Specifying Tls Keys And Certificates - Digi XBee 3 Cellular LTE-M User Manual

Transport Layer Security (TLS)

Specifying TLS keys and certificates

Note
For NB-IoT, TCP support is dependent on the network. Contact your network provider for
details.
These AT commands, when used together, let you interact with TLS features: ATFS (File System), IP (IP Protocol), TL (TLS Protocol Version), $0 (TLS Profile 0), $1 (TLS Profile 1), and $2 (TLS Profile 2). The format of the $ commands is:

AT$<num>[<ca_cert>];[<client_cert>];[<client_key>]

Where:

- num: Profile index. Index zero is used for Transparent mode connections and TLS connections using Transmit (TX) Request: IPv4 - 0x20.
- ca_cert: (optional) Filename of a file in the certs/ directory. Indicates the certificate identifying a trusted root certificate authority (CA) to use in validating servers. If ca_cert is empty, the server certificate will not be authenticated. This must be a single root CA certificate. The modules do not allow a non-self-signed certificate to work, so intermediate CAs are not enough.

  Note
  This module will only work with the originating end-of-chain root CA, so you will need to use that one. For example, with Amazon Web Services ATS endpoints Digi recommends that you use the Starfield Services Root Certificate from https://ssl-ccp.secureserver.net/repository/sf-class2-root.crt. The intermediate "root CAs" from Amazon will not work. You will need the actual end-of-chain certificate.

- client_cert: (optional) Filename of a file in the certs/ directory. Indicates the certificate presented to servers when requested for client authentication. If client_cert is empty, no certificate is presented to the server should it request one. This may result in mutual authentication failure.
- client_key: (optional) Filename of a file in the certs/ directory. Indicates the private key matching the public key contained in client_cert. This should be a secure file uploaded with ATFS XPUT filename. This should always be provided if client_cert is provided and must match the certificate, or client authentication will fail.

The default value is ";;". This default value preserves the legacy behavior by allowing the creation of encrypted connections that are confidential but not authenticated.

To specify a key stored outside of certs/, you can either use a relative path, for example ../server.pem, or an absolute path starting with /flash, for example /flash/server.pem. Both examples refer to the same file.

It is not an error at configuration time to name a file that does not yet exist. An error is generated if an attempt to create a TLS connection is made with improper settings.

- Files specified should all be in PEM format, not DER.
- Upload private keys securely with ATFS XPUT filename.
- Certificates can be uploaded with ATFS PUT filename as they are not sensitive. It is not possible to use ATFS GET filename to GET them if they have been securely uploaded.

To authenticate a server not participating in a public key infrastructure (PKI) using CAs, the server must present a self-signed certificate. That certificate can be used in the ca_cert field to authenticate that single server.

There are effectively three levels of authentication provided depending on the parameters provided

Digi XBee® 3 Cellular LTE-M/NB-IoT Global Smart Modem User Guide 178
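As an added example that is not part of this manual or Digi's firmware, the following Python models the AT$ profile syntax, the certs/ and /flash path rules, and the authentication outcomes implied by the ca_cert, client_cert and client_key descriptions above. The /flash/certs location, the level labels and the rejection of paths outside /flash are assumptions derived from the text.

```python
"""AT$<num> TLS profile syntax from this page (added example, not Digi's code).
CERTS_DIR, the level labels and the /flash-only path check are assumptions."""
import posixpath
from dataclasses import dataclass

CERTS_DIR = "/flash/certs"  # assumed: the page's certs/ directory lives under /flash


@dataclass
class TlsProfile:
    num: int
    ca_cert: str
    client_cert: str
    client_key: str


def parse_profile_command(cmd: str) -> TlsProfile:
    """Parse 'AT$<num>[<ca_cert>];[<client_cert>];[<client_key>]' (num is 0, 1 or 2)."""
    if not cmd.upper().startswith("AT$") or len(cmd) < 4 or cmd[3] not in "012":
        raise ValueError("expected AT$0, AT$1 or AT$2")
    fields = cmd[4:].split(";")
    if len(fields) != 3:
        raise ValueError("expected exactly two ';' separators")
    return TlsProfile(int(cmd[3]), *fields)


def resolve_path(name: str) -> str:
    """Bare and relative names are taken from certs/; absolute paths start at /flash."""
    path = posixpath.normpath(name if name.startswith("/") else posixpath.join(CERTS_DIR, name))
    if path != "/flash" and not path.startswith("/flash/"):
        raise ValueError(f"{name!r} resolves outside /flash")  # assumed restriction
    return path


def authentication_level(p: TlsProfile) -> tuple[str, list[str]]:
    """Classify a profile by which fields are set, per the field descriptions above,
    and collect the misconfiguration those descriptions warn about."""
    warnings = []
    if p.client_cert and not p.client_key:
        warnings.append("client_cert set without client_key: client authentication will fail")
    if not p.ca_cert:
        level = "encrypted, server NOT authenticated (legacy default)"
    elif p.client_cert and p.client_key:
        level = "server authenticated, client certificate presented (mutual)"
    else:
        level = "server authenticated only"
    return level, warnings


def looks_like_pem(data: bytes) -> bool:
    """PEM files are text starting with '-----BEGIN'; DER starts with an ASN.1 SEQUENCE byte (0x30)."""
    return data.lstrip().startswith(b"-----BEGIN")
```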