4.5.3 Certificate Storage

The amount of storage required for a full X.509 Certificate within the device can rapidly use up multiple EEPROM memory slots. Depending on the actual application, it may or may not be desirable to use these slots for certificate storage. Due to these memory limitations, Microchip has defined an encoding that allows for a full X.509 Certificate to be reconstructed from a minimal amount of information.

The host system is responsible for reconstructing the full X.509 Certificate; how it does so is determined by the data stored in the encoded certificate. Data that are common to all devices for a given system can readily be stored in the host system. Other data can readily be calculated or extracted from data that are already stored in the device. Table 4-12 indicates the type of data that are stored in an X.509 Certificate and how they can be encoded to fit into a single 72-byte slot.

Table 4-12. Certificate Storage
| X.509 Element | Size (Bytes) | Encoded Certificate Element | Device Cert (Bits) | Signer Cert (Bits) |
|---|---|---|---|---|
| Serial Number | 8-20 | Serial number source | 4 | 4 |
| Issue Date | 13 | Compressed format | 19 | 19 |
| Expiry Date | 13 | # of years before expiration | 5 | 5 |
| Signer ID (2) | 4 | ID of the specific signer used to sign the certificate (device cert) or of the signer itself (signer cert) | 16 | 16 |
| AuthorityKeyIdentifier | 20 | SHA1 HASH of the authority public key | 0 | 0 |
| SubjectKeyIdentifier | 20 | SHA1 HASH of the subject public key | 0 | 0 |
| Signature R | 32 | Stored in device | 256 | 256 |
| Signature S | 32 | Stored in device | 256 | 256 |
| Public Key X (1) | 32 | Calculated from the private key or stored in the device (1) | 0 | 256 |
| Public Key Y (1) | 32 | Calculated from the private key or stored in the device (1) | 0 | 256 |
| n/a | 0 | Cert format | 4 | 4 |
| n/a | 0 | Template ID | 4 | 4 |
| n/a | 0 | Chain ID | 4 | 4 |
| n/a | 0 | Reserved/User Defined | 8 | 8 |
| Total | (206-218 bytes) | | 576 bits (72 bytes) | 1088 bits (136 bytes) |

Note:
  1. For the device certificate, the device public key can be regenerated from the private key. For the signer certificate, the public key is typically stored in a separate slot.
  2. For the device certificate, the ID of the signer used to sign the certificate is stored. For the signer certificate, the actual ID of the signer is stored so that the device can identify it.

Slot 8 contains a total of 416 bytes. Depending on the size of the serial number stored in the cert, it may or may not be possible to store two complete certificates. Often within devices where a chain of trust has been created, the device certificate, the signer certificate and the signer public key must be stored within the device.

For more information, see the Compressed Certificate Definition Application Note.
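
The 72-byte device certificate described in Table 4-12 can be decoded on the host along the following lines. This is an added example, not Microchip code: the byte order, the bit packing of the date fields and the year-2000 base are assumptions to be checked against the Compressed Certificate Definition Application Note, and the sample input is constructed.

```python
# Added example, not Microchip code. ASSUMED byte layout (not stated in this
# section; check it against the Compressed Certificate Definition app note):
#   0-63 signature R||S; 64-66 dates, MSB first: year-2000 (5 bits), month (4),
#   day (5), hour (5), years before expiration (5); 67-68 signer ID;
#   69 template ID | chain ID; 70 serial number source | cert format; 71 reserved
COMPRESSED_CERT_LEN = 72  # 576 bits, per Table 4-12


def _bits(value, offset, width, total=24):
    """Return `width` bits starting `offset` bits below the MSB of `value`."""
    return (value >> (total - offset - width)) & ((1 << width) - 1)


def decode_compressed_cert(blob: bytes) -> dict:
    if len(blob) != COMPRESSED_CERT_LEN:
        raise ValueError(f"expected {COMPRESSED_CERT_LEN} bytes, got {len(blob)}")
    dates = int.from_bytes(blob[64:67], "big")  # 19-bit issue date + 5-bit expiry
    fields = {
        "sig_r": blob[0:32],
        "sig_s": blob[32:64],
        "issue_year": 2000 + _bits(dates, 0, 5),
        "issue_month": _bits(dates, 5, 4),
        "issue_day": _bits(dates, 9, 5),
        "issue_hour": _bits(dates, 14, 5),
        "expire_years": _bits(dates, 19, 5),
        "signer_id": blob[67:69].hex().upper(),
        "template_id": blob[69] >> 4,
        "chain_id": blob[69] & 0x0F,
        "sn_source": blob[70] >> 4,
        "cert_format": blob[70] & 0x0F,
        "reserved": blob[71],
    }
    # Reject impossible dates before the host rebuilds the X.509 structure.
    if not (1 <= fields["issue_month"] <= 12 and 1 <= fields["issue_day"] <= 31
            and fields["issue_hour"] <= 23):
        raise ValueError("issue date fields out of range")
    return fields


def make_sample() -> bytes:
    """Constructed sample: zeroed signature, issued 2024-03-15 10:00, 20 years."""
    dates = (24 << 19) | (3 << 15) | (15 << 10) | (10 << 5) | 20
    tail = bytes.fromhex("C4A1") + bytes([0x10, 0xA0, 0x00])
    return bytes(64) + dates.to_bytes(3, "big") + tail


if __name__ == "__main__":
    print(decode_compressed_cert(make_sample()))
```

The decoded fields only select and fill the host-side template; the reconstructed certificate must still have its signature verified against the signer public key before it is trusted.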