# Create a code-signing certificate
To digitally sign firmware images, you need a code-signing certificate and private key. For testing purposes, you can create a self‐signed certificate and private key. For production environments, purchase a certificate through a well‐known certificate authority (CA).
Different platforms require different types of code-signing certificates. The following sections describe how to create code-signing certificates for different FreeRTOS-qualified platforms.
**Topics**
+ [
# Creating a code-signing certificate for the Texas Instruments CC3220SF-LAUNCHXL
](ota-code-sign-cert-ti.md)
+ [
# Creating a code-signing certificate for the Espressif ESP32
](ota-code-sign-cert-esp.md)
+ [
# Creating a code-signing certificate for the Nordic nrf52840-dk
](ota-code-sign-cert-nordic.md)
+ [
# Creating a code-signing certificate for the FreeRTOS Windows simulator
](ota-code-sign-cert-win.md)
+ [
# Creating a code-signing certificate for custom hardware
](ota-code-sign-cert-other.md)
# Creating a code-signing certificate for the Texas Instruments CC3220SF-LAUNCHXL
**Important**
This reference integration is hosted on the Amazon-FreeRTOS repository which is deprecated. We recommend that you [start here](freertos-getting-started-modular.md) when you create a new project. If you already have an existing FreeRTOS project based on the now deprecated Amazon-FreeRTOS repository, see the [Amazon-FreeRTOS Github Repository Migration Guide](github-repo-migration.md).
The SimpleLink Wi-Fi CC3220SF Wireless Microcontroller Launchpad Development Kit supports two certificate chains for firmware code signing:
+ Production (certificate-catalog)
To use the production certificate chain, you must purchase a commercial code-signing certificate and use the [TI Uniflash tool](http://www.ti.com/tool/UNIFLASH) to set the board to production mode.
+ Testing and development (certificate-playground)
The playground certificate chain allows you to try out OTA updates with a self‐signed code-signing certificate.
Use the AWS Command Line Interface to import your code-signing certificate, private key, and certificate chain into AWS Certificate Manager. For more information see [ Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) in the *AWS Command Line Interface User Guide*.
Download and install the latest version of [SimpleLink CC3220 SDK](http://www.ti.com/tool/download/SIMPLELINK-CC3220-SDK). By default, the files you need are located here:
`C:\ti\simplelink_cc32xx_sdk_version\tools\cc32xx_tools\certificate-playground` (Windows)
`/Applications/Ti/simplelink_cc32xx_version/tools/cc32xx_tools/certificate-playground` (macOS)
The certificates in the SimpleLink CC3220 SDK are in DER format. To create a self‐signed code-signing certificate, you must convert them to PEM format.
Follow these steps to create a code-signing certificate that is linked to the Texas Instruments playground certificate hierarchy and meets AWS Certificate Manager and Code Signing for AWS IoT criteria.
**Note**
To create a code signing certificate, install [ OpenSSL](https://www.openssl.org/) on your machine. After you install OpenSSL, make sure that `openssl` is assigned to the OpenSSL executable in your command prompt or terminal environment.
**To create a self‐signed code signing certificate**
1. Open a command prompt or terminal with administrator permissions.
1. In your working directory, use the following text to create a file named `cert_config.txt`. Replace *test\$1signer@amazon.com* with your email address.
```
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
commonName = test_signer@amazon.com
[ my_exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
```
1. Create a private key and certificate signing request (CSR):
```
openssl req -config cert_config.txt -extensions my_exts -nodes -days 365 -newkey rsa:2048 -keyout tisigner.key -out tisigner.csr
```
1. Convert the Texas Instruments playground root CA private key from DER format to PEM format.
The TI playground root CA private key is located here:
`C:\ti\simplelink_cc32xx_sdk_version\tools\cc32xx_tools\certificate-playground\dummy-root-ca-cert-key` (Windows)
`/Applications/Ti/simplelink_cc32xx_sdk_version/tools/cc32xx_tools/certificate-playground/dummy-root-ca-cert-key` (macOS)
```
openssl rsa -inform DER -in dummy-root-ca-cert-key -out dummy-root-ca-cert-key.pem
