We’re trying to test mutual TLS authentication with the XBee3 Cellular modules (both the CAT1 and the LTE-M), and we’re starting out with self-signed certificates for both the server and client certificates for our test server. We’re having authentication issues and we believe one issue is that we don’t know the correct way to create self-signed certificates using openssl.
Does anyone have an example of how to use openssl to create a self-signed server certificate and client certificates that will work with the XBee Cellular modems?
The only limitation on the XBee Cellular platforms is that only one certificate is allowed per file. Details: https://www.digi.com/resources/documentation/digidocs/90001525/default.htm#reference/r_tls_cert_limits.htm%3FTocPath%3DTransport%2520Layer%2520Security%2520(TLS)|_____5
The RSA PKCS#1 format is the only common format across XBee Cellular device variants. You can identify a PKCS#1 key file by the presence of BEGIN RSA PRIVATE KEY in the file header.
If you search the internet for how to use openssl, you should have success on the XBee Cellular products. Example:
https://blog.cloudboost.io/implementing-mutual-ssl-authentication-fc20ab2392b3
Also make sure you have configured the device correctly.
Set AT$0 appropriately:
https://www.digi.com/resources/documentation/digidocs/90001525/default.htm#reference/r_cmd__0.htm%3FTocPath%3DAT%2520commands|Network%2520commands|_____3
Make sure the cert files are on the device where you specify.
The docs have everything documented you need to complete your task.
There’s one detail related to creating the certificates that I can’t find related to the XBee3 cellular modules. When creating the keys, can the keys for the client certificate be created with a password or not? I can’t find anywhere a place that specifically states if either way will work or not.
You will not use a password. The XBee device will encrypt the private key appropriately when you upload it as a secure file. You can upload private keys securely with ATFS XPUT filename (or there is an option in the XCTU file manager).
Make sure that the files are in the cert directory.
The docs here describe that process:
https://www.digi.com/resources/documentation/digidocs/90001525/default.htm#reference/r_tls_at_cmds.htm?Highlight="Upload%20private%20keys%20securely%20with"
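One way to generate the self-signed server and client pairs discussed above with openssl, written as an added example and not taken from any poster or from Digi's documentation. It writes unencrypted PKCS#1 keys and one certificate per file and checks both properties; the file names and common names are placeholders, and the explicit `pkey -traditional` step is there because OpenSSL 3.x writes PKCS#8 (`BEGIN PRIVATE KEY`) by default.

```shell
#!/bin/sh
# Added example: self-signed server and client certificates for an mTLS test.
# File names and CNs are placeholders, not values from the thread.
set -eu
umask 077   # keys are written without a passphrase; keep them owner-only

# make_selfsigned <basename> <common-name>
# Writes <basename>.key (PKCS#1, no passphrase) and <basename>.crt (one cert).
make_selfsigned() {
    # Convert explicitly to the traditional PKCS#1 form so the file starts
    # with "BEGIN RSA PRIVATE KEY" on both OpenSSL 1.1.1 and 3.x.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
        openssl pkey -traditional -out "$1.key"
    openssl req -new -x509 -sha256 -days 365 \
        -key "$1.key" -subj "/CN=$2" -out "$1.crt"
}

# check_pair <basename>: returns 0 only if the pair meets the constraints
# named in the thread (PKCS#1, no password, one certificate per file).
check_pair() {
    # PKCS#1 header on the key
    [ "$(head -n 1 "$1.key")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
    # no encryption marker (covers both PKCS#1 and PKCS#8 encrypted forms)
    ! grep -q 'ENCRYPTED' "$1.key" || return 1
    # exactly one certificate in the file
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1.crt")" -eq 1 ] || return 1
    # the certificate's public key matches the private key
    [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1.key" -pubout)" ] || return 1
    # self-signed: the certificate verifies against itself as trust anchor
    openssl verify -CAfile "$1.crt" "$1.crt" >/dev/null 2>&1
}

OUT_DIR=${OUT_DIR:-$(mktemp -d)}
make_selfsigned "$OUT_DIR/server" "server.example.test"
make_selfsigned "$OUT_DIR/client" "xbee-client-01"
check_pair "$OUT_DIR/server"
check_pair "$OUT_DIR/client"
echo "wrote server.key/.crt and client.key/.crt to $OUT_DIR"
```

With self-signed certificates each side uses the other's certificate as its trust anchor, so the test server needs `client.crt` and the module needs `server.crt` in addition to its own `client.crt` and `client.key`.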