4.5.3 Certificate Storage

The amount of storage required for a full X.509 Certificate within the device can rapidly use up multiple EEPROM memory slots. Depending on the actual application, it may or may not be desirable to use these slots for certificate storage. Due to these memory limitations, Microchip has defined an encoding that allows for a full X.509 Certificate to be reconstructed from a minimal amount of information.

The host system would actually be responsible for reconstructing the full X.509 Certificate but how to do this will be determined by the data stored in the encoded certificate. Data that are common to all devices for a given system can readily be stored in the host system. Other data can readily be calculated or extracted from data that are already stored in the device. Table 4-12 indicates the type of data that are stored in an X.509 Certificate and how it can be encoded to fit into a single 72-byte slot.

Table 4-12. Certificate Storage
X.509 Certificate Encoded Certificate
X.509 Element Size (Bytes) Encoded Certificate Element Device Cert (Bits) Signer Cert (Bits)
Serial Number 8-20 Serial number source 4 4
Issue Date 13 Compressed format 19 19
Expiry Date 13 # of years before expiration 5 5
Signer ID2 4 ID of the specific signer used to sign the certificate (device cert) or of the signer itself (signer cert) 16 16
AuthorityKeyIdentifier 20 SHA1 HASH of the authority public key 0 0
SubjectKeyIdentifier 20 SHA1 HASH of the subject public key 0 0
Signature R 32 Stored in device 256 256
Signature S 32 Stored in device 256 256
Public Key X1 32 Calculated from the private key or stored in the device1 0 256
Public Key Y1 32 Calculated from the private key or stored in the device1 0 256
n/a 0 Cert format 4 4
n/a 0 Template ID 4 4
n/a 0 Chain ID 4 4
n/a 0 Reserved/User Defined 8 8
Total (206-218 bytes)

576 bits
(72 bytes)

1088 bits
(136 bytes)

Note:
  1. For the device certificate, the device public key can be regenerated from the private key. For the signer certificate, the public key is typically stored in a separate slot.
  2. For the device certificate, the ID of the signer used to sign the certificate is stored. For the signer certificate, the actual ID of the signer is stored so that the device can identify it.

Slot 8 contains a total of 416 bytes. Depending on the size of the serial number stored in the cert, it may or may not be possible to store two complete certificates. Often within devices where a chain of trust has been created, the device certificate, the signer certificate and the signer public key must be stored within the device.

For more information, see the Compressed Certificate Definition Application Note.