```
1. Convert the Texas Instruments playground root CA certificate from DER format to PEM format.
The TI playground root certificate is located here:
`C:\ti\simplelink_cc32xx_sdk_version\tools\cc32xx_tools\certificate-playground/dummy-root-ca-cert` (Windows)
`/Applications/Ti/simplelink_cc32xx_sdk_version/tools/cc32xx_tools/certificate-playground/dummy-root-ca-cert` (macOS)
```
openssl x509 -inform DER -in dummy-root-ca-cert -out dummy-root-ca-cert.pem
```
1. Sign the CSR with the Texas Instruments root CA:
```
openssl x509 -extfile cert_config.txt -extensions my_exts -req -days 365 -in tisigner.csr -CA dummy-root-ca-cert.pem -CAkey dummy-root-ca-cert-key.pem -set_serial 01 -out tisigner.crt.pem -sha1
```
1. Convert your code-signing certificate (`tisigner.crt.pem`) to DER format:
```
openssl x509 -in tisigner.crt.pem -out tisigner.crt.der -outform DER
```
**Note**
You write the `tisigner.crt.der` certificate onto the TI development board later.
1. Import the code-signing certificate, private key, and certificate chain into AWS Certificate Manager:
```
aws acm import-certificate --certificate fileb://tisigner.crt.pem --private-key fileb://tisigner.key --certificate-chain fileb://dummy-root-ca-cert.pem
```
This command displays an ARN for your certificate. You need this ARN when you create an OTA update job.
**Note**
This step is written with the assumption that you are going to use Code Signing for AWS IoT to sign your firmware images. Although the use of Code Signing for AWS IoT is recommended, you can sign your firmware images manually.
# Creating a code-signing certificate for the Espressif ESP32
**Important**
This reference integration is hosted on the Amazon-FreeRTOS repository which is deprecated. We recommend that you [start here](freertos-getting-started-modular.md) when you create a new project. If you already have an existing FreeRTOS project based on the now deprecated Amazon-FreeRTOS repository, see the [Amazon-FreeRTOS Github Repository Migration Guide](github-repo-migration.md).
The Espressif ESP32 boards support a self-signed SHA-256 with ECDSA code-signing certificate.
**Note**
To create a code signing certificate, install [ OpenSSL](https://www.openssl.org/) on your machine. After you install OpenSSL, make sure that `openssl` is assigned to the OpenSSL executable in your command prompt or terminal environment.
Use the AWS Command Line Interface to import your code-signing certificate, private key, and certificate chain into AWS Certificate Manager. For information about installing the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
1. In your working directory, use the following text to create a file named `cert_config.txt`. Replace *test\$1signer@amazon.com* with your email address:
```
[ req ]
prompt = no
distinguished_name = my_dn
[ my_dn ]
commonName = test_signer@amazon.com
[ my_exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
```
1. Create an ECDSA code-signing private key:
```
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform PEM -out ecdsasigner.key
```
1. Create an ECDSA code-signing certificate:
```
openssl req -new -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -key ecdsasigner.key -out ecdsasigner.crt
```
1. Import the code-signing certificate, private key, and certificate chain into AWS Certificate Manager:
```
aws acm import-certificate --certificate fileb://ecdsasigner.crt --private-key fileb://ecdsasigner.key
```
This command displays an ARN for your certificate. You need this ARN when you create an OTA update job.
**Note**
This step is written with the assumption that you are going to use Code Signing for AWS IoT to sign your firmware images. Although the use of Code Signing for AWS IoT is recommended, you can sign your firmware images manually.
# Creating a code-signing certificate for the Nordic nrf52840-dk
**Important**
This reference integration is hosted on the Amazon-FreeRTOS repository which is deprecated. We recommend that you [start here](freertos-getting-started-modular.md) when you create a new project. If you already have an existing FreeRTOS project based on the now deprecated Amazon-FreeRTOS repository, see the [Amazon-FreeRTOS Github Repository Migration Guide](github-repo-migration.md).
