74 72 61 63 31 11 30 0F 06 03 55 04 07 0C 08 57 61 74 65 72 6C 6F 6F 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42 00 04 B0 13 B7 1F A6 61 47 8E 8D 2F FC C0 36 17 C0 51 5D 2A 39 C5 67 15 1A E3 85 2A 3B 9C 2E 93 FA 41 0A B5 F3 66 62 6A F8 04 D7 0E D1 DB 7A 2D 36 26 0A A5 77 D2 9C D4 65 24 70 DF 9A 74 40 C2 A7 B1 A3 2C 30 2A 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 17 06 09 2B 06 01 04 01 82 DE 55 01 01 01 FF 04 07 03 05 00 08 00 10 80 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03 48 00 30 45 02 21 00 BB 42 BB 32 8C D5 68 39 E9 40 28 10 5F 63 E1 52 9A 63 06 BF B2 69 03 0A F8 9D A5 56 95 CF 0F B2 02 20 35 D6 FF 5C 9A 42 D9 85 5E F3 16 DA 7A 53 19 F7 74 81 A4 54 B3 D4 C9 74 26 78 D2 1D 11 52 2D 2A
This sample certificate can be decoded using the following online tool: https://redkestrel.co.uk/tools/decoder/
Furthermore, the access condition mask of the security level running the Pki.StoreX509RootCert command has to allow setting the corresponding key (the SEC_SETKEY1, SEC_SETKEY2 or SEC_SETKEY3 bit of the access condition mask must be set).
This command needs a long timeout, since the ECC operations may take up to 15 seconds.
Properties
- Command code: 0x0912
- Command timeout: 16000 ms
- Possible status codes: General status codes, Pki.ErrCert
Parameters (request frame)
| Name | Type/Size | Description |
|---|---|---|
| SecLevel | Integer (8 bits) | Security level (1-3), for which the root certificate should be stored. |
| Length of Cert | Integer (16 bits) | Length of Cert in bytes |
| Cert | Raw data | X.509 root certificate encoded in ASN.1 DER format. |
Returned values (response frame)
None