Import CA on EXS62 module | Thales IoT Developer Community
September 29, 2022 - 12:00pm, 2382 views
Hello everyone,
I am trying to enable a secure MQTT connection with TLS on the EXS62-W module. To do that, I need to import a CA certificate into the module's NVRAM. Following the documentation, I saw that this can be done with the AT command AT^SBNW=is_cert,1 or using the cmd_ipcertmgr.jar tool.
If I use this command I get no answer, so I want to try with the Java tool, but I don't know where to find this tool and the following files for my module.
Can someone tell me where to find this tool, or what the correct use of the AT^SBNW=is_cert,1 command is to import the CA?
Hello,
You can find more information and the tools in the AN62 document (Transport Layer Security for Client TCP/IP Services). The necessary tools are also embedded in this document. AT^SBNW=is_cert,1 can be used to upload the binary file (secure command), which first needs to be prepared with the provided tools or with any other tool. AN62 also describes how to build the security commands without the provided tools. cmd_IpCertMgr.jar can either be used to prepare the command or to prepare and upload it to the module.
Example for the second case (installation of the private cert):
java -jar cmd_IpCertMgr.jar -serialPort COM52 -serialSpd 115200 -cmd writecert -certfile client_certificate.der -keyfile private_key.der -certIndex 0 -sigType NONE
Best regards,
Bartłomiej
How do you open it? The file should be embedded in the document. I use Acrobat Reader; on the left side I find the paper clip icon - it opens the document attachments. You should see the exs62-w_exs82-w_tls_tools.7z file there. Please check.
Thanks, I found it.
Now I am trying to connect the EXS62-W module to my Mosquitto broker with MQTTS. I want to import only the Certificate Authority (CA) into the module. I have seen some mandatory arguments like keystore or keypass which I do not have. Is there any way to import only the CA into the module and have MQTTS established?
Hello,
If your MQTT broker does not require the client certificate you can connect without it. If you want to check the server certificate you need to install the root CA on the module. It can be done in a similar way to the client certificate. You just don't provide the key file and change the index to greater than 0 (index 0 is for the client certificate and other indices are for server certs). The module also has some preconfigured root CA certificates which you can use - move to is_cert storage - see AN62 for more details.
BR,
Bartłomiej
Okay but when I don't provide the key file, I get Mandatory parameter missing. What am I doing wrong? Here is a screen of my case.
Or when I try to upload it this way I get Illegal parameter.
Sorry for spamming, but now I also see that I may be using the wrong tool. In the AN62 document that I was looking at (https://ptelectronics.ru/wp-content/uploads/organizatsiya_bezopasnogo_ss...) the attached files are "wm01_tls_tools.7z" and "wm02_tls_tools.7z". Is the tool in these files suitable for my EXS62-W module or should I use another AN62 document with "exs62-w_exs82-w_tls_tools.7z" as you said before?
IMEI and alias are not necessary here. But there needs to be a sigType. So, the second attempt seems correct. Please try to remove mode - it is not necessary in this case.
I still get the same response - "Illegal parameter" - when I remove the mode. The illegal parameter refers to the sigType, but then you say it needs to be there. What else could be wrong, perhaps the version of the cmd_ipcertmgr.jar tool?