2025-08-27 3:13 AM
Dear,
I am writing to inquire about the inclusion of a validity period in the debug authentication certificates used with the STM32H7S3 microcontroller.
My project requires that the debug access certificates I provision have a limited, defined lifespan to align with security policies. I am currently using the latest versions of STM32TrustedPackageCreator (v2.20.0) and PSA_ADAC (v0.2.0) to generate these certificates.
I have reviewed the documentation for both tools and have not found a user-configurable option to specify a notAfter (as is available for X.509) or expiration date for the generated ADAC certificates.
Could someone please clarify the following:
Is it possible to generate ARM ADAC certificates with a defined validity period using any publicly available tools?
If not, is there a different process, tool, or service that would allow me to create such certificates?
Are the certificates generated by the public tools created with a fixed, pre-defined validity period?
Thank you very much!
2025-08-27 5:57 AM
Hello @Eliasvan ,
There is currently no way to manage the validity period of the certificate.
The point here is that this validity date would need to be checked on the STM32H7S target.
As there is no way to ensure a trusted date on the microcontroller, this would be useless.
2 remarks:
1- The certificate alone is not enough to reopen a device. You need access to the associated private key.
2- You can limit the certificate usage to only one target by including its UID.
Best regards
Jocelyn
2025-08-27 8:38 PM
Thank you very much Jocelyn!
Best regards,
Elias
2025-09-04 1:47 AM - edited 2025-09-04 1:48 AM
What is the ST-recommended way to perform your 2nd remark "You can limit the certificate usage to only one target by including its UID"?
Is the recommended way to set the Root.soc_id.Hidden property from 1 to 0 in the "STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/TPC_CertifGen_Data_Base/STM32_CertifGen_DB_0x485.xml" file before launching "STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32TrustedPackageCreator" and setting the soc_id field in the certificate creation GUI to the little endian 96-bit unique device ID as found at 0x08FF_F800?
2025-09-04 6:00 AM
2025-09-04 11:07 AM
Thanks!
And for a command-line version I suppose the ST-provided "PSA_ADAC" utility with subcommand "sign" can be used with the "ConfigGenCertifDA.yml" as input (followed by subcommand "chain" to create chains). :)
2025-09-10 1:11 AM
Yes, this is the tool used by TPC.
You can get the yml file used in the last command here: <user>\STMicroelectronics\STM32CubeProgrammer\ConfigGenCertifDA.yml