/
Public Key Infrastracture (PKI)

Public Key Infrastracture (PKI)

General

The goal of the PKI project is to implement public key and certificate management via the EST protocol. For this purpose, a new manager was implemented, PKI Manager, which acts as an EST client and is responsible for managing of on-device certificates (certificate deployment, storage and automatic certificate renewal).

Northbound API

The PKI_Config table was added to the OVSDB schema:

Field name

Field type

Example value

Comment

Field name

Field type

Example value

Comment

label

string

default

for which context we are configuring EST Client (use default or empty string for the default device certificate)

server_url

string

https://test.est.plume.com

URL to be used

auth_method

string

cert

authentication type

auth_config

map[string, value]

map[["path", "/var/est"]]

authentication conflagration

renew

boolean

true

when set from false to true device will run re-enroll process

status

enum [

"enrolling",
"overdue",
"expired",
"success",
"error_timeout",
"error_enroll",
"error_cert",
"error_device",

]

enrolling

status of current action

os_persist

boolean

true

if true device will persist this row between reboots.

Southbound API

A new low-level API was added to OpenSync, osp_pki. The API is mainly used for certificate generation (private keys and certificate signing requests – CSR) and certificate storage. The API is broadly designed to support several backends; however, at this moment, only obfuscated encrypted storage is supported.

Kconfig options

  • CONFIG_OSP_PKI_PS - select persistent storage PKI backend (default, and currently the only available backend); automatically selected if CONFIG_MANAGER_PKIM is selected. The options below are available only if CONFIG_OSP_PKI_PS is selected:

    • CONFIG_OSP_PKI_PS_ALGO_P384 use NIST P-384 eliptic curve encryption (default)

    • CONFIG_OSP_PKI_PS_ALGO_P384 use NIST P-256 eliptic curve encryption

    • CONFIG_OSP_PKI_PS_ALGO_ED25519 use ED25519 eliptic curve encryption

    • CONIFG_OSP_PKI_PS_ALGO_RSA4096 use RSA 4096 encryption

    • CONFIG_OSP_PKI_PS_ALGO_RSA3072 use RSA 3072 encryption

  • CONFIG_PKIM_MANAGER - enable PKIM (default), unselect this option to disable PKIM alltogether

Requirements

  • SDK

    • Working persistent storage with encryption support

  • Additional SW libraries or packages plus it’s version

    • libcurl 7.66.0 or greater

    • openssl 1.1.1g or greater