Set command

The set command manages the modem's credential storage. It writes, reads, deletes, and lists (checks the existence of) keys and certificates. Keys and certificates are written directly to non-volatile memory (NVM) when the set command is issued.

The write and delete operations are allowed only when the modem is not activated; in the active state they fail with +CME ERROR 518.

Syntax:

%CMNG=<opcode>[,<sec_tag>[,<type>[,<content>[,<passwd>]]]]

Response syntax for read operation:

%CMNG: <sec_tag>,<type>[,<sha>[,<content>]]

Response syntax for list operation:

%CMNG: <sec_tag>,<type>[,<sha>]

Each <sec_tag>,<type> pair must be unique; multiple items with the same <sec_tag> and <type> values are not allowed.

+CME ERROR codes
513 – Not found. Applies to read, write, and delete.
514 – No access. Applies to read, write, and delete.
515 – Memory full. Applies to write.
518 – Not allowed in active state.

The set command parameters and their defined values are the following:

<opcode>
0 – Write
1 – List
2 – Read
3 – Delete
<sec_tag>
Integer, 0–2147483647.
Mandatory for write, read, and delete operations. Optional for list operation.
Values above 2147483647 are reserved for the modem; such <sec_tag>s might still appear in the output of the %CMNG list command.
<type> (modem firmware v1.0.x, v1.1.x, v1.2.x)
0 – Root CA certificate (ASCII text)
1 – Client certificate (ASCII text)
2 – Client private key (ASCII text)
3 – Pre-shared Key (PSK) (ASCII text in hexadecimal string format)
4 – PSK identity (ASCII text)
5 – Public key (ASCII text)
6 – Reserved
Mandatory if <opcode> is write, read, or delete. <type> 5 (public key) can be used only when <opcode> is delete.
<type> (modem firmware v1.3.x)
0 – Root CA certificate (ASCII text).
1 – Client certificate (ASCII text).
2 – Client private key (ASCII text).
3 – PSK (ASCII text in hexadecimal string format).
4 – PSK identity (ASCII text).
5 – Public key (ASCII text). Used in authenticated AT commands.
6 – Device identity public key.
7 – Reserved.
8 – Endorsement key. The private key is stored; <opcode> 2 (read) returns the corresponding public key. Used for content encryption. See %KEYGEN and %KEYINJECT.
9 – Ownership key. Used for signature verification. See %KEYGEN and %KEYINJECT.
10 – Nordic identity root CA. Root CA for Nordic identity server.
11 – Nordic base public key. Used for ownership key provisioning message signature verification.
Mandatory if <opcode> is write, read, or delete. <type> 5 (public key) can be used only when <opcode> is delete.
<content>
Mandatory if <opcode> is write; an empty string is not allowed. For a PSK (type 3), ASCII text in hexadecimal string format containing two International Reference Alphabet (IRA) characters per octet. For X.509 PEM entities, the Privacy Enhanced Mail (PEM) file enclosed in double quotes.
<passwd>
String. PKCS#8 password. Mandatory for writing a type 2 encrypted private key, ignored for other types. Maximum length 32 characters.
Not supported in current modem firmware versions.
<sha>
String in hexadecimal format. SHA-256 digest of the entity (DER, PEM) as stored in the filesystem. 64 characters representing a 256-bit vector.
Not supported in current modem firmware versions.
Note:
  • <content> in the read response is exactly what was written, including <CR>, <LF>, and other characters. The characters outside the double quotes are part of the AT response format.
  • Reading types 1, 2, 3, and 10 is not supported: client certificates, private keys and PSKs cannot be read back once written. Use the list operation to confirm that such an item exists.
  • Writing and deleting types 8, 10, and 11 are not supported.
  • Overwriting and deleting type 9 are not supported.
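The parameter rules above are easy to get wrong from a host-side provisioning script (an odd-length PSK hex string, a <passwd> on a type that ignores it, a read of write-only material that can only fail). The following Python helper, added here as an example and not part of Nordic's modem firmware or SDK, builds the %CMNG command strings for all four opcodes and enforces those rules before anything is sent. It assumes the caller delivers the returned string over the AT channel terminated with <CR><LF>; the serial transport, the constructed PEM sample (base64 of a placeholder, not a real certificate) and the rule that a double quote inside <content> would break the framing are this example's own assumptions.

```python
"""Build %CMNG command strings on the host side and enforce the parameter
rules of the reference before anything reaches the modem. Added example for
this page, not Nordic's own code. Assumes the caller sends the returned
string over the AT channel followed by <CR><LF>; the transport itself is out
of scope."""
import base64
import re

WRITE, LIST, READ, DELETE = 0, 1, 2, 3                                            # <opcode>
ROOT_CA, CLIENT_CERT, CLIENT_KEY, PSK, PSK_IDENTITY, PUBLIC_KEY = 0, 1, 2, 3, 4, 5  # <type>
SEC_TAG_MAX = 2147483647
PEM_TYPES = {ROOT_CA, CLIENT_CERT, CLIENT_KEY}   # X.509 PEM entities with a defined <content>
UNREADABLE_TYPES = {1, 2, 3, 10}                  # secret material is write-only on the modem
UNDELETABLE_TYPES = {8, 9, 10, 11}                # per the notes on the v1.3.x types

# Exactly one PEM block. A leading newline is accepted because the examples on
# this page open the quoted <content> with one.
_PEM_RE = re.compile(
    r"\s*-----BEGIN ([A-Z ]+)-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END \1-----\s*")
_HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")     # two IRA characters per octet


def _check_sec_tag(sec_tag):
    if not isinstance(sec_tag, int) or not 0 <= sec_tag <= SEC_TAG_MAX:
        raise ValueError(f"<sec_tag> must be an integer in 0..{SEC_TAG_MAX}")


def _check_content(ctype, content):
    if content == "":
        raise ValueError("an empty <content> is not allowed")
    if '"' in content:  # assumption: a quote inside the quoted field would break the AT framing
        raise ValueError("<content> must not contain a double quote")
    if ctype == PSK:
        if not _HEX_RE.fullmatch(content):
            raise ValueError("PSK <content> must be hex text, two characters per octet")
    elif ctype in PEM_TYPES:
        if not _PEM_RE.fullmatch(content):
            raise ValueError("expected exactly one PEM block")
    elif ctype != PSK_IDENTITY:
        raise ValueError(f"no <content> format is defined here for type {ctype}")


def cmng_write(sec_tag, ctype, content, passwd=None):
    """<opcode> 0. The modem must not be active, or it answers +CME ERROR: 518."""
    _check_sec_tag(sec_tag)
    if ctype == PUBLIC_KEY:
        raise ValueError("type 5 (public key) can only be used with delete")
    _check_content(ctype, content)
    cmd = f'AT%CMNG={WRITE},{sec_tag},{ctype},"{content}"'
    if passwd is not None:
        if ctype != CLIENT_KEY:
            raise ValueError("<passwd> applies only to type 2; the modem ignores it otherwise")
        if len(passwd) > 32:
            raise ValueError("<passwd> is limited to 32 characters")
        cmd += f',"{passwd}"'
    return cmd


def cmng_list(sec_tag=None, ctype=None):
    """<opcode> 1: all credentials, one <sec_tag>, or one (<sec_tag>, <type>) pair."""
    cmd = f"AT%CMNG={LIST}"
    if sec_tag is not None:
        _check_sec_tag(sec_tag)
        cmd += f",{sec_tag}"
        if ctype is not None:
            cmd += f",{ctype}"
    elif ctype is not None:
        raise ValueError("<type> requires a <sec_tag>")
    return cmd


def cmng_read(sec_tag, ctype):
    """<opcode> 2. Refuse locally what the modem refuses anyway."""
    _check_sec_tag(sec_tag)
    if ctype in UNREADABLE_TYPES:
        raise ValueError(f"type {ctype} cannot be read back; use list to confirm it exists")
    return f"AT%CMNG={READ},{sec_tag},{ctype}"


def cmng_delete(sec_tag, ctype):
    """<opcode> 3. Also requires the modem to be inactive."""
    _check_sec_tag(sec_tag)
    if ctype in UNDELETABLE_TYPES:
        raise ValueError(f"type {ctype} cannot be deleted")
    return f"AT%CMNG={DELETE},{sec_tag},{ctype}"


def constructed_pem(label, payload):
    """Syntactically valid PEM built from constructed bytes; sample data only, not a real entity."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    ca = constructed_pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
    print(cmng_write(12345678, ROOT_CA, ca))
    print(cmng_list(12345678))
    print(cmng_read(12345678, ROOT_CA))
    print(cmng_delete(12345678, ROOT_CA))
```

The checks mirror the reference rather than the modem's full behaviour: a command that passes them can still fail with 513, 514, 515 or 518, so the host must always read the final OK or +CME ERROR before moving on to the next credential.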

The following command example writes the root certificate:

AT%CMNG=0, 12345678, 0,"
-----BEGIN CERTIFICATE-----
MIIDSjCCA...
...bKbYK7p2CNTUQ
-----END CERTIFICATE-----"
OK

The following command example writes the client certificate:

AT%CMNG=0,567890,1,"
-----BEGIN CERTIFICATE-----
MIIBc464...
...bW9aAa4
-----END CERTIFICATE-----"
OK

The following command example writes the private key:

AT%CMNG=0,123,2,"
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICz...
...ukBu
-----END ENCRYPTED PRIVATE KEY-----","abcdefg"
OK

The following command example lists a single item by specifying tag and type:

AT%CMNG=1,12345678, 0
%CMNG: 12345678, 0, "978C...02C4"
OK

The following command example lists a single tag:

AT%CMNG=1,12345678
%CMNG: 12345678, 0, "978C...02C4"
%CMNG: 12345678, 1, "1A8C...02BB"
OK

The following command example lists all stored credentials:

AT%CMNG=1
%CMNG: 12345678, 0, "978C...02C4"
%CMNG: 567890, 1, "C485...CF09"
%CMNG: 123, 2, "92E1...8AC8"
%CMNG: 654321, 3, "E0C9...511D"
OK

The following command example reads the root certificate with tag 12345678:

AT%CMNG=2, 12345678, 0
%CMNG: 12345678, 0, "978C...02C4",
"-----BEGIN CERTIFICATE-----
MIIDSjCCA...
...bKbYK7p2CNTUQ
-----END CERTIFICATE-----"
OK

The following command example deletes a client certificate with tag 123:

AT%CMNG=3,123,1
OK

The following command example reads a non-existing root certificate with tag 4567. Error code 513 is returned:

AT%CMNG=2,4567,0
+CME ERROR: 513
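Parsing the responses shown above from a host script, and using the <sha> field to confirm that the credential on the device is the one you intended to provision, as an added example that is not Nordic's own code. The regular expression relies on the response syntax given earlier: <sha> always precedes <content>, so the first quoted field is the digest and the second, which can span several lines, is the entity itself. The sample responses are constructed from the examples on this page with full 64-character digests in place of the truncated ones, and the fingerprint check assumes <sha> is SHA-256 over the PEM text exactly as it was written (which is also what a read returns); that assumption, the constructed PEM and the helper names are this example's own.

```python
"""Parse what the modem answers to %CMNG and check a stored certificate's
fingerprint against a local copy. Added example for this page, not Nordic's
own code. Assumes the raw response text has already been read from the AT
channel. Assumption: <sha> is SHA-256 over the PEM text exactly as written,
which is also what a read returns."""
import base64
import hashlib
import re

CME_ERRORS = {513: "Not found", 514: "No access", 515: "Memory full",
              518: "Not allowed in active state"}

# <sec_tag>,<type>[,"<sha>"[,"<content>"]]: <sha> always precedes <content>, so the
# first quoted field is the digest and the second (possibly multi-line) is the entity.
_ENTRY_RE = re.compile(r'%CMNG:\s*(\d+),\s*(\d+)(?:,\s*"([^"]*)")?(?:,\s*"([^"]*)")?')
_ERR_RE = re.compile(r"\+CME ERROR:\s*(\d+)")
_OK_RE = re.compile(r"^OK\s*$", re.M)


class CmngError(Exception):
    """Raised for a +CME ERROR response; .code carries the numeric error."""
    def __init__(self, code):
        super().__init__(f"+CME ERROR: {code} ({CME_ERRORS.get(code, 'unknown')})")
        self.code = code


def cme_error_code(response):
    """Numeric +CME ERROR code in the response, or None if there is none."""
    m = _ERR_RE.search(response)
    return int(m.group(1)) if m else None


def parse_cmng(response):
    """Entries of a list/read response as dicts; raises CmngError on +CME ERROR."""
    code = cme_error_code(response)
    if code is not None:
        raise CmngError(code)
    if not _OK_RE.search(response):
        raise ValueError("incomplete response: no final OK")
    return [{"sec_tag": int(tag), "type": int(ctype),
             "sha": sha.upper() if sha else None, "content": content or None}
            for tag, ctype, sha, content in _ENTRY_RE.findall(response)]


def pem_sha256(pem_as_written):
    """Uppercase hex SHA-256 of the PEM text, the form assumed for <sha>."""
    return hashlib.sha256(pem_as_written.encode("ascii")).hexdigest().upper()


def fingerprint_matches(entries, sec_tag, ctype, local_pem):
    """True if the modem's <sha> for (sec_tag, type) equals the digest of local_pem."""
    for entry in entries:
        if (entry["sec_tag"], entry["type"]) == (sec_tag, ctype):
            if entry["sha"] is None:
                raise ValueError("modem did not report <sha> for this entry")
            return entry["sha"] == pem_sha256(local_pem)
    raise LookupError(f"no entry for sec_tag {sec_tag}, type {ctype}")


# Constructed sample data: base64 of a placeholder, not a real certificate or PSK.
SAMPLE_ROOT_CA = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(b"constructed placeholder, not a real certificate").decode("ascii")
                  + "\n-----END CERTIFICATE-----")
SAMPLE_PSK_SHA = hashlib.sha256(b"constructed psk placeholder").hexdigest().upper()


def sample_list_response():
    """Constructed AT%CMNG=1 response with two entries, modelled on the page's example."""
    return (f'%CMNG: 12345678, 0, "{pem_sha256(SAMPLE_ROOT_CA)}"\r\n'
            f'%CMNG: 654321, 3, "{SAMPLE_PSK_SHA}"\r\nOK\r\n')


def sample_read_response():
    """Constructed AT%CMNG=2,12345678,0 response; the content spans several lines."""
    return (f'%CMNG: 12345678, 0, "{pem_sha256(SAMPLE_ROOT_CA)}",\r\n'
            f'"{SAMPLE_ROOT_CA}"\r\nOK\r\n')


if __name__ == "__main__":
    entries = parse_cmng(sample_list_response())
    for entry in entries:
        print(entry["sec_tag"], entry["type"], entry["sha"])
    print("root CA fingerprint matches:", fingerprint_matches(entries, 12345678, 0, SAMPLE_ROOT_CA))
```

Because types 1, 2, 3 and 10 cannot be read back, the list operation and its <sha> field are the only way a host can verify that a previously written client certificate, private key or PSK is still the one it provisioned; for a root CA, comparing the digest against the local PEM is the check to run before trusting a device's TLS configuration.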