<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic third party adding key to HABv4 PKI in i.MX Processors</title>
    <link>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1262037#M172590</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We are considering the case where a third party, not owning any of the SRK keys already generated for the HABv4 PKI tree, should generate its own IMG key pair, ask us to sign the public part or certificate with one of the 4 SRK private keys (we can't give them any SRK private keys), and then we return the signed IMG public key certificate to them.&lt;/P&gt;&lt;P&gt;In the end we can't give them the SRK private key, and we can't know their IMG private key.&lt;/P&gt;&lt;P&gt;How should we sign the additional IMG key (public, certificate)? Should they send us the CSR (Certificate Signing Request)?&lt;/P&gt;&lt;P&gt;I can see in the add_key.sh script that actual signing is involved when generating the certificate:&lt;/P&gt;&lt;P&gt;&lt;EM&gt;# Generate certificate&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;openssl ca -batch -passin file:./key_pass.txt \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-md ${md} -outdir ./ \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-in ./${key_fullname}_req.pem \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-cert ${signing_crt} \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-keyfile ${signing_key} \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-extfile ../ca/v3_${ca}.cnf \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-out ../crts/${key_fullname}_crt.pem \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-days ${val_period} \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-config ../ca/openssl.cnf&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;How is it best to proceed when the third party doesn't want us to see their private key and we can't give them the SRK private key? Should they send us a CSR, or is there any other option to directly sign an X509 certificate that includes only the public key?&lt;/P&gt;&lt;P&gt;Of course, at the final step of the process we'd give them the SRK binary map (public) so that they can sign the final content using their private IMG key and the CST tool.&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
    <pubDate>Wed, 14 Apr 2021 13:37:31 GMT</pubDate>
    <dc:creator>antonio_santagi</dc:creator>
    <dc:date>2021-04-14T13:37:31Z</dc:date>
    <item>
      <title>third party adding key to HABv4 PKI</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1262037#M172590</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We are considering the case where a third party, not owning any of the SRK keys already generated for the HABv4 PKI tree, should generate its own IMG key pair, ask us to sign the public part or certificate with one of the 4 SRK private keys (we can't give them any SRK private keys), and then we return the signed IMG public key certificate to them.&lt;/P&gt;&lt;P&gt;In the end we can't give them the SRK private key, and we can't know their IMG private key.&lt;/P&gt;&lt;P&gt;How should we sign the additional IMG key (public, certificate)? Should they send us the CSR (Certificate Signing Request)?&lt;/P&gt;&lt;P&gt;I can see in the add_key.sh script that actual signing is involved when generating the certificate:&lt;/P&gt;&lt;P&gt;&lt;EM&gt;# Generate certificate&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;openssl ca -batch -passin file:./key_pass.txt \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-md ${md} -outdir ./ \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-in ./${key_fullname}_req.pem \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-cert ${signing_crt} \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-keyfile ${signing_key} \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-extfile ../ca/v3_${ca}.cnf \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-out ../crts/${key_fullname}_crt.pem \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-days ${val_period} \&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;-config ../ca/openssl.cnf&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;How is it best to proceed when the third party doesn't want us to see their private key and we can't give them the SRK private key? Should they send us a CSR, or is there any other option to directly sign an X509 certificate that includes only the public key?&lt;/P&gt;&lt;P&gt;Of course, at the final step of the process we'd give them the SRK binary map (public) so that they can sign the final content using their private IMG key and the CST tool.&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Wed, 14 Apr 2021 13:37:31 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1262037#M172590</guid>
      <dc:creator>antonio_santagi</dc:creator>
      <dc:date>2021-04-14T13:37:31Z</dc:date>
    </item>
    <item>
      <title>Re: third party adding key to HABv4 PKI</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1262899#M172662</link>
      <description>&lt;P&gt;Hey, I think I found everything needed. I'll do some tests to verify it works.&lt;/P&gt;&lt;P&gt;The CSR is to be signed by the chosen SRK key, or by all 4 SRK keys, producing 4 certificates in the latter case.&lt;/P&gt;&lt;P&gt;The CSR can be generated by the third party without knowing the private SRK keys.&lt;/P&gt;&lt;P&gt;The CSR can be signed by us, producing a certificate for the public key with the SRK private key.&lt;/P&gt;&lt;P&gt;The resulting certificate can be sent back to the third party together with the SRK public key map. The third party can then produce signed images with the CST tool.&lt;/P&gt;</description>
      <pubDate>Thu, 15 Apr 2021 14:23:22 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1262899#M172662</guid>
      <dc:creator>antonio_santagi</dc:creator>
      <dc:date>2021-04-15T14:23:22Z</dc:date>
    </item>
    <item>
      <title>Re: third party adding key to HABv4 PKI</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1263331#M172715</link>
      <description>&lt;P&gt;&lt;a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/120713"&gt;@antonio_santagi&lt;/a&gt;&lt;BR /&gt;Hello&lt;/P&gt;
&lt;P&gt;Yes, your understanding is correct.&lt;/P&gt;
&lt;P&gt;Regards,&lt;BR /&gt;Yuri.&lt;/P&gt;</description>
      <pubDate>Fri, 16 Apr 2021 07:42:55 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/third-party-adding-key-to-HABv4-PKI/m-p/1263331#M172715</guid>
      <dc:creator>Yuri</dc:creator>
      <dc:date>2021-04-16T07:42:55Z</dc:date>
    </item>
  </channel>
</rss>