Generating a Certificate Signing Request (CSR) Using Zymkey

Zymkey can be used as part of the client-side TLS transaction against a server that is configured for mutual authentication.

A CSR can be generated using Zymkey. This CSR can be used to generate a certificate from a preferred Certificate Authority or CA (for example: GoDaddy, Comodo or Verisign) or against your own self-signed root CA.

To generate a CSR with one of Zymkey’s key slots, simply type the following OpenSSL commands on your Raspberry Pi:

touch bogus.key
openssl req -key bogus.key -new -out myClientCert.csr -engine zymkey_ssl -keyform e

The first touch command is needed because, even though we’re using a key slot located in the Zymkey, openssl wants a placeholder file for the key.

After answering the questions (Country Name, State or Province, etc.) you should have your certificate signing request (myClientCert.csr) that you can present to your preferred CA for certificate generation.

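Before sending the CSR to the CA, and again when the certificate comes back, it is worth checking that both carry the public key of the key you intend to present during the TLS handshake. The script below is an added example, not part of the original post or Zymbit's code; it uses only stock openssl subcommands, and the software P-256 keys and file names it creates are constructed stand-ins for key slots.

```shell
#!/bin/sh
# Added example. The software keys generated here are constructed stand-ins
# for two key slots; no Zymkey engine options are used or assumed.

# SHA-256 fingerprint of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# True if the CSR's self-signature verifies (proof the requester holds the key).
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True only if CSR $1 and certificate $2 both parse and carry the same public key.
same_key() {
    a=$(pubkey_fp req "$1") && b=$(pubkey_fp x509 "$2") && [ "$a" = "$b" ]
}

# Build constructed sample data in directory $1: two client keys, a CSR from
# each, a throwaway CA, and a client certificate issued from the slot_a CSR.
make_demo() {
    d=$1
    for k in slot_a slot_b ca; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$k.key"
    done
    openssl req -new -key "$d/slot_a.key" -subj "/CN=demo-client" -out "$d/slot_a.csr"
    openssl req -new -key "$d/slot_b.key" -subj "/CN=demo-client" -out "$d/slot_b.csr"
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=demo-ca" -days 1 -out "$d/ca.crt"
    openssl x509 -req -in "$d/slot_a.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

DEMO=$(mktemp -d)
make_demo "$DEMO"
csr_signature_ok "$DEMO/slot_a.csr" && echo "slot_a CSR self-signature: OK"
same_key "$DEMO/slot_a.csr" "$DEMO/client.crt" && echo "slot_a CSR matches client.crt"
same_key "$DEMO/slot_b.csr" "$DEMO/client.crt" || echo "slot_b CSR does NOT match client.crt"
```

Running `pubkey_fp req` on CSRs generated for different key slots also shows whether the slot selection took effect: two CSRs with the same fingerprint were produced from the same key.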

Hi,
I have successfully used Zymkey as the client side of mutual TLS authentication when the CSR is created with the zk slot 0. However, if I try the same using e.g. zk slot 1, it fails. The CSR file is created, and a certificate is created by signing with my CA cert, but the TLS authentication fails.

I have set the env var ZK_SSL_SLOT=1 for the CSR command as described here: Creating CSR - #2 by Bob_of_Zymbit

How can I use zk slot 1 or 2 for the CSR?

Can you show us what you’ve already tried? What code you are using to create the CSR, and what code you are using to try to access the slot? That will be helpful in us determining what may be going wrong.

Best Regards,
dg

I have used the script zymkey-init.sh to initialize a slot and generate the CSR. Once I have the CSR I sign it with my CA, upload the certificate to the server (nRF Cloud), and use the awsiot library to connect to the server, e.g. as shown in zymkey_test.py. It works for zk-slot 0.

csr-test.zip (3.2 KB)

Have you been able to look at this?
Is the ZK_SSL_SLOT env var used to tell the zymkey_ssl engine which key to use?