Creating a code-signing certificate for the Texas Instruments CC3220SF-LAUNCHXL

Important

This reference integration is hosted on the Amazon-FreeRTOS repository which is deprecated. We recommend that you start here when you create a new project. If you already have an existing FreeRTOS project based on the now deprecated Amazon-FreeRTOS repository, see the Amazon-FreeRTOS Github Repository Migration Guide.

The SimpleLink Wi-Fi CC3220SF Wireless Microcontroller Launchpad Development Kit supports two certificate chains for firmware code signing:

• Production (certificate-catalog)

  To use the production certificate chain, you must purchase a commercial code-signing certificate and use the TI Uniflash tool to set the board to production mode.

• Testing and development (certificate-playground)

  The playground certificate chain allows you to try out OTA updates with a self‐signed code-signing certificate.

Use the AWS Command Line Interface to import your code-signing certificate, private key, and certificate chain into AWS Certificate Manager. For more information see Installing the AWS CLI in the AWS Command Line Interface User Guide.

Download and install the latest version of SimpleLink CC3220 SDK. By default, the files you need are located here:

C:\ti\simplelink_cc32xx_sdk_version\tools\cc32xx_tools\certificate-playground (Windows)

/Applications/Ti/simplelink_cc32xx_version/tools/cc32xx_tools/certificate-playground (macOS)

The certificates in the SimpleLink CC3220 SDK are in DER format. To create a self‐signed code-signing certificate, you must convert them to PEM format.

Follow these steps to create a code-signing certificate that is linked to the Texas Instruments playground certificate hierarchy and meets AWS Certificate Manager and Code Signing for AWS IoT criteria.

Note

To create a code signing certificate, install OpenSSL on your machine. After you install OpenSSL, make sure that openssl is assigned to the OpenSSL executable in your command prompt or terminal environment.

To create a self‐signed code signing certificate

1. Open a command prompt or terminal with administrator permissions.

2. In your working directory, use the following text to create a file named cert_config.txt. Replace test_signer@amazon.com with your email address.

   [ req ]
   prompt             = no
   distinguished_name = my dn
   
   [ my dn ]
   commonName = test_signer@amazon.com
   
   [ my_exts ]
   keyUsage         = digitalSignature
   extendedKeyUsage = codeSigning

3. Create a private key and certificate signing request (CSR):

   openssl req -config cert_config.txt -extensions my_exts -nodes -days 365 -newkey rsa:2048 -keyout tisigner.key -out tisigner.csr

4. Convert the Texas Instruments playground root CA private key from DER format to PEM format.

   The TI playground root CA private key is located here:

   C:\ti\simplelink_cc32xx_sdk_version\tools\cc32xx_tools\certificate-playground\dummy-root-ca-cert-key (Windows)

   /Applications/Ti/simplelink_cc32xx_sdk_version/tools/cc32xx_tools/certificate-playground/dummy-root-ca-cert-key (macOS)

   openssl rsa -inform DER -in dummy-root-ca-cert-key -out dummy-root-ca-cert-key.pem

5. Convert the Texas Instruments playground root CA certificate from DER format to PEM format.

   The TI playground root certificate is located here:

   C:\ti\simplelink_cc32xx_sdk_version\tools\cc32xx_tools\certificate-playground/dummy-root-ca-cert (Windows)

   /Applications/Ti/simplelink_cc32xx_sdk_version/tools/cc32xx_tools/certificate-playground/dummy-root-ca-cert (macOS)

   openssl x509 -inform DER -in dummy-root-ca-cert -out dummy-root-ca-cert.pem

6. Sign the CSR with the Texas Instruments root CA:

   openssl x509 -extfile cert_config.txt -extensions my_exts  -req -days 365 -in tisigner.csr -CA dummy-root-ca-cert.pem -CAkey dummy-root-ca-cert-key.pem -set_serial 01 -out tisigner.crt.pem -sha1

7. Convert your code-signing certificate (tisigner.crt.pem) to DER format:

   openssl x509 -in tisigner.crt.pem -out tisigner.crt.der -outform DER

   Note

   You write the tisigner.crt.der certificate onto the TI development board later.

8. Import the code-signing certificate, private key, and certificate chain into AWS Certificate Manager:

   aws acm import-certificate --certificate fileb://tisigner.crt.pem --private-key fileb://tisigner.key --certificate-chain fileb://dummy-root-ca-cert.pem

   This command displays an ARN for your certificate. You need this ARN when you create an OTA update job.

   Note

   This step is written with the assumption that you are going to use Code Signing for AWS IoT to sign your firmware images. Although the use of Code Signing for AWS IoT is recommended, you can sign your firmware images manually.