Hi,
I work on a Freescale i.mx28 and I use High Assurance Boot (HAB).
When creating certificates with the "hab4_pki_tree.sh" script, which is provided with the Code Signing Tool, I can enter a certificate validity duration of max. 20 years.
What happens after 20 year? Does the i.mx28 not boot anymore? Am I not able to sign software anymore? Or do I have to add new CSF and IMG certificates to sign software with them?
My questions are: Who checks the certificate duration and when? Which certificates have a limited duration (I assume the root-certificate has unlimited duration)?
Best regards,
Chris
Solved! Go to Solution.
Hi Chris,
Currently, if the validity period of the certificate expires nothing will happen. The ROM/HAB does not enforce certificate validity periods and the Code Signing Tool will still allow code to be signed. The intent is to enforce the cert validity periods with the code signing tool. However, feature has not yet been added and is planned as an update to the code signing tool.
Regards,
-Rod
Hi Chris,
Currently, if the validity period of the certificate expires nothing will happen. The ROM/HAB does not enforce certificate validity periods and the Code Signing Tool will still allow code to be signed. The intent is to enforce the cert validity periods with the code signing tool. However, feature has not yet been added and is planned as an update to the code signing tool.
Regards,
-Rod
Hi Rod,
Any update on the certificate expiry and certificate revocation and if the fuses can be revoked?
Regards,
Guru