Amazon FreeRTOS
User Guide

Using the OTA Update Demo Application on the TI CC3220SF-LAUNCHXL

This section will walk you through using the OTA Update demo application on the Texas Instruments CC3220SF-LAUNCHXL. You will create a code-signing certificate, install an initial version of the demo application (firmware), update the version of the firmware, upload the new version of the firmware and then create an OTA update job that will perform the over the air update on your Texas Instruments CC3220SF-LAUNCHXL.

Create a Code-Signing Certificate and Private Key

To digitally sign firmware images, you need a code-signing certificate and private key. For testing purposes, you can create a self‐signed certificate and private key. For production environments, purchase a certificate through a well‐known certificate authority (CA).

Creating Code-Signing Certificates for Texas Instruments CC3220SF-LAUNCHXL

The SimpleLink Wi-Fi CC3220SF Wireless Microcontroller Launchpad Development Kit supports two certificate chains for firmware code signing:

  • Production (certificate-catalog)

    To use the production certificate chain, you must purchase a commercial code-signing certificate and use the TI Uniflash tool to set the board to production mode.

  • Testing and development (certificate-playground)

    The playground certificate chain allows you to try out OTA updates with a self‐signed code-signing certificate.

Install the SimpleLink CC3220 SDK version By default, the files you need are located here:

C:\ti\simplelink_cc32xx_sdk_1_40_01_00\tools\cc32xx_tools\certificate-playground (Windows)

/Applications/Ti/simplelink_cc32xx_sdk_1_40_01_00/tools/cc32xx_tools/certificate-playground (macOS)

The certificates in the SimpleLink CC3220 SDK are in DER format. You need to convert them to PEM format to create a self‐signed code-signing certificate.

Follow these steps to create a code-signing certificate that is linked to the Texas Instruments playground certificate hierarchy and meets AWS Certificate Manager and Code Signing for Amazon FreeRTOS criteria.

To create a self‐signed code signing certificate

  1. In your working directory, use the following text to create a file named cert_config. Replace with your email address.

    [ req ] prompt = no distinguished_name = my dn [ my dn ] commonName = [ my_exts ] keyUsage = digitalSignature extendedKeyUsage = codeSigning
  2. Create a private key and certificate signing request (CSR):

    openssl req -config cert_config -extensions my_exts -nodes -days 365 -newkey rsa:2048 -keyout tisigner.key -out tisigner.csr
  3. Convert the Texas Instruments playground root CA private key from DER format to PEM format.

    The TI playground root CA private key is located here:

    C:\ti\simplelink_cc32xx_sdk_1_40_01_00\tools\cc32xx_tools\certificate-playground\dummy-root-ca-cert-key (Windows)

    /Applications/Ti/simplelink_cc32xx_sdk_1_40_01_00/tools/cc32xx_tools/certificate-playground/dummy-root-ca-cert-key (macOS)

    openssl rsa -inform DER -in dummy-root-ca-cert-key -out dummy-root-ca-cert-key.pem
  4. Convert the Texas Instruments playground root CA certificate from DER format to PEM format.

    The TI playground root certificate is located here:

    C:\ti\simplelink_cc32xx_sdk_1_40_01_00\tools\cc32xx_tools\certificate-playground/dummy-root-ca-cert (Windows)

    /Applications/Ti/simplelink_cc32xx_sdk_1_40_01_00/tools/cc32xx_tools/certificate-playground/dummy-root-ca-cert (macOS)

    openssl x509 -inform DER -in dummy-root-ca-cert -out dummy-root-ca-cert.pem
  5. Sign the CSR with the Texas Instruments root CA:

    openssl x509 -extfile cert_config -extensions my_exts -req -days 365 -in tisigner.csr -CA dummy-root-ca-cert.pem -CAkey dummy-root-ca-cert-key.pem -set_serial 01 -out tisigner.crt.pem -sha1
  6. Convert your code-signing certificate (tisigner.crt.pem) to DER format:

    openssl x509 -in tisigner.crt.pem -out tisigner.crt.der -outform DER


    You write the tisigner.crt.der certificate onto the TI development board later.

  7. Import the code-signing certificate, private key, and certificate chain into AWS Certificate Manager:

    aws acm import-certificate --certificate file://tisigner.crt.pem --private-key file://tisigner.key --certificate-chain file://dummy-root-ca-cert.pem

    This command displays an ARN for your certificate. You need this ARN when you create an OTA update job.


    This step assumes you are going to use the Code Signing for Amazon FreeRTOS service to sign your firmware images. Although the use of the service is recommended, you can sign your firmware images manually.