- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: OPENSSL to verify CSF & IMG certificates
OPENSSL to verify CSF & IMG certificates
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
There are three certificates: SRK, CSF & IMG.
SRK is kind of intermediary certificate, whereas CSF and IMG are subordinate or user certificate. The SRK certificate is signed by CA whereas the CSF/IMG are signed by SRK.
I tried to verify the SRK and it works well:
openssl verify -CAfile CA1_sha256_3072_65537_v3_ca_crt.pem SRK1_sha256_3072_65537_v3_ca_crt.pem
SRK1_sha256_3072_65537_v3_ca_crt.pem: OK
Whereas when I try to verify the IMG and CSF with SRK or CA, it doesn't work:
openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca
error 2 at 1 depth lookup:unable to get issuer certificate
openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca
error 2 at 1 depth lookup:unable to get issuer certificate
Can anyone suggest me how to verify CSF & IMG certificates properly?
Greets,
Satya
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I found the solution myself after a bit of googling. It's important to create the chain. So, I did the following
cat SRK1_sha256_3072_65537_v3_ca_crt.pem CA1_sha256_3072_65537_v3_ca_crt.pem > SRK1-CA-chain.pem
openssl verify -CAfile SRK1-CA-chain.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: OK
openssl verify -CAfile SRK1-CA-chain.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: OK
Greets,
Satya
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Hope the following helps.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Yuri.
That is exactly what I did. I combined the certificates of CA and SRK1 into one (CA-SRK1-chain.pem) and then I used that to verify. It worked.
Greetsm
Satya
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I found the solution myself after a bit of googling. It's important to create the chain. So, I did the following
cat SRK1_sha256_3072_65537_v3_ca_crt.pem CA1_sha256_3072_65537_v3_ca_crt.pem > SRK1-CA-chain.pem
openssl verify -CAfile SRK1-CA-chain.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: OK
openssl verify -CAfile SRK1-CA-chain.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: OK
Greets,
Satya
