2.2.1.7 Certificates Dynamic Storage

X.509 Certificates

X.509 Certificates are not a required part of the LoRaWAN security specification. If so desired, a given application may add additional security through use of X.509 Certificates. The ATECC608B-TNGLoRaWAN device has a dedicated Slot 8 for X.509 Certificates. Certificates are saved in a compressed format. This technique may be better called a partial certificate as it stores dynamic certificate information on the device and imposes some limitations. Dynamic information is certificate content that can be expected to change from device to device (e.g., public key, validity dates, etc.). Firmware is expected to have a certificate definition (atcacert_def_t from CryptoAuthLib) with a template of the full X.509 Certificate containing static information (data that are the same for all certificates) and instructions on how to rebuild the full certificate from the dynamic information in the compressed certificate.

The following application note documents the compressed certificate format: ATECC Compressed Certificate Definition.

The CryptoAuthLib library also contains the atcacert module for working with compressed certificates.

Signer Public Key

The signer public key is the public key needed to verify the signer and the information that is associated with the signer compressed certificate. For the ATECC608B-TNGLoRaWAN, this is stored in Slot 8 in the first 72 bytes.

Device Certificate

The Device certificate consists of information associated with the actual end unit for the ATECC608B-TNGLoRaWAN.

Signer Certificate

The Signer certificate consists of the information associated with the signer used to sign the Device certificate. For the ATECC608B-TNGLoRaWAN.

The following table shows the storage locations for the various elements of the ATECC608B-TNGLoRaWAN X.509 Certificate.

Table 2-5. Slot 8 Storage
ItemSlot #Bytes
Signer Public Key8[0:71]
Device Certificate8[72:143]
Signer Certificate8[144:215]
Additional Data Storage8[216-415]