MbedTLS v.1.2 handshake

MohitGediya — Mon, 01 Jun 2026 09:25:11 GMT

I want to offload TLS v.1.2 handshake process to SE052 Secure element IC from host ESP32c3devkitm.
It is act as server, which is v.3.7.0 zephyr based sample application.
There is no support is added in module to offload whole cryptographic operations to SE.

I go though "SE05x IoT applet APDU Specification". Using this document, I was thinking i can create wrapper function using APDU commands. Which is working based on directly perform operation on SE052.

There is Understanding gap for certificate stores.
If I store CA certificate or server certificate inside SE052, than how it will become part of TLS handshake using SE052 ICs.

If I will not stores it inside SE052 than how to add support for TLS handshake process.(Whole handshake process is offloaded to SE052).

What approach should I use to handshake offloads to SE052 from host controller.
What maximum operations can i performs.
I can create wrapper function for possible each process.

@Kan @kan_li

Re: MbedTLS v.1.2 handshake

Kan_Li — Wed, 03 Jun 2026 00:42:46 GMT

Hi @MohitGediya ,

No—you should not design this as a full TLS 1.2 handshake offload to SE052. The host TLS stack may use SE05x/SE052 as a secure crypto co-processor , but not as a standalone TLS engine that owns the complete TLS protocol state machine. The host MCU/RTOS still runs mbedTLS/Zephyr TLS, parses and builds handshake messages, manages certificate exchange/validation flow, and uses the secure element for selected cryptographic operations and secure credential storage such as :

random generation, ECDH/ECDHE-related secret derivation, and ECDSA or RSA sign/verify/decrypt depending on configuration and key type.

For your questions:

1)If I store CA certificate or server certificate inside SE052, than how it will become part of TLS handshake using SE052 ICs.

It becomes part of the handshake only after the host retrieves or associates that certificate with the TLS stack . The middleware example shows the certificate being read from the SE, parsed on the host, and then used by mbedTLS; the private key remains referenced inside the SE for sign/ECDH operations.

For CA certificates specifically, the common architecture is that the host uses the CA certificate to verify the peer certificate chain.

2) If I will not stores it inside SE052 than how to add support for TLS handshake process.

You can still do the handshake normally by:

keeping the certificate chain in host memory/flash
loading it into mbedTLS on the host
keeping only the private key in SE052 and associating it as a reference key for sign/ECDH operations

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

topic Re: MbedTLS v.1.2 handshake in Secure Authentication

MbedTLS v.1.2 handshake

Re: MbedTLS v.1.2 handshake