
STSAFE Provisioning

macar
Associate II

Hi everyone,
I’m using the B‑U585I‑IOT02A development board for an IoT project. The onboard STSAFE‑A110 secure element comes pre‑provisioned with a default key and certificate, but for my application I need to:

  1. Provision my own keypair and certificate, and
  2. Optionally add additional keys or certificates into unused STSAFE slots (for testing or multi‑cloud use).

I couldn’t find a clear step‑by‑step guide for:

  • Generating and injecting a custom keypair
  • Uploading a custom certificate chain
  • Adding extra keys/certificates to new STSAFE slots
  • Whether CubeProgrammer or Secure Manager scripts support provisioning user keys

Is there any official documentation, example project, or provisioning tool that explains how to do this on the B‑U585I‑IOT02A?

Any guidance or links would be greatly appreciated.
Thank you!

1 REPLY 1
Benjamin BARATTE
ST Employee

Hi @macar,

Generally, with a Secure Element, it is complex to inject a private key; therefore the Secure Element offers a key generation mechanism, which is the case for the STSAFE-A110.

On the evaluation part of the STSAFE-A110, you have a preloaded private key on slot 0, which can't be renewed.

So, you can only generate a new key pair on the private slot 1. 

What you can also do is generate a PKCS#10 CSR with private key 0, or with a newly generated private key on slot 1, to enroll with your PKI and get your own certificates.

Then you can use the STSAFE-A110 memory region to store your own certificate.

As the STSAFE-A is a companion chip to an MCU, this is out of the scope of the STM32 programming tools. You need to use the STSAFE-A Middleware to manage the STSAFE-A for key generation and memory region read/update.

If you need more private key slots, I would recommend looking at the STSAFE-A120.

You can also find some code examples that can help to generate a CSR with MbedTLS in this thread.

Best Regards,

Benjamin
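An added example, not part of the reply above and not code from ST's middleware: when the CSR is signed by a key that stays inside the secure element, the signature has to be re-encoded before it goes into the PKCS#10 structure. It assumes the element hands back the ECDSA signature as two raw big-endian values R and S of equal length (32 bytes for P-256); the function names `der_put_uint` and `ecdsa_raw_to_der` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode one unsigned big-endian value as a DER INTEGER; returns bytes written. */
static size_t der_put_uint(uint8_t *out, const uint8_t *v, size_t n)
{
    size_t pad;
    while (n > 1 && v[0] == 0x00) { v++; n--; }  /* DER is minimal: drop leading zeros */
    pad = (v[0] & 0x80) ? 1 : 0;                 /* 0x00 prefix keeps the value positive */
    out[0] = 0x02;                               /* INTEGER tag */
    out[1] = (uint8_t)(n + pad);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, n);
    return 2 + pad + n;
}

/* Build ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } from raw r and s
 * of coord_len bytes each. Limited to 48-byte coordinates (P-384), so the
 * SEQUENCE body is at most 102 bytes and a single length byte is enough.
 * Returns the DER length, or 0 on bad arguments or a too-small buffer. */
size_t ecdsa_raw_to_der(const uint8_t *r, const uint8_t *s, size_t coord_len,
                        uint8_t *out, size_t out_cap)
{
    uint8_t body[2 * (2 + 1 + 48)];
    size_t blen;
    if (!r || !s || !out || coord_len == 0 || coord_len > 48) return 0;
    blen = der_put_uint(body, r, coord_len);
    blen += der_put_uint(body + blen, s, coord_len);
    if (out_cap < 2 + blen) return 0;
    out[0] = 0x30;                               /* SEQUENCE tag */
    out[1] = (uint8_t)blen;
    memcpy(out + 2, body, blen);
    return 2 + blen;
}

int main(void)
{
    uint8_t r[32], s[32], der[72];  /* constructed sample values, not a real signature */
    memset(r, 0x11, sizeof r); r[0] = 0x80;  /* high bit set: needs the 0x00 prefix */
    memset(s, 0x22, sizeof s); s[0] = 0x00;  /* leading zero: must be stripped */
    size_t n = ecdsa_raw_to_der(r, s, 32, der, sizeof der);
    for (size_t i = 0; i < n; i++) printf("%02x", der[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

Copying R and S into the CSR as fixed-width integers works only for some signatures, so a CA that rejects the request intermittently is a sign that this encoding step is wrong.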