keysize restrictions for keystore | Telit Cinterion IoT Developer Community
February 21, 2018 - 10:19pm, 2839 views
I generated a keystore to add to an EHS6 module. To test, I used the example from the "Java User's Guide". Using the commands provided, I am able to insert the customer ME keystore into the module without any problem. I made another test with a keysize of 4096. I restarted from scratch and recreated a new set of SE and ME keystores and a new SetCustomerKeystore.bin file. I removed the previous ME keystore from the module and tried to install the new ME keystore. With the 4096 keysize, I get an error when trying to add the ME keystore to the module. I get:
AT^SJMSEC="file","SetCustomerKeystore.bin"
^SJMSEC: 2,"wrong command parameter format"
ERROR
Does the module handle a 4096 keysize?
Hello,
According to the Java User's Guide, a key size of 2048 should be used.
Regards,
Bartłomiej
Hello,
It was not obvious to me that the keysize of 2048 used was an actual limit and not just what was used for the example. Maybe it should be made more obvious that 2048 is a limit...
Is that true for all certificates used in the modules? Does that apply to HTTPS client certificates? Because adding an HTTPS client certificate with a 4096 keysize doesn't return an error, and the module seems to accept it based on the AT^SJMSEC? command response. However, I have not been able to connect to the server yet, and I'm not sure if it's because of the keysize or because of something else in my setup.
Thank you.
JF
I just found out that it is clearly specified in the ELSx documentation, but that is not the case in the EHSx documentation...
JF
Hello,
You are right that for ELS61 there's an additional note that makes it clearer.
I can't see the maximum key size for the server certificate in the documentation. According to an R&D statement I have found, it is not restricted.
However, currently 2048 is a widely used standard.
Please also note that for certificate verification on the module you need to load the root certificate (of the certification authority) from the certificate chain, and not the server certificate.
Best regards,
Bartłomiej
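The practical check that would have saved the round trip above is to read the RSA modulus size out of the key or certificate before building the SE/ME keystores and running AT^SJMSEC. The script below is an added example for this thread, not Telit/Cinterion code and not from the Java User's Guide. It parses a DER-encoded SubjectPublicKeyInfo with a minimal hand-written DER reader (no third-party library), returns the modulus bit length, and compares it against the 2048-bit keystore limit stated in the answers above (KEYSTORE_MAX_BITS, an assumed parameter name). The sample keys it builds are constructed in memory from random numbers with the right bit length so the parser can be exercised offline; they are not real RSA keys and must not be loaded onto a module.

```python
"""Check the RSA key size in a DER SubjectPublicKeyInfo before building a
Cinterion keystore. Added example for the forum thread; not Telit code."""
import random

# Limit for the SE/ME keystore keys quoted in the thread (assumed name).
KEYSTORE_MAX_BITS = 2048
# OID 1.2.840.113549.1.1.1 (rsaEncryption) in DER content-octet form.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _der_length(n: int) -> bytes:
    """Encode a DER length, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag / length / value triple."""
    return bytes([tag]) + _der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus bit length of an RSA key held in a DER SubjectPublicKeyInfo.

    Layout walked here: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
    BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }.
    """
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key (EC keys are not handled here)")
    tag, bitstr, _ = _read_tlv(outer, pos)
    if tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag, n_bytes, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("modulus must be an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def fits_keystore(spki: bytes, max_bits: int = KEYSTORE_MAX_BITS) -> bool:
    """True if the key can go into the module keystore under the stated limit."""
    return rsa_modulus_bits(spki) <= max_bits


def make_rsa_spki(bits: int, seed: int = 1) -> bytes:
    """Build a syntactically valid SubjectPublicKeyInfo with a dummy modulus.

    Constructed test input only: the modulus is a random odd number with its top
    bit set, not a product of two primes, so it is useless as a real key.
    """
    rnd = random.Random(seed)
    n = rnd.getrandbits(bits) | (1 << (bits - 1)) | 1
    rsa_pub = der_tlv(0x30, der_integer(n) + der_integer(65537))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        spki = make_rsa_spki(bits)
        verdict = "ok for keystore" if fits_keystore(spki) else "too large for keystore"
        print(f"{bits}-bit request -> parsed {rsa_modulus_bits(spki)} bits: {verdict}")
```

To run this against a real certificate or key instead of the constructed samples, export the public key as DER SubjectPublicKeyInfo with standard OpenSSL commands (`openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER -out pub.der`) and pass the file contents to `rsa_modulus_bits`. Note the two different limits in the thread: this check enforces the 2048-bit keystore limit; the answer above says the server certificate size is not restricted, so for the HTTPS path it only tells you what you are loading, and the root CA certificate is what must be installed for verification.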
Thank you. That makes everything clearer.
JF