Skip to main content
E
Eliasvan
Associate II
August 27, 2025
Solved

Debug Authentication Certificate Validity Period for STM32H7S3

  • August 27, 2025
  • 4 replies
  • 471 views

Dear,

I am writing to inquire about the inclusion of a validity period in the debug authentication certificates used with the STM32H7S3 microcontroller.

My project requires that the debug access certificates I provision have a limited, defined lifespan to align with security policies. I am currently using the latest versions of STM32TrustedPackageCreator (v2.20.0) and PSA_ADAC (v0.2.0) to generate these certificates.

I have reviewed the documentation for both tools and have not found a user-configurable option to specify a notAfter (as is available for X.509) or expiration date for the generated ADAC certificates.

Could someone please clarify the following:

  1. Is it possible to generate ARM ADAC certificates with a defined validity period using any publicly available tools?

  2. If not, is there a different process, tool, or service that would allow me to create such certificates?

  3. Are the certificates generated by the public tools created with a fixed, pre-defined validity period?

Thank you very much!

Best answer by Jocelyn RICARD

Hello @Eliasvan ,

There is currently no way to manage the validity period of the certificate.

The point here is that this validity date would need to be checked on the STM32H7S target.

As there is no way to ensure a trusted date on the microcontroller, this would be useless.

2 remarks

1- The certificate alone is not enough to reopen a device. You need access to the associated private key.

2- You can limit the certificate usage to only one target by including its UID.

Best regards

Jocelyn

 

4 replies

Jocelyn RICARD
Jocelyn RICARDBest answer
ST Employee
August 27, 2025

Hello @Eliasvan ,

There is currently no way to manage the validity period of the certificate.

The point here is that this validity date would need to be checked on the STM32H7S target.

As there is no way to ensure a trusted date on the microcontroller, this would be useless.

2 remarks

1- The certificate alone is not enough to reopen a device. You need access to the associated private key.

2- You can limit the certificate usage to only one target by including its UID.

Best regards

Jocelyn

 

    E
    EliasvanAuthor
    Associate II
    September 4, 2025

    What is the ST-recommended way to perform your 2nd remark "You can limit the certificate usage to only one target by including its UID"?

    Is the recommended way to set the Root.soc_id.Hidden property from 1 to 0 in the "STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/TPC_CertifGen_Data_Base/STM32_CertifGen_DB_0x485.xml" file before launching "STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32TrustedPackageCreator" and setting the soc_id field in the certificate creation GUI to the little endian 96-bit unique device ID as found at 0x08FF_F800?

    E
    EliasvanAuthor
    Associate II
    August 28, 2025

    Thank you very much Jocelyn!

     

    Best regards,
    Elias

    Jocelyn RICARD
    Jocelyn RICARD
    ST Employee
    September 4, 2025

    Hello @Eliasvan ,

    Yes this is basically what you need to do.

    There is this wiki page related to STM32H5 that should work the same way with STM32H7S

    Best regards

    Jocelyn

      E
      EliasvanAuthor
      Associate II
      September 4, 2025

      Thanks!

      And for a command-line version I suppose the ST-provided "PSA_ADAC" utility with subcommand "sign" can be used with the "ConfigGenCertifDA.yml" as input (followed by subcommand "chain" to create chains). :)

      Jocelyn RICARD
      Jocelyn RICARD
      ST Employee
      September 10, 2025

      Yes, this is the tool used by TPC.

      You can get the yml file used in in last command here <user>\STMicroelectronics\STM32CubeProgrammer\ConfigGenCertifDA.yml

      Terms & ConditionsAccessibility statement