AnsweredAssumed Answered error adding further SRK key to SRK table

Question asked by Antonio Santagiuliana on May 12, 2020
Latest reply on May 26, 2020 by Yuri Muhin


I am using script to add a new SRK key ( SRK3 ) to an already done PKIT tree containing 2 SRK keys ( SRK1 and SRK2 ).

I answer the questions as follow :

Which version of HAB/AHAB do you want to generate the key for (4 = HAB4 / a = AHAB)?: 4
Enter new key name (e.g. SRK5): SRK3
Enter new key type (ecc / rsa): rsa
Enter new key length in bits: 4096
Enter certificate duration (years): 10
Is this an SRK key?: yes
Enter SRK signing key name: ..path..CA1_sha256_4096_65537_v3_ca_key.pem
Enter SRK signing certificate name: ..path..CA1_sha256_4096_65537_v3_ca_crt.pem
Generating RSA private key, 4096 bit long modulus (2 primes)


SRK3 private/public key pair is generated.

Now I try generating theSRK table and the fuse map with the 3 SRK keys ( 2 SRK keys added when builing the PKI tree at the beginning and this SRK3 key just added ).

I get the error message :


[ERROR] SRKTOOL: All certificates must be either CA or user certs


Why does this happen ? 

SRK1 and SRK2 were defined at the beginning with CA flag set to 'yes': 

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 2
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

that means that IMG1,IMG2,CST1,CST2 keys were also generated.

I then tried to add also IMG3 and CST3 keys signed by the new SRK3 key, by using script , but I anyway got the same error then when I tried to generate the SRK table and fuse map with SRK1, SRK2, SRK3.


If I generate instead initially SRK tree with 2 keys, SRK1 and SRK2, with CA flag set to no, then I don't get any error if I build SRK table after I added SRK3 with script


In summary, does it mean that if I want to add an SRK key later to a PKI tree with two SRK keys already generated I need to generate all the SRK keys with CA not set ?


And then does it mean that I cannot have IMG and CST keys ? Selecting  Do you want the SRK certificates to have the CA flag set? (y/n)?: n

'n' here means we switch to use fast authentication so only SRK key is used, is that right ?

Can I use this fast authentication configuration on iMx8M Mini ? I read that it is supported only from HAB 4.1.2.


Or what other limitations are there if I want to add SRK keys later ?


thank you