Generating a certificate with a private ATECC key

My goal is to connect a device to AWS IoT using a private ECC key generated within the ATECC608. I have already successfully connected a device by generating a key/crt with openssl and then writing the key to the ATECC (as per the security guide instructions), but now want to test generating a secret key on the ATECC.

I followed the process using the generic sample setup for the ATECC, as per the Security user guide.

I generated a self-signed CA certificate using these commands:

openssl ecparam -out ca.key.pem -name prime256v1 -genkey
openssl req -new -subj "/C=IE/L=Dublin/O=ACME Ltd/OU=Testing/CN=test.acme.com" -sha256 -key ca.key.pem -text -out ca.csr.tmpl
openssl x509 -in ca.csr.tmpl -text -out ca.crt.pem -req -signkey ca.key.pem

I am able to successfully generate a key using the mos tool with

mos --port ws://mydevice.local/rpc atca-gen-key 0 --dry-run=false

and that outputs a public ECC key, so the ATECC is working as expected.

I then tried to use the atca-gen-cert command to generate a certificate using the self-signed CA cert, like this:

mos --port ws://mydevice.local/rpc atca-gen-cert 0 mydevice.crt.pem --dry-run=false --ca-cert-file ca.crt.pem --ca-key-file ca.key.pem --subject "/C=IE/L=Dublin/O=ACME Ltd/OU=Testing/CN=test.acme.com"

but this always outputs the error:

Error: /go/src/github.com/mongoose-os/mos/mos/x509utils/gen_cert.go:265: unknown key format EC PARAMETERS in ca.key.pem

I’m guessing there is some way the CA needs to be configured to be compatible with the ATECC, but I’m not really sure what that would be.

Am I doing the right thing here? My assumption is that I’ll get a .crt file out of this process and that I can write the .crt to the device and follow the AWS provisioning process as per the security guide.
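The error message above names the label of the first PEM block the tool encountered. The following is an added example, not code from the thread or from the mos tool: it parses a constructed ca.key.pem of the shape that `openssl ecparam -genkey` writes when `-noout` is omitted, shows the EC PARAMETERS block sitting ahead of the EC PRIVATE KEY block, and strips it so that a loader which only looks at the first block sees the key. The key body in the sample is a placeholder, not a real private key.

```python
import base64
import re

# Constructed sample: "openssl ecparam -name prime256v1 -genkey" without
# -noout emits the curve OID as an EC PARAMETERS block (DER for
# 1.2.840.10045.3.1.7, i.e. prime256v1) before the EC PRIVATE KEY block.
# The private-key body here is a base64 placeholder, not key material.
SAMPLE_CA_KEY_PEM = """-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
UExBQ0VIT0xERVIgQ09OU1RSVUNURUQgS0VZIEJPRFk=
-----END EC PRIVATE KEY-----
"""

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK_RE.finditer(text)]


def first_block_label(text):
    """The label a loader that inspects only the first PEM block would see."""
    blocks = pem_blocks(text)
    return blocks[0][0] if blocks else None


def strip_ec_parameters(text):
    """Drop EC PARAMETERS blocks and keep the remaining blocks verbatim.

    Equivalent in effect to regenerating the key with "openssl ecparam
    ... -genkey -noout" or rewriting it with "openssl ec -in k -out k".
    """
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK_RE.finditer(text)
                   if m.group(1) != "EC PARAMETERS")


if __name__ == "__main__":
    for label, der in pem_blocks(SAMPLE_CA_KEY_PEM):
        print(f"{label}: {len(der)} DER bytes")
    print("first block before:", first_block_label(SAMPLE_CA_KEY_PEM))
    cleaned = strip_ec_parameters(SAMPLE_CA_KEY_PEM)
    print("first block after: ", first_block_label(cleaned))
```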

(I may be talking nonsense) IIRC the AWS tutorial generates a key file and later signs it with the Amazon CA to get the cert. Have you tried that?

Yes, that is correct and I’m able to do that. In the example they use openssl to generate a key and write it to the ATECC. The key is then signed and then the cert can be uploaded to AWS. That is all working 100% for me.

I’m trying to generate a key within the ATECC (i.e. the private key ONLY lives on the ATECC and no one ever knows the private key), then obtain the signed public key. I can generate the key and it spits out the public key, but I’m having hassles with the mos command that is supposed to do the key generation and certificate generation in one step, i.e. the “atca-gen-cert” command.

I think I’ve succeeded in getting to the outcome I was looking for.

Using:

mos aws-iot-setup --use-atca --aws-iot-policy=mos-default

appears to automatically generate a new key in slot 0. Part of the output of this command is:

Generating ECDSA private key

ATECC608A rev 0x6002 S/N 0x0123456789ABCDEeee, config is locked, data is locked

Generating new private key in slot 0
Generating certificate request, CN: mydevice
Signing with slot 0…

Asking AWS for a certificate…

It is now connected to AWS and sending data over MQTT, and from what I can see this was done by generating a new private key within the ATECC.