Mbed forum

How to load multiple Root CA certificates?

(Alan Chen) #1

Hi, I am new to the mbedTLS library. So far I have managed to get my embedded device (a 32-bit MCU board) to perform a HTTPS file download with a specific Root CA using the mbedtls_x509_crt_parse() API call. However, I am not sure how to add multiple root CA certs. I read somewhere in this forum that multiple root CA pem files can be merged into one C style string. I tried and it seemed to work. Is this the right way or should I call mbedtls_x509_crt_parse() multiple times with different certs? Thanks.

0 Likes

(Ron Eldor) #2

Hi @acpie360
Yes, this is the right way.
You should concatenate all your desired CA certificates in PEM format into one file.
An example for such a certificate can be found in test-ca_cat21.crt
Regards,
Mbed TLS Team member
Ron

0 Likes

(Alan Chen) #3

Thanks!

0 Likes

(Alan Chen) #4

Ron, the example you gave for a concatenated cert helps a lot. However, I am still interested in knowing if I can add root CA certs on an as-needed basis, instead of loading all of them as a whole. The reason for doing so is that I am working off a small 32-bit MCU and I am concerned with the memory consumption and response speed.

Perhaps a general question to the community - How do you store certificate PEM files in C code without having a file system? To make a cert that looks like a C string, I have to add ā€˜\nā€™ on every line, for example,

 const unsigned char baltimore_trust[] =
"-----BEGIN CERTIFICATE-----\n\
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\n\
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n\
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\n\
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n\
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\n\
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n\
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\n\
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n\
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\n\
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n\
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\n\
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n\
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\n\
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n\
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\n\
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n\
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\n\
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n\
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n\
-----END CERTIFICATE-----";

Is there a better way of doing this?

0 Likes

(Ron Eldor) #5

@acpie360
I answered whether concatenating the files is the right way:)

I believe that this PR should address your issue.

0 Likes