
STSAFE-A110 MQTT TLS authentication

Anzal3c3
Associate II

Hello, I am confused about finalizing a secure chip for my IoT gateway (Linux). I have read all the documents for STSAFE-A110. My gateway has an MQTT broker which is bridged to another broker in the cloud. In order to implement TLS for MQTT I need to provide the key and certificate paths in the Mosquitto broker configuration file, which is impossible since the key is stored in the chip and is not user readable.

Question:

1. How to implement TLS over MQTT using STSAFE-A110?

I have read that there is a challenge given to the chip to authorise a connection from the cloud. Is this said generically in the case of TLS, or does an additional program need to be run in the cloud to achieve this, or will this only work in the case of clouds like Azure or AWS? Is it possible to do secure authentication using an OEM cloud?

I am new to this kind of security application; any help would be much appreciated.

Accepted Solution
Benjamin BARATTE
ST Employee

Hi @Anzal3c3,

Actually Mosquitto supports OpenSSL and engines as well, therefore you can have a look at the STSAFE-A OpenSSL package (https://www.st.com/en/embedded-software/stsw-stsa110-ssl.html).

With the STSAFE-A OpenSSL Engine, you will be able to configure the Mosquitto client with the tls-engine parameter and tls_keyform set to "engine", and this should automatically use the STSAFE-A to authenticate within the TLS session.

Regarding the interaction with an OEM Cloud, what is important is to have a certificate for the STSAFE-A which is recognized by the OEM Cloud. This means that you need to configure the CA (Certificate Authority) certificate of your STSAFE-A in your OEM Cloud.

With such a configuration, it will be transparent, as the certificate verification is built into the TLS handshake.

Regarding the configuration of the STSAFE-A, you have by default an X.509 certificate in the STSAFE-A which is signed by a generic ST CA; for testing you can use this CA with your OEM Cloud, but avoid using this generic ST CA in production.

For production, you can check with your local support to get a dedicated STSAFE-A profile, or you can regenerate a certificate for the STSAFE-A using your own CA (you will find an example of how to do so in the STSAFE-A OpenSSL Engine package).

 

Best Regards,

Benjamin


6 REPLIES
Anzal3c3
Associate II

Thank you @Benjamin BARATTE. One more question to ask: how do I implement device authentication? Do ST provide any SDKs for that, or do I have to implement a mechanism (application) to authenticate devices on the cloud side?

Hi @Anzal3c3,

The advantage of the TLS integration is that on the server side you need to enable client authentication and you will have device authentication in your connection.

If you use your own Cloud, you will need to configure your server with device authentication and the CA certificate that has signed your STSAFE-A device certificate.

On the server side, we use AWS or Azure, which offer the Bring Your Own CA mechanism, which is compatible with the STSAFE-A solution, for demonstration purposes.

Best Regards,

Benjamin

That means all I need is to have my own CA, or do I need to implement any mechanism to authenticate on top of having a CA? Sorry for double checking, I am pretty much new to the concept.

Hi @Anzal3c3,

The authentication will be done during the TLS handshake, therefore only devices with the correct certificate will be able to open a session to your Cloud application.

Therefore, only the CA certificate that signs your STSAFE-A certificate is needed.

As mentioned previously, the evaluation samples (STSAFA110xxSPL02/3) are all signed with the default ST prod CA.

You can contact your local support to request a custom STSAFE-A110 profile with a dedicated ST CA for your application.

In the meantime, you can generate a new certificate for your PoC.

Best Regards,

Benjamin
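
The mechanism Benjamin describes in the last two replies, as an added Go example that is not part of this thread or of ST's packages: the cloud side is a TLS server configured with nothing but your CA certificate and client authentication required, so a device certificate chained to that CA completes the handshake and one issued by any other CA is refused. It assumes an ordinary software key standing in for the STSAFE-A private key, loopback TCP, and constructed names such as `My Device CA` and `stsafe-device-0001`.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a self-signed CA when parent is nil, otherwise a leaf signed by parent (the leaf plays the STSAFE-A device certificate; a software key stands in for the chip's).
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent = &tls.Certificate{Leaf: t, PrivateKey: key} } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, t, parent.Leaf, pub, parent.PrivateKey)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake plays the cloud side: trust only ca, require a client certificate, return the verified device CN.
func handshake(ca, srv, dev tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf) // your CA certificate is the only thing the cloud side needs to know about the devices
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // only a device whose certificate chains to ca gets past Handshake and receives any data
		if c, err := ln.Accept(); err == nil {
			if tc := c.(*tls.Conn); tc.Handshake() == nil { tc.Write([]byte(tc.ConnectionState().PeerCertificates[0].Subject.CommonName)) }
			c.Close()
		}
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{dev}, RootCAs: pool, ServerName: "cloud"})
	n, cn := 0, [64]byte{}
	if err == nil { n, err = client.Read(cn[:]); client.Close() } // with TLS 1.3 the server's verdict surfaces on the first read, not in Dial
	return string(cn[:n]), err
}

// RunDemo: a device certificate under your CA is accepted; one under any other CA is rejected in the handshake.
func RunDemo() (string, error) {
	ca, other := newCert("My Device CA", nil), newCert("Some Other CA", nil)
	srv, dev, rogue := newCert("cloud", &ca), newCert("stsafe-device-0001", &ca), newCert("rogue-device", &other)
	cn, _ := handshake(ca, srv, dev)          // chains to your CA: accepted
	_, rejected := handshake(ca, srv, rogue) // another CA: refused, the error says why
	return cn, rejected
}
```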

Thank you @Benjamin BARATTE, you have been a life saver.