NXP Semiconductors
AN13500
EdgeLock A5000 Secure Authenticator for electronic anti-counterfeit protection using device-to-device
authentication
2 Certificate chain of trust
IoT requires each device to possess a unique identity. For a certificate-based
authentication scheme, the identity consists of:
• Device certificate
• Device key pair
A digital certificate binds an identity to a public key. Digital certificates are verified
using a chain of trust. The certificate chain of trust is a structure of certificates that enables
the receiver to verify that the sender and all CAs in the chain are trustworthy. The trust anchor for the
digital certificate is the root CA. Because the root certificate is self-signed, nothing in the
chain itself vouches for it: the verifier must obtain the root CA certificate through a trusted
channel (for example, provisioned at manufacturing) and store it as its trust anchor.
Certificates are issued and signed by certificates that reside higher in the certificate
hierarchy, so the validity and trustworthiness of a given certificate is determined by the
validity of the certificate that signed it. The certificate chain of trust therefore consists of
a root CA signing an intermediate CA, which in turn signs a leaf certificate, as shown in
Figure 2.
[Figure: three certificates and their signing relationships. The leaf certificate (owner's name, owner's public key, issuer's (CA) name, issuer's (CA) signature) is signed with the issuer's private key. The intermediate certificate (issuer's name, issuer's public key, root CA's name, root CA's signature) is signed with the root CA's private key. The root certificate (root CA's name, root CA's public key, root CA's signature) is self-signed with the root CA's private key. Each private key is referenced by the certificate carrying the matching public key. Signature verification runs in the opposite direction to signing: each certificate's signature is verified with the public key contained in the certificate one level up.]
Figure 2. Certificate chain of trust
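The chain in Figure 2, and the OEM device-certificate check discussed next, as a worked example. This is added here and is not code from this application note or from NXP; it uses the open-source Python 'cryptography' package rather than any A5000 API, and generates the device key in software, whereas on an A5000 the key would be generated inside the secure element and never leave it. A constructed OEM root CA signs an intermediate CA, which signs a device certificate, and verify_chain() walks from the leaf back to the trust anchor, checking issuer/subject linkage, validity period, the CA flag and each signature. The certificate names, lifetimes and helper names (issue, verify_chain, build_demo) are illustrative assumptions. Alongside the genuine chain it builds a counterfeit chain that copies the OEM's certificate names but is rooted in an attacker-generated key, and a certificate "issued" by a device leaf, to show which check rejects each.

```python
"""Build an OEM-style certificate chain (root CA -> intermediate CA -> device
leaf) and walk it back up to a trust anchor: each signature is verified with
the public key of the certificate one level up, and the self-signed root is
trusted only because the verifier already holds it.

Added example using the open-source 'cryptography' package
(pip install cryptography). Names, lifetimes and helper functions are
illustrative assumptions, not NXP or A5000 APIs. The device key is generated
in software here; on an A5000 it would live inside the secure element.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cert, issuer_key, is_ca, days):
    """Issue a certificate for subject_key, signed with issuer_key.

    issuer_cert=None produces a self-signed (root) certificate.
    """
    now = datetime.now(timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        # CA:TRUE marks a certificate allowed to sign others; a device leaf gets CA:FALSE.
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across library versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def verify_chain(leaf, intermediates, trust_anchor, now=None):
    """Verify leaf -> intermediates -> trust_anchor. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    chain = [leaf, *intermediates, trust_anchor]
    for depth, cert in enumerate(chain):
        # The certificate above signs this one; the root signs itself.
        issuer = chain[depth + 1] if depth + 1 < len(chain) else cert
        who = cert.subject.rfc4514_string()
        if cert.issuer != issuer.subject:
            return False, f"issuer name mismatch at {who}"
        nb, na = _validity(cert)
        if not (nb <= now <= na):
            return False, f"outside validity period: {who}"
        if depth > 0:  # every certificate that signs another must be a CA
            try:
                bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            except x509.ExtensionNotFound:
                return False, f"no basicConstraints on issuer {who}"
            if not bc.ca:
                return False, f"non-CA certificate used as issuer: {who}"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"bad signature on {who}"
    return True, "chain verified up to the trust anchor"


def build_demo():
    """Constructed OEM PKI plus a counterfeit chain that copies the names only."""
    keys = {k: ec.generate_private_key(ec.SECP256R1())
            for k in ("root", "inter", "dev", "fake_root", "fake_inter", "other")}
    root = issue("OEM Root CA", keys["root"], None, keys["root"], True, 3650)
    inter = issue("OEM Device CA", keys["inter"], root, keys["root"], True, 1825)
    device = issue("device-0001", keys["dev"], inter, keys["inter"], False, 3650)
    # A counterfeiter can clone the names and structure but not the OEM private keys.
    fake_root = issue("OEM Root CA", keys["fake_root"], None, keys["fake_root"], True, 3650)
    fake_inter = issue("OEM Device CA", keys["fake_inter"], fake_root, keys["fake_root"], True, 1825)
    fake_device = issue("device-0001", keys["dev"], fake_inter, keys["fake_inter"], False, 3650)
    # A genuine device certificate is CA:FALSE, so it cannot vouch for another device.
    rogue = issue("device-0002", keys["other"], device, keys["dev"], False, 365)
    return {"root": root, "inter": inter, "device": device,
            "fake_inter": fake_inter, "fake_device": fake_device, "rogue": rogue}


if __name__ == "__main__":
    d = build_demo()
    print(verify_chain(d["device"], [d["inter"]], d["root"]))              # genuine
    print(verify_chain(d["device"], [], d["root"]))                         # intermediate missing
    print(verify_chain(d["fake_device"], [d["fake_inter"]], d["root"]))    # counterfeit chain
    print(verify_chain(d["rogue"], [d["device"], d["inter"]], d["root"]))  # leaf used as CA
```

Running the script prints (True, ...) for the genuine chain and (False, reason) for the other three: the counterfeit chain passes the name and CA checks and fails only at the signature over the cloned intermediate, which is exactly where the OEM's private key is needed. Two things a production verifier must still add: the trust anchor has to be provisioned out of band (pinned in verifier firmware or fetched over an already-authenticated channel), and revocation, path-length and key-usage constraints are not checked here. Note also that presenting a valid certificate proves nothing by itself, because certificates are public; the device must additionally prove possession of the matching private key, which is the purpose of the device-to-device authentication this note describes.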
IoT devices manufactured by the OEM should be equipped with a unique key pair and a
digital certificate issued under the OEM's CA certificate, that is, signed with the OEM CA's
private key. The OEM's CA is used to sign the certificates of all devices manufactured by the
OEM. Specifically, this signature provides the means to verify the validity of device
certificates in the field (
AN13500
All information provided in this document is subject to legal disclaimers.
© NXP B.V. 2022. All rights reserved.
Application note
Rev. 1.0 — 28 March 2022
4 / 45