Loading a Root CA on HL7800 with AT+KCERTSTORE

Hi Sierra!

I’ve started working with a HL7800 and need to load the root CA from api.sandbox.ewaypayments.com.

So I headed over to ssltools.com and downloaded the ascii PEM file for api.sandbox.ewaypayments.com, shown in the output below. The AT command interaction is achieved with a little python script.

The key command I’m getting stuck on is AT+KCERTSTORE=0,1316,0

Now the 1316 represents the length of the certificate and I suspect this is what I’m getting wrong. I’m not sure whether to include carriage returns or the begin/end certificate text in the length either. I’ve tried all sorts of combinations with no success. I’m not sure if I should also include an end of file +++ either? and if so do I include the length of that?

Anyway, if anyone is able to get success loading this root ca I will be extremely grateful!!!

Thanks in advance, output of my script is below showing the error.

Cheers

ATI
HL7800
OK

------------> COM PORT OK

AT+CPIN?
+CPIN: READY
OK

------------> SIM OK

AT+CGATT?
+CGATT: 1
OK

------------> GPRS OK

AT+KCGPADDR=?
+KCGPADDR: (1-2)
OK

------------> NETWORK OK

AT+CCLK?
+CCLK: "19/11/30,11:00:26+44"
OK

------------> TIME OK

AT+CMEE=1
OK


AT+CMEE?
+CMEE: 1
OK


AT&K3
OK


AT+CGATT=0


AT+KCNXCFG=1,"GPRS","telstra.wap"
OK
OK
+KCNX_IND: 1,0,0


AT+KCNXUP=1
OK
+KCNX_IND: 1,4,1


AT+KCNXCFG?
+KCNXCFG: 1,"GPRS","telstra.wap","","","IPV4","0.0.0.0","0.0.0.0","0.0.0.0",2
OK


AT+KSSLCFG=0,0
OK


AT+KCERTSTORE=0,1314,0
CONNECT


-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
MrY=
-----END CERTIFICATE-----

ERROR


AT+KCERTSTORE?
CONNECT
root_cert,0,0
local_cert,0,0
local_cert,1,0
local_cert,2,0
OK

Hi,

The length (Number of bytes) of this certificate is 1294. You don’t need to include an end of file +++ either.

You can try loading the root CA with these steps as below.

I have attached the log file for your reference. KCERTSTORE.txt (6.7 KB)

AT&K3

OK

(11:04:28:876) Snd COM24 [AT+KCERTSTORE=0,1294,0]

Loading a Root CA

(11:04:28:892) Rcv COM24 [CONNECT] @ 1<5000 ms

(11:04:29:171) Snd COM24 [-----BEGIN CERTIFICATE-----MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQq2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5WztCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQvIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NGFdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ918rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTepLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTflMrY=-----END CERTIFICATE-----]

(11:04:29:297) Rcv COM24 [OK] @ 118<3000 ms

Thanks Donald!

I think there must be something else weird going on here since it is not working for me with that length either.

Did you remove any carriage returns from the certificate?

It’s really weird, when I paste the content of the cert in the terminal it does nothing until I paste again, then its whinges about length. When I use my script to do it, it just says ERROR.

Hmmm

ATI
HL7800
OK

------------> COM PORT OK

AT+CPIN?
+CPIN: READY
OK

------------> SIM OK

AT+CGATT?
+CGATT: 1
OK

------------> GPRS OK

AT+KCGPADDR=?
+KCGPADDR: (1-2)
OK

------------> NETWORK OK

AT+CCLK?
+CCLK: "19/12/02,16:02:47+44"
OK

------------> TIME OK

AT+CMEE=1
OK


AT+CMEE?
+CMEE: 1
OK


AT&K3
OK


AT+CGATT=0


AT+KCNXCFG=1,"GPRS","telstra.wap"
OK


AT+KCNXUP=1
OK
+KCNX_IND: 1,4,1


AT+KCNXCFG?
+KCNXCFG: 1,"GPRS","telstra.wap","","","IPV4","0.0.0.0","0.0.0.0","0.0.0.0",2
OK


AT+KSSLCFG=0,0
OK


AT+KCERTSTORE=0,1294,0
CONNECT


-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
MrY=
-----END CERTIFICATE-----

ERROR


AT+KCERTSTORE?
CONNECT
root_cert,0,0
local_cert,0,0
local_cert,1,0
local_cert,2,0
OK

Hi @timroadley

Did you remove any carriage returns from the certificate?
–>No, I did not.

Which software tool are you using to load a root CA? You should enable “Hardware flow control” on software tool and HL7800 module (AT&K3) before loaded a root CA into module.
I use Autopilot tool to send DigiCert Global Root G2.crt file to HL7800 module.

Please find the screenshot for your reference.

Hi Donald,

Oh interesting, where did you get the autoPilot tool from?

I really need this to work completely scripted, since the code will end up in an IoT device. At least autopilot should help prove that the process is working and then I just need to work out what the difference between sending commands and sending files is.

Cheers

Hi timroadley,

Which firmware version are you using ?
For autoPilot tool, it is a software tool of Sierra Wireless. So I cannot share this externally.
You can also use Tera Term VT tool to send DigiCert Global Root G2.crt file to HL7800 module.

Note: You should enable “Hardware flow control” on software tool and HL7800 module (AT&K3) before loaded a root CA into module.


Hi Donald,

I’ve been using both tera term and python to interact with the modem and I had not enabled hardware flow control in tera term (silly me) even though I was using AT&K3.

I’ve managed to get the certificate to load with tera term, so that’s a great step forward!

My challenge now is to work out why it’s not working in python. Pyserial doesn’t seem to have a way to enable just ‘hardware’ flow control, and instead I must enable more specific things like rtscts or dsrdtr instead.

I’ve tried…

  1. rtscts=False, dsrdtr=False
  2. rtscts=True, dsrdtr=False
  3. rtscts=False, dsrdtr=True
  4. rtscts=True, dsrdtr=True

…all with the same result … a non descript ERROR

I expected option 4 above meant ‘hardware’ flow control on, still no luck though.

The pyserial output is as follows before I interact with the modem:

Serial<id=0x38efc10, open=True>(port='COM19', baudrate=115200, bytesize=8, parity='N', stopbits=1, timeout=0.5, xonxoff=False, rtscts=True, dsrdtr=True)

Anyway, I’ll keep trying and hopefully I can work out why it works in teraterm and not python

Thanks for your help!

Cheers

Oh sorry, I’m using firmware BHL7800.3.4.1.0.20190425

Just closing the loop on this one, the issue was with enabling hardware flow control in python

This is the final pyserial config that worked to enable hardware flow control. Basically DSR/DTR is not required and RTS/CTS is required. Also use 0 and 1 instead of True of False.

ser = serial.Serial(port=PORT, baudrate=115200, bytesize=8, parity='N', stopbits=1, rtscts=1, dsrdtr=0, xonxoff=0, timeout=5.0)