X.509 Certificates are not a required part of the LoRaWAN security specification. If so desired, a given application may add additional security through use of X.509 Certificates. The ATECC608A-TNGLoRaWAN device has a dedicated Slot 8 for X.509 Certificates. Certificates are saved in a compressed format. This technique may be better called a partial certificate as it stores dynamic certificate information on the device and imposes some limitations. Dynamic information is certificate content that can be expected to change from device to device (e.g., public key, validity dates, etc.). Firmware is expected to have a certificate definition (atcacert_def_t from CryptoAuthLib) with a template of the full X.509 Certificate containing static information (data that are the same for all certificates) and instructions on how to rebuild the full certificate from the dynamic information in the compressed certificate.
The following application note documents the compressed certificate format: ATECC Compressed Certificate Definition.
The CryptoAuthLib library also contains the atcacert module for working with compressed certificates.
The signer public key is the public key needed to verify the signer and the information that is associated with the signer compressed certificate. For the ATECC608A-TNGLoRaWAN, this is stored in Slot 8 in the first 72 bytes.
The Device certificate consists of information associated with the actual end unit for the ATECC608A-TNGLoRaWAN.
The Signer certificate consists of the information associated with the signer used to sign the Device certificate. For the ATECC608A-TNGLoRaWAN.
The following table shows the storage locations for the various elements of the ATECC608A-TNGLoRaWAN X.509 Certificate.
| Item | Slot # | Bytes |
|---|---|---|
| Signer Public Key | 8 | [0:71] |
| Device Certificate | 8 | [72:143] |
| Signer Certificate | 8 | [144:215] |
| Additional Data Storage | 8 | [216-415] |