Over The Air Update of Security Files
The Security Services on the target platform are accessible using the OTA interface.
The OTA interface allows for:
• Controlled access to the configuration files that are pushed to the Service
• Access to the Security logs to be extracted from the Service.
The log files are uploaded to the Cloud Servers if the platform is correctly registered using the VIN ID.
Downloads Using the Communications Virtual Machine
The security and TLS security files can be downloaded directly to the Communications partition, then pushed to the Security partition.
In this case, the download is available at:
/userdata/otavmclient/download
Supported Files
The supported files are as follows:
security.config
ca_cert.pem
ca_key.pem
cert_req.pem
cert_req_key.pem
client_key.pem
server_cert.pem
server_key.pem
tls_client_ca_chain.pem
To push the files to the security partition
1. Execute the command:
nvsecpush /userdata/otavmclient/download/<filename>
This execution command performs the same action as downloading the files from the Update Service.
2. After transferring the file, remove it from the download directory.
Removal of the file is not automatically performed.
Generating Security Configuration Files
The Security configuration files are bundled with the release files. They can be manually generated using the
Configuration Tool.
Generating TLS Security Configuration Files
The TLS security configuration files are created by using OpenSSL.
For details, consult the OpenSSL website at:
To install Openssl on Linux
1. Navigate to the /home directory and execute these commands:
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
tar -xvzf openssl-1.1.1.tar.gz
cd openssl-1.1.1
./config --prefix=/usr/
make
sudo make install
2. Add the installed tool to your PATH:
export PATH=$PATH:$HOME/openssl-1.1.1/apps
To verify the installation is successful
• Execute the command:
openssl version
The system returns:
OpenSSL 1.1.1 11 Sep 2018
To create the TLS Proxy server certificate files
This procedure describes how to create the following files:
server_key.pem
server_cert.pem
cert_req.pem
cert_req_key.pem
ca_key.pem
ca_cert.pem
1. Create a new directory. For example, $HOME/tls_cert/, then navigate to the newly created directory.
2. Execute these commands:
sudo perl $HOME/openssl-1.1.1/apps/CA.pl -newca
sudo perl $HOME/openssl-1.1.1/apps/CA.pl -newreq
sudo perl $HOME/openssl-1.1.1/apps/CA.pl -sign
For each of these commands, identify the PEM pass phrase, Country code, State, Common Name etc.
Where:
• The PEM pass phrase must be nvidia_proxy.
• The server certificate file must be added to the trusted certificates in the Guest OS; otherwise, the connection is NOT trusted.
If all the information has been entered successfully, the directory now contains the following files and subdirectories:
newcert.pem
newkey.pem
newreq.pem
demoCA/cacert.pem
demoCA/careq.pem
demoCA/certs -empty
demoCA/crl -empty
demoCA/index.txt
demoCA/index.txt.attr
demoCA/index.txt.attr.old
demoCA/index.txt.old
demoCA/serial
demoCA/serial.old
demoCA/private/cakey.pem
demoCA/newcerts/xxxxxxxxxxxx.pem -Root ca certificate
demoCA/newcerts/yyyyyyyyyyyy.pem -sub-certificate
To convert the encrypted private key to RSA private key
• Execute the command:
sudo openssl rsa -in newkey.pem -out newkey_rsa.pem
To rename the files
Once all the Server certificate files have been generated, they must be renamed to match the naming convention for the Security Services as follows:
newkey_rsa.pem -> server_key.pem
newcert.pem -> server_cert.pem
demoCA/private/cakey.pem -> ca_key.pem
demoCA/cacert.pem -> ca_cert.pem
newreq.pem -> cert_req.pem
newkey.pem -> cert_req_key.pem
Note: | When generating a new TLS proxy server certificate (server_cert.pem), the user must ensure the certification information is added to the local certificate storage on the Guest OS. For example, for a Linux Guest OS, the user must update/add the security information to the file: /etc/ssl/certs/ca-certificates.crt Or add the security information as a separate file/link at the certs directory at: /etc/ssl/certs |
To create TLS Proxy client certificate files
The TLS Proxy client files are:
client_cert.pem
client_key.pem
1. Execute this command to create the certificate key:
openssl req -x509 -newkey rsa:2048 -keyout client_key.pem -out client_cert.pem -days 365 -nodes
2. Provide the Country, State, Common Name etc.
3. Run this string to check the expiration date of the certificate:
openssl x509 -enddate -noout -in client_cert.pem
TLS Proxy CA certificate list
tls_client_ca_chain.pem
The Certificate Authority Trust chain file is likely to require frequent updates because it contains the certificate authentication details for the signing Certificate Authorities. The data for this file is available at:
The certificate collection is kept in a proprietary format and must be converted before it can be loaded into any OpenSSL libraries.
For example, by using this Curl project tool:
The Curl project provides a ready available version in .pem format at:
Once downloaded, or generated, the file must be in the .pem format and renamed to tls_client_ca_chain.pem
Note: | If there are any local certificates that are used on the system, they must be manually added to the tls_client_ca_chain.pem file; otherwise the TLS proxy is not trusted by the remote server. |
