MicrochipTech / aws-iot-zero-touch-secure-provisioning-kit

Project files for the AWS IoT Zero Touch Secure Provisioning Kit

Generating certificate definition template during factory provision at a mass production level #10

Open umanayana opened 6 years ago

umanayana commented 6 years ago

I am reviewing the cert_def_1_signer.c source and I see the variable "g_cert_template_1_signer" which is a hex template generated by cert2certdef.py. It looks like these hex template files are generated from the .pem certificate.

  1. Are these templates (i.e. g_cert_template_XXX) always different for each new certificate?
  2. Are these templates really required to read the compressed certificate?
  3. If this is the case, this means that for every device built we need to upload a new template to the device which matches the compressed certificate on the ATECC coprocessor?

bryan-hunt commented 6 years ago

There is an application note with more detail: AN_8974

  1. It depends on what has changed. The idea is the template should contain all of the static (unchanging between devices) data. The changing elements will be stored in the device.
  2. Generally yes. There is limited storage available in the device so it's generally infeasible to store the complete certificate in a device.
  3. These are templates - the idea being that a device family should have the same template. We encourage customers to use our provisioning system which takes care of the programming portion using Microchip's factory HSMs for signing the device certificate and saving the dynamic portion into the device (cert serial number, signature, signer info, etc)

umanayana commented 6 years ago

> use our provisioning system

What do you mean by this? Are you referring to having the secure elements provisioned before delivery? If this is the case then can we assume the template file will be provided as well?

On a side note, we are investigating having the secure elements provisioned before delivery.

bryan-hunt commented 6 years ago

Yes, those will be generated from the finalized certificates. Definitely talk to your FAE as soon as you can to talk this through with you, they can bring in security and provisioning experts on this as needed. Remember the average silicon lead time in the industry right now is quite long so you'll need to have first article approval completed well in advance of production.
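
To illustrate the split described in the replies above (static bytes in one template shared by a device family, dynamic fields stored per device, template generated from the finalized certificate), here is an added sketch that is not code from this repository or from Microchip's libraries. The flat layout, offsets, field sizes and every function name are assumptions, and all byte values are constructed.

```python
import hashlib

# Hypothetical flat layout: name -> (offset, length) of each per-device field.
# A real template is DER-encoded X.509; fixed-size slots are a simplification.
ELEMENTS = {"cert_sn": (4, 16), "public_key": (40, 64), "signature": (120, 64)}
TEMPLATE_LEN = 184
SIG_OFFSET = ELEMENTS["signature"][0]  # bytes before this are what the signer signs

def make_template() -> bytes:
    """Constructed static bytes shared by a device family; dynamic slots zeroed."""
    body = bytearray(hashlib.shake_128(b"constructed static fields").digest(TEMPLATE_LEN))
    for off, length in ELEMENTS.values():
        body[off:off + length] = bytes(length)
    return bytes(body)

def device_fields(device_id: str) -> dict:
    """Constructed stand-in for the dynamic data stored on one secure element."""
    return {name: hashlib.shake_128(f"{device_id}/{name}".encode()).digest(length)
            for name, (_, length) in ELEMENTS.items()}

def rebuild(template: bytes, stored: dict) -> bytes:
    """Splice the device's stored fields into the shared template."""
    if len(template) != TEMPLATE_LEN or set(stored) != set(ELEMENTS):
        raise ValueError("template or stored fields do not match the definition")
    cert = bytearray(template)
    for name, (off, length) in ELEMENTS.items():
        if len(stored[name]) != length:
            raise ValueError(f"{name}: expected {length} bytes, got {len(stored[name])}")
        cert[off:off + length] = stored[name]
    return bytes(cert)

def dynamic_offsets() -> set:
    """Every byte position that is allowed to differ between devices."""
    return {i for off, length in ELEMENTS.values() for i in range(off, off + length)}

def differing_offsets(a: bytes, b: bytes) -> set:
    """Byte positions at which two equal-length certificates differ."""
    return {i for i, (x, y) in enumerate(zip(a, b)) if x != y}

def tbs_digest(cert: bytes) -> bytes:
    """Digest of the signed portion; the stored signature only verifies against this."""
    return hashlib.sha256(cert[:SIG_OFFSET]).digest()

if __name__ == "__main__":
    tpl = make_template()
    a, b = rebuild(tpl, device_fields("dev-A")), rebuild(tpl, device_fields("dev-B"))
    print("bytes differing between devices:", len(differing_offsets(a, b)))
    print("all inside dynamic slots:", differing_offsets(a, b) <= dynamic_offsets())
    stale = bytes([tpl[0] ^ 1]) + tpl[1:]  # firmware carrying a different template
    print("signed digest unchanged:", tbs_digest(rebuild(stale, device_fields("dev-A"))) == tbs_digest(a))
```

The last check shows why the template has to be the one derived from the finalized certificate: a single changed static byte alters the signed portion, so the signature stored on the device would no longer match the rebuilt certificate.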