2025-08-27 3:13 AM
Dear,
I am writing to inquire about the inclusion of a validity period in the debug authentication certificates used with the STM32H7S3 microcontroller.
My project requires that the debug access certificates I provision have a limited, defined lifespan to align with security policies. I am currently using the latest versions of STM32TrustedPackageCreator (v2.20.0) and PSA_ADAC (v0.2.0) to generate these certificates.
I have reviewed the documentation for both tools and have not found a user-configurable option to specify a notAfter (as is available for X.509) or expiration date for the generated ADAC certificates.
Could someone please clarify the following:
Is it possible to generate ARM ADAC certificates with a defined validity period using any publicly available tools?
If not, is there a different process, tool, or service that would allow me to create such certificates?
Are the certificates generated by the public tools created with a fixed, pre-defined validity period?
Thank you very much!
2025-08-27 5:57 AM
Hello @Eliasvan,
There is currently no way to manage the validity period of the certificate.
The point here is that this validity date would need to be checked on the STM32H7S target.
As there is no way to ensure a trusted date on the microcontroller, this would be useless.
Two remarks:
1- The certificate alone is not enough to reopen a device. You need access to the associated private key.
2- You can limit the certificate usage to only one target by including its UID.
Best regards
Jocelyn