The ATECC608A-TNGTLS storage is centered around securely holding keys. Since X.509 certificates tend to be larger than what will fit into a single ATECC608A-TNGTLS device slot, a compressed format is used. This technique may be better called a partial certificate as it stores dynamic certificate information on the device and imposes some limitations. Dynamic information is certificate content that can be expected to change from device to device (e.g., public key, validity dates, etc.). Firmware is expected to have a certificate definition (atcacert_def_t from CryptoAuthLib) with a template of the full X.509 certificate containing static information (data that are the same for all certificates) and instructions on how to rebuild the full certificate from the dynamic information in the compressed certificate.
The following application note documents the compressed certificate format: ATECC Compressed Certificate Definition.
The CryptoAuthLib library also contains the atcacert module for working with compressed certificates.
The device certificate consists of information associated with the actual end unit. For the ATECC608A-TNGTLS, the device certificate is stored in Slot #10. The IEEE MAC address is part of the device certificate as a Subject Alternative Name (SAN) serial number object. The MAC address data is stored in Slot #5 of the device as ASCII-hex and can be read in the clear directly from that slot, or can be read from the certificate by rebuilding the device certificate using CryptoAuthLib's atcacert module and the Trust&GO certificate definition, which is also part of CryptoAuthLib.
The signer certificate consists of the information associated with the signer certificate authority used to sign the device certificate. For the ATECC608A-TNGTLS, the signer certificate is stored in Slot #12. The signer public key is also required to rebuild the full signer certificate.
The signer public key is the public key needed to verify the signer and the information that is associated with the signer compressed certificate. For the ATECC608A-TNGTLS, it is stored in Slot #11.
The following table shows all the slots associated with certificates in the ATECC608A-TNGTLS:
| Slot | Description |
|---|---|
| 0 | Primary private key. The public key can be generated
at any time using the GenKey command in Mode =
0x00. |
| 5 | MAC EUI-48 Address. Included as part of the device certificate. |
| 10 | Device certificate. This is stored here in a compressed format. See Section Certificate Storage. |
| 11 | Signer public key. See Section Public Key Formats. |
| 12 | Signer certificate. This is stored in a compressed format. See Section Certificate Storage. |
These certificates are also permanent and the slots they are stored in cannot be changed.