SSL Sample App

The certificate generation code in the SSL sample app runs every time the program runs. Is this required, or could the certificate be generated once and stored in NVRAM and reused for subsequent runs? Any examples on how this would be done?

Did you ever get an answer to this? In our last project we did exactly this.

Basically, we just generate the certificate using NASSLX509Generate() and then store the key, key length, certificate and certificate length in NVRAM. On the next boot we check to see if the certificate is there, and if it is we use that to start our secure server. If it’s not, we generate it and store it.

I have a follow up question for anyone listening though. Does anyone have code to decode a cert.der file? I’d like to download a cert.der file and use that as our certificate. As far as I can tell the cert.der file is used verbatim for the certificate portion in the call:

int RpHSStartServerSecure(unsigned char * cipher_list, int cipher_list_len, char * certificate, int certificate_len, char * key, int key_len, char secure_only);

But where do I get the key if I download this file? Is the key in the file or is it generated from the info in the file?
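The store-and-check-on-boot logic described above, as an added example (not code from this thread or from Digi's Net+OS): NVRAM is modelled as an in-memory byte array, the key and certificate bytes are constructed stand-ins for what NASSLX509Generate() would return, and the function names are assumptions. It adds a magic value and a checksum so that blank or corrupted NVRAM is detected and a fresh certificate generated, instead of handing garbage lengths to the server start call.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not the thread's code: NVRAM is a byte array here; the real
 * platform read/write calls are assumed. Header: magic, key_len, cert_len, checksum. */
#define CERT_MAGIC 0x43455254u   /* "CERT"; blank (0x00 or 0xFF) NVRAM never matches */
typedef struct { uint32_t magic, key_len, cert_len, checksum; } cert_hdr_t;
/* Fletcher-style checksum over bytes: cheap, and catches any single-bit flip. */
static uint32_t fletcher32(const uint8_t *d, size_t n) {
    uint32_t s1 = 0xffff, s2 = 0xffff;
    for (size_t i = 0; i < n; i++) { s1 = (s1 + d[i]) % 65535; s2 = (s2 + s1) % 65535; }
    return (s2 << 16) | s1;
}
/* Store key and certificate after generation; returns -1 if they do not fit. */
int nvram_store_cert(uint8_t *nv, size_t nv_size, const uint8_t *key, uint32_t key_len,
                     const uint8_t *cert, uint32_t cert_len) {
    cert_hdr_t h = { CERT_MAGIC, key_len, cert_len, 0 };
    if ((uint64_t)key_len + cert_len + sizeof h > nv_size) return -1;
    memcpy(nv + sizeof h, key, key_len);
    memcpy(nv + sizeof h + key_len, cert, cert_len);
    h.checksum = fletcher32(nv + sizeof h, key_len + cert_len);
    memcpy(nv, &h, sizeof h);   /* header last: a torn write leaves no valid magic */
    return 0;
}
/* On boot: 1 = valid cached record, 0 = generate afresh (blank NVRAM, bad lengths, bad sum). */
int nvram_load_cert(const uint8_t *nv, size_t nv_size, const uint8_t **key, uint32_t *key_len,
                    const uint8_t **cert, uint32_t *cert_len) {
    cert_hdr_t h;
    if (nv_size < sizeof h) return 0;
    memcpy(&h, nv, sizeof h);
    if (h.magic != CERT_MAGIC || h.key_len == 0 || h.cert_len == 0) return 0;
    /* lengths come from storage, not from us: bound them before touching the data */
    if ((uint64_t)h.key_len + h.cert_len + sizeof h > nv_size) return 0;
    if (fletcher32(nv + sizeof h, h.key_len + h.cert_len) != h.checksum) return 0;
    *key = nv + sizeof h;      *key_len = h.key_len;
    *cert = *key + h.key_len;  *cert_len = h.cert_len;
    return 1;
}
/* Round trip on a blank (0xFF) image; 1 if blank and corrupted images are rejected
 * and the stored record reads back intact. Key/cert bytes are constructed samples. */
int cert_cache_demo(void) {
    static uint8_t nv[1024]; const uint8_t *k, *c; uint32_t kl, cl;
    uint8_t key[] = "constructed-key-bytes", cert[] = "constructed-der-bytes";
    memset(nv, 0xff, sizeof nv);
    if (nvram_load_cert(nv, sizeof nv, &k, &kl, &c, &cl) != 0) return 0;   /* blank */
    if (nvram_store_cert(nv, sizeof nv, key, sizeof key, cert, sizeof cert) != 0) return 0;
    if (nvram_load_cert(nv, sizeof nv, &k, &kl, &c, &cl) != 1) return 0;   /* cached */
    nv[sizeof(cert_hdr_t) + 3] ^= 1;   /* flip one key byte: checksum must now reject */
    if (nvram_load_cert(nv, sizeof nv, &k, &kl, &c, &cl) != 0) return 0;
    return kl == sizeof key && cl == sizeof cert && memcmp(c, cert, cl) == 0;
}
```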

No, no response. I actually ended up using OpenSSL (see thread titled “Attn: eqawtry”). I’ve yet to delve into the certificate generation and checking portions, as it took me a while just to get Soap transactions working over OpenSSL. Will probably do that soon. I assume OpenSSL has the tools you need to convert keys from one type to another. The Digi SSL stuff is supposedly derived from OpenSSL, so it must be able to handle the right formats (well, one would hope).

How long did it take you to port OpenSSL over? I understand that’s quite a job.

I didn’t do the port, eqawtry did, and put a zip file up in the above mentioned thread. I had to change a few bits, also noted in that thread.

So far, it works as expected. However, I don’t think you’ll be able to serve https web pages with it, as you have to replace libssl and libcrypto. Perhaps it is possible to use both at once, but at a huge memory penalty, and I don’t know how it would be done. I assume the web server uses the NASSL* functions internally. Perhaps these can be recreated, I don’t know. There aren’t too many of them (four in Net+OS 6, about 15 in 6.3, if I am counting correctly).

BTW, would it be possible for you to share your cert store and restore code? This might come in handy for future apps that don’t need full OpenSSL.

Sure, it’s pretty simple. I’m doing a release today, but I’ll try and post it tomorrow.