This repository was archived by the owner on Jun 27, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 19
Keys and Certificates
Artem Yushev edited this page Jul 6, 2020
·
4 revisions
Each OPTIGA™ Trust X security chip is populated with individual X.509 certificate with a corresponding private key. The certificate has a following form:
Example Certificate in DER format without pre-pended identity tags stored on chip. This 9 bytes play an important role for the on-chip DTLS feature.
30 82 01 C0 30 82 01 67 A0 03 02 01 02 02 04 01 02 03 0A 30
0A 06 08 2A 86 48 CE 3D 04 03 02 30 77 31 0B 30 09 06 03 55
04 06 13 02 44 45 31 21 30 1F 06 03 55 04 0A 0C 18 49 6E 66
69 6E 65 6F 6E 20 54 65 63 68 6E 6F 6C 6F 67 69 65 73 20 41
47 31 13 30 11 06 03 55 04 0B 0C 0A 4F 50 54 49 47 41 28 54
4D 29 31 30 30 2E 06 03 55 04 03 0C 27 49 6E 66 69 6E 65 6F
6E 20 4F 50 54 49 47 41 28 54 4D 29 20 54 72 75 73 74 20 58
20 54 65 73 74 20 43 41 20 30 30 30 30 1E 17 0D 31 36 30 35
31 30 32 30 31 39 30 31 5A 17 0D 33 36 30 35 30 35 32 30 31
39 30 31 5A 30 00 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06
08 2A 86 48 CE 3D 03 01 07 03 42 00 04 A0 28 0E 73 9F 32 7A
8E 81 3B 5A 15 45 56 64 97 43 DC 22 A6 03 63 84 6D 08 72 DD
BD 38 8B 7C C2 AA 62 25 13 0F 0F 0F D5 73 D6 5B FE 07 66 77
0F A3 A9 C6 31 5D 80 D3 76 14 32 15 67 6B 6C 18 61 A3 58 30
56 30 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 0E 06 03 55
1D 0F 01 01 FF 04 04 03 02 07 80 30 15 06 03 55 1D 20 04 0E
30 0C 30 0A 06 08 2A 82 14 00 44 01 14 01 30 1F 06 03 55 1D
23 04 18 30 16 80 14 42 E3 5D 56 E5 6C 8E 8D 02 71 8C 9E F2
33 C9 47 3B 82 53 6C 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03
47 00 30 44 02 20 1D 9C 64 5D ED AF C8 3B 16 58 A6 F1 D1 81
C4 52 52 CD 43 C0 2A 4D 70 A7 B1 17 64 24 84 0F 39 95 02 20
43 12 B7 B0 1D 61 28 2B 2F 6F 63 40 ED B0 B0 D0 81 31 50 6B
A4 72 F3 A9 09 7C 2D E3 28 FA 6D 99
The same certificate in PEM format
-----BEGIN CERTIFICATE-----
MIIBwDCCAWegAwIBAgIEAQIDCjAKBggqhkjOPQQDAjB3MQswCQYDVQQGEwJERTEh
MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRMwEQYDVQQLDApPUFRJ
R0EoVE0pMTAwLgYDVQQDDCdJbmZpbmVvbiBPUFRJR0EoVE0pIFRydXN0IFggVGVz
dCBDQSAwMDAwHhcNMTYwNTEwMjAxOTAxWhcNMzYwNTA1MjAxOTAxWjAAMFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAEoCgOc58yeo6BO1oVRVZkl0PcIqYDY4RtCHLd
vTiLfMKqYiUTDw8P1XPWW/4HZncPo6nGMV2A03YUMhVna2wYYaNYMFYwDAYDVR0T
AQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFQYDVR0gBA4wDDAKBggqghQARAEUATAf
BgNVHSMEGDAWgBRC411W5WyOjQJxjJ7yM8lHO4JTbDAKBggqhkjOPQQDAgNHADBE
AiAdnGRd7a/IOxZYpvHRgcRSUs1DwCpNcKexF2QkhA85lQIgQxK3sB1hKCsvb2NA
7bCw0IExUGukcvOpCXwt4yj6bZk=
-----END CERTIFICATE-----
The same certificate parsed by openSSL
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16909066 (0x102030a)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM), CN=Infineon OPTIGA(TM) Trust X Test CA 000
Validity
Not Before: May 10 20:19:01 2016 GMT
Not After : May 5 20:19:01 2036 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a0:28:0e:73:9f:32:7a:8e:81:3b:5a:15:45:56:
64:97:43:dc:22:a6:03:63:84:6d:08:72:dd:bd:38:
8b:7c:c2:aa:62:25:13:0f:0f:0f:d5:73:d6:5b:fe:
07:66:77:0f:a3:a9:c6:31:5d:80:d3:76:14:32:15:
67:6b:6c:18:61
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Certificate Policies:
Policy: 1.2.276.0.68.1.20.1
X509v3 Authority Key Identifier:
keyid:42:E3:5D:56:E5:6C:8E:8D:02:71:8C:9E:F2:33:C9:47:3B:82:53:6C
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:1d:9c:64:5d:ed:af:c8:3b:16:58:a6:f1:d1:81:
c4:52:52:cd:43:c0:2a:4d:70:a7:b1:17:64:24:84:0f:39:95:
02:20:43:12:b7:b0:1d:61:28:2b:2f:6f:63:40:ed:b0:b0:d0:
81:31:50:6b:a4:72:f3:a9:09:7c:2d:e3:28:fa:6d:99
Both the certificate and the private key are protected and can't be overwritten. A user can read the certificate out of the chip.
More information about the PKI architecture can be found in the official documentation