Certificate Storage

The amount of storage required for a full X.509 Certificate within the device can rapidly use up multiple EEPROM memory slots. Depending on the actual application, it may or may not be desirable to use these slots for certificate storage. Due to these memory limitations, Microchip has defined an encoding that allows for a full X.509 Certificate to be reconstructed from a minimal amount of information.

The host system is responsible for reconstructing the full X.509 Certificate; how it does so is determined by the data stored in the encoded certificate. Data that are common to all devices for a given system can readily be stored in the host system. Other data can readily be calculated or extracted from data that are already stored in the device. Table 1 indicates the type of data that are stored in an X.509 Certificate and how they can be encoded to fit into a single 72-byte slot.

Table 1. Certificate Storage

| X.509 Element | X.509 Size (Bytes) | Encoded Certificate Element | Device Cert (Bits) | Signer Cert (Bits) |
|---|---|---|---|---|
| Serial Number | 8-20 | Serial number source | 4 | 4 |
| Issue Date | 13 | Compressed format | 19 | 19 |
| Expiry Date | 13 | # of years before expiration | 5 | 5 |
| Signer ID (2) | 4 | ID of the specific signer used to sign the certificate (device cert) or of the signer itself (signer cert) | 16 | 16 |
| AuthorityKeyIdentifier | 20 | SHA1 HASH of the authority public key | 0 | 0 |
| SubjectKeyIdentifier | 20 | SHA1 HASH of the subject public key | 0 | 0 |
| Signature R | 32 | Stored in device | 256 | 256 |
| Signature S | 32 | Stored in device | 256 | 256 |
| Public Key X (1) | 32 | Calculated from the private key or stored in the device (1) | 0 | 256 |
| Public Key Y (1) | 32 | Calculated from the private key or stored in the device (1) | 0 | 256 |
| n/a | 0 | Cert format | 4 | 4 |
| n/a | 0 | Template ID | 4 | 4 |
| n/a | 0 | Chain ID | 4 | 4 |
| n/a | 0 | Reserved/User Defined | 8 | 8 |
| Total | 206-218 bytes | | 576 bits (72 bytes) | 1088 bits (136 bytes) |

Notes:
  1. For the device certificate, the device public key can be regenerated from the private key. For the signer certificate, the public key is typically stored in a separate slot.
  2. For the device certificate, the ID of the signer used to sign the certificate is stored. For the signer certificate, the actual ID of the signer is stored so that the device can identify it.
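
An added example, not Microchip's code and not part of the original page: packing and unpacking the 72-byte device-certificate encoding from Table 1 in C, with the host rejecting out-of-range fields before it reconstructs anything. The field order within the slot, the split of the 19-bit issue date into year, month, day and hour, and all names (`comp_cert`, `comp_cert_pack`, `comp_cert_unpack`) are assumptions; Table 1 gives only the bit widths.

```c
#include <stdint.h>
#include <string.h>
#define COMP_CERT_SIZE 72            /* 576 bits, device cert column of Table 1 */

/* Assumed for this example: field order, and the 19-bit issue date split as
   year-2000 (5 bits), month (4), day (5), hour (5). Table 1 gives widths only. */
typedef struct {
    uint8_t  sig_r[32], sig_s[32];   /* signature R and S, 256 bits each */
    uint16_t year;                   /* 2000..2031 */
    uint8_t  month, day, hour;       /* with year: 19-bit issue date */
    uint8_t  expire_years;           /* 5 bits */
    uint16_t signer_id;              /* 16 bits */
    uint8_t  sn_source, format, template_id, chain_id;   /* 4 bits each */
    uint8_t  reserved;               /* 8 bits */
} comp_cert;

/* Range check shared by pack and unpack; returns 0 if every field fits. */
static int comp_cert_check(const comp_cert *c)
{
    return (c->year < 2000 || c->year > 2031 || c->month < 1 || c->month > 12 ||
            c->day < 1 || c->day > 31 || c->hour > 23 || c->expire_years > 31 ||
            (c->sn_source | c->format | c->template_id | c->chain_id) > 15) ? -1 : 0;
}

int comp_cert_pack(const comp_cert *c, uint8_t out[COMP_CERT_SIZE])
{
    if (comp_cert_check(c) != 0) return -1;
    uint32_t d = ((uint32_t)(c->year - 2000) << 19) | ((uint32_t)c->month << 15) |
                 ((uint32_t)c->day << 10) | ((uint32_t)c->hour << 5) | c->expire_years;
    memcpy(out, c->sig_r, 32); memcpy(out + 32, c->sig_s, 32);
    out[64] = (uint8_t)(d >> 16); out[65] = (uint8_t)(d >> 8); out[66] = (uint8_t)d;
    out[67] = (uint8_t)(c->signer_id >> 8); out[68] = (uint8_t)c->signer_id;
    out[69] = (uint8_t)((c->template_id << 4) | c->chain_id);
    out[70] = (uint8_t)((c->sn_source << 4) | c->format); out[71] = c->reserved;
    return 0;
}

/* Host side: decode a slot read, rejecting dates that cannot be valid. */
int comp_cert_unpack(const uint8_t in[COMP_CERT_SIZE], comp_cert *c)
{
    uint32_t d = ((uint32_t)in[64] << 16) | ((uint32_t)in[65] << 8) | in[66];
    memcpy(c->sig_r, in, 32); memcpy(c->sig_s, in + 32, 32);
    c->year = (uint16_t)(2000 + (d >> 19));
    c->month = (uint8_t)((d >> 15) & 0x0F); c->day = (uint8_t)((d >> 10) & 0x1F);
    c->hour = (uint8_t)((d >> 5) & 0x1F);   c->expire_years = (uint8_t)(d & 0x1F);
    c->signer_id = (uint16_t)((in[67] << 8) | in[68]);
    c->template_id = (uint8_t)(in[69] >> 4); c->chain_id = (uint8_t)(in[69] & 0x0F);
    c->sn_source = (uint8_t)(in[70] >> 4);   c->format = (uint8_t)(in[70] & 0x0F);
    c->reserved = in[71];
    return comp_cert_check(c);
}
```

The eight bytes after the signature carry the 64 bits of non-signature fields from the device column (4 + 19 + 5 + 16 + 4 + 4 + 4 + 8), which with the 512 signature bits gives the 576-bit total.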

Slot 8 contains a total of 416 bytes. Depending on the size of the serial number stored in the cert, it may or may not be possible to store two complete certificates. Often within devices where a chain of trust has been created, the device certificate, the signer certificate and the signer public key must be stored within the device.

For more information, see the Compressed Certificate Definition Application Note.