I'm following the instructions in this tutorial to connect an MKR NB 1500 to AWS. There is a section about configuring the certificate using the ECCX08CSR sketch to generate a certificate and it notes:
NOTE: This locking process is permanent and irreversible, but is needed to use the crypto element - the configuration the sketch sets allows you to use 5 private key slots with any Cloud provider (or server) and a CSR can be regenerated any time for each of the other four slots.
I'm a bit confused by the language, as it seems contradictory that it says this is "permanent and irreversible" but also says that you regenerate a CSR for any of the other slots.
There are two other similar tutorials (here and here) that state the above disclaimer slightly differently, stating:
a private key can be regenerated any time for any of the 5 private key slots (0 - 4)
I have not kept track of which slots I've assigned keys to (something I'll do a better job of in the future), and now I'm having trouble connecting to AWS (which I've done successfully before). I'm wondering if it's because I may have tried to generate a key in a slot that I've already used and cannot be overwritten.
Can anyone provide any clarification or know any way to check which crypto slots have been written to? Thanks!
The crypto module will create its internal keys - private asymmetric (RSA or ECC) and symmetric (used for symmetric encryption, e.g. AES, ...). Once the keys are created, the module is locked, the key cannot be changed. It is for your assurance that nobody else had access to your keys and counter, not even the manufacturer.
CSR (certificate signing request) means that you can request signing the request (providing a certificate) from different providers (e.g. AWS IoT, Azure, ...) or multiple times reusing the same private key if need be. The signed certificate is public and may be part of the program or stored in the EEPROM.
Not sure if that answers your question or if there's something not clear
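An added sketch (not from this thread or the tutorial) that probes the five key slots and then regenerates a CSR from an existing key without creating a new one. It uses the ArduinoECCX08 library API and the ECCX08CSR helper shipped with the library; the assumption is that a slot from which the chip will not derive a public key holds no usable private key.

```arduino
#include <ArduinoECCX08.h>
#include <utility/ECCX08CSR.h>   // CSR helper used by the library's ECCX08CSR example

// Slots 0-4 are the private-key slots the ECCX08CSR configuration sets up.
const int FIRST_KEY_SLOT = 0;
const int LAST_KEY_SLOT  = 4;

// A private key can never be read back, but the chip can derive the matching
// public key from a slot. Assumption: if that derivation fails, the slot is
// treated as holding no usable key.
bool slotHasKey(int slot, byte publicKey[64]) {
  return ECCX08.generatePublicKey(slot, publicKey) == 1;
}

void printHex(const byte* buf, int len) {
  for (int i = 0; i < len; i++) {
    if (buf[i] < 0x10) Serial.print('0');
    Serial.print(buf[i], HEX);
  }
  Serial.println();
}

void setup() {
  Serial.begin(9600);
  while (!Serial);

  if (!ECCX08.begin()) {
    Serial.println("No ECCX08 present!");
    while (1);
  }

  // locked() reports whether the one-time configuration lock has been applied.
  Serial.print("Configuration locked: ");
  Serial.println(ECCX08.locked() ? "yes" : "no");

  byte pub[64];
  for (int slot = FIRST_KEY_SLOT; slot <= LAST_KEY_SLOT; slot++) {
    Serial.print("slot "); Serial.print(slot); Serial.print(": ");
    if (slotHasKey(slot, pub)) { Serial.print("public key "); printHex(pub, 64); }
    else Serial.println("no public key returned");
  }

  // Regenerate a CSR for the key already in slot 0. The second argument 'false'
  // means "reuse the existing private key", so nothing in the slot is touched.
  if (ECCX08CSR.begin(0, false)) {
    ECCX08CSR.setCommonName(ECCX08.serialNumber());  // subject CN = device serial
    Serial.println(ECCX08CSR.end());                  // PEM-encoded CSR
  }
}

void loop() {}
```

Passing 'true' instead of 'false' to begin() would generate a fresh private key in that slot, which is what the tutorial warns about if you lose track of which slots already hold the key your cloud certificate was issued for.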
I think I am clear, but just to be sure: once an internal key is generated in a given slot (let's say slot 0 in this example), slot 0 is permanently locked with that key. That key can be used to generate any number of CSRs through various cloud providers.
My other question is, once slot 0 is locked, can I still use slots 1-4 to generate additional internal keys?