The Nordic nrf52840-dk supports a self-signed SHA256 with ECDSA code-signing certificate.
**Note**
To create a code signing certificate, install [OpenSSL](https://www.openssl.org/) on your machine. After you install OpenSSL, make sure that `openssl` is assigned to the OpenSSL executable in your command prompt or terminal environment.
Use the AWS Command Line Interface to import your code-signing certificate, private key, and certificate chain into AWS Certificate Manager. For information about installing the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
1. In your working directory, use the following text to create a file named `cert_config.txt`. Replace *test\$1signer@amazon.com* with your email address:
```
[ req ]
prompt = no
distinguished_name = my_dn
[ my_dn ]
commonName = test_signer@amazon.com
[ my_exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
```
1. Create an ECDSA code-signing private key:
```
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform PEM -out ecdsasigner.key
```
1. Create an ECDSA code-signing certificate:
```
openssl req -new -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -key ecdsasigner.key -out ecdsasigner.crt
```
1. Import the code-signing certificate, private key, and certificate chain into AWS Certificate Manager:
```
aws acm import-certificate --certificate fileb://ecdsasigner.crt --private-key fileb://ecdsasigner.key
```
This command displays an ARN for your certificate. You need this ARN when you create an OTA update job.
**Note**
This step is written with the assumption that you are going to use Code Signing for AWS IoT to sign your firmware images. Although the use of Code Signing for AWS IoT is recommended, you can sign your firmware images manually.
# Creating a code-signing certificate for the FreeRTOS Windows simulator
The FreeRTOS Windows simulator requires a code-signing certificate with an ECDSA P-256 key and SHA-256 hash to perform OTA updates. If you don't have a code-signing certificate, follow these steps to create one.
**Note**
To create a code-signing certificate, install [ OpenSSL](https://www.openssl.org/) on your machine. After you install OpenSSL, make sure that `openssl` is assigned to the OpenSSL executable in your command prompt or terminal environment.
Use the AWS Command Line Interface to import your code-signing certificate, private key, and certificate chain into AWS Certificate Manager. For information about installing the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
1. In your working directory, use the following text to create a file named `cert_config.txt`. Replace *test\$1signer@amazon.com* with your email address:
```
[ req ]
prompt = no
distinguished_name = my_dn
[ my_dn ]
commonName = test_signer@amazon.com
[ my_exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
```
1. Create an ECDSA code-signing private key:
```
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -outform PEM -out ecdsasigner.key
```
1. Create an ECDSA code-signing certificate:
```
openssl req -new -x509 -config cert_config.txt -extensions my_exts -nodes -days 365 -key ecdsasigner.key -out ecdsasigner.crt
```
1. Import the code-signing certificate, private key, and certificate chain into AWS Certificate Manager:
```
aws acm import-certificate --certificate fileb://ecdsasigner.crt --private-key fileb://ecdsasigner.key
```
This command displays an ARN for your certificate. You need this ARN when you create an OTA update job.
**Note**
This step is written with the assumption that you are going to use Code Signing for AWS IoT to sign your firmware images. Although the use of Code Signing for AWS IoT is recommended, you can sign your firmware images manually.
# Creating a code-signing certificate for custom hardware
Using an appropriate toolset, create a self-signed certificate and private key for your hardware.
Use the AWS Command Line Interface to import your code-signing certificate, private key, and certificate chain into AWS Certificate Manager. For information about installing the AWS CLI, see [ Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html).
After you create your code-signing certificate, you can use the AWS CLI to import it into ACM:
```
aws acm import-certificate --certificate fileb://code-sign.crt --private-key fileb://code-sign.key
```
The output from this command displays an ARN for your certificate. You need this ARN when you create an OTA update job.
ACM requires certificates to use specific algorithms and key sizes. For more information, see [Prerequisites for Importing Certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html). For more information about ACM, see [Importing Certificates into AWS Certificate Manager](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html).
You must copy, paste, and format the contents of your code-signing certificate into the `vendors/vendor/boards/board/aws_demos/config_files/ota_demo_config.h` file that is part of the FreeRTOS code you download later.