feat: support provisioning server cert

Signed-off-by: Maximilian Deubel <maximilian.deubel@nordicsemi.no>

Author: maxd-nordic

src/nrfcloud_utils/claim_and_provision_device.py

@@ -77,9 +77,6 @@ def parse_args(in_args):
     parser.add_argument("--csr-attr", type=str,
                         help="CSR attributes. Do not include CN (common name), the device ID will be used",
                         default="")
-    parser.add_argument("--install-ca",
-                        help="Install the AWS root CA cert",
-                        action='store_true', default=False)
     parser.add_argument("--coap",
                         help="Install the CoAP server root CA cert in addition to the AWS root CA cert",
                         action='store_true', default=False)
@@ -333,10 +330,6 @@ def main(in_args):
     if not retval:
         error_exit(ser, 'Unable to communicate')
 
-    # write CA cert(s) to modem
-    if args.install_ca or args.coap:
-            install_ca_certs(args.sectag, args.stage, args.coap, args.noshell)
-
     attest_tok = args.attest
     if not attest_tok:
         # get attestation token
@@ -474,9 +467,15 @@ def main(in_args):
     if not prov_id:
         error_exit(ser, 'Failed to obtain provisioning cmd ID')
 
-    # TODO: create provisioning command to install AWS root CA?
-    #       currently, provisioning client does not support large CAs,
-    #       such as the AWS root CA.
+    # create provisioning command to install server cert
+    print(local_style('\nCreating provisioning command (server cert)...'))
+    server_cert = ca_certs.get_ca_certs(args.coap, args.stage)
+    api_res = nrf_cloud_diap.create_provisioning_cmd_server_cert(args.api_key, dev_uuid,
+                                                                 server_cert,
+                                                                 sec_tag=args.sectag)
+    nrf_cloud_diap.print_api_result("Prov cmd client cert response", api_res, args.verbose)
+    if api_res.status_code != 201:
+        error_exit(ser, 'CreateDeviceProvisioningCommand API call failed')
 
     # create provisioning finished command
     print(local_style('\nCreating provisioning command (finished)...'))

src/nrfcloud_utils/nrf_cloud_diap.py

@@ -70,9 +70,8 @@ def get_create_prov_cmd_req(dev_uuid):
     global api_url
     return f'{api_url}{CLAIMED_DEV}/{dev_uuid}/{PROV}'
 
-def create_provisioning_cmd_client_cert(api_key, dev_uuid, cert_pem,
-                                        description='Update client cert',
-                                        sec_tag=16842753):
+def create_provisioning_cmd_cert(api_key, dev_uuid, cert_pem, description, cert_type,
+                                 sec_tag=16842753):
     global api_url
 
     payload = {}
@@ -84,13 +83,27 @@ def create_provisioning_cmd_client_cert(api_key, dev_uuid, cert_pem,
     cert_obj['content'] = cert_pem
     cert_obj['secTag'] = sec_tag
 
-    request['clientCertificate'] = cert_obj
+    request[cert_type] = cert_obj
 
     payload['description'] = description
     payload['request'] = request
 
     return requests.post(req, json=payload, headers=get_auth_header(api_key))
 
+def create_provisioning_cmd_client_cert(api_key, dev_uuid, cert_pem,
+                                        description='Update client cert',
+                                        sec_tag=16842753):
+    return create_provisioning_cmd_cert(api_key, dev_uuid, cert_pem,
+                                        description, 'clientCertificate',
+                                        sec_tag)
+
+def create_provisioning_cmd_server_cert(api_key, dev_uuid, cert_pem,
+                                        description='Update server cert',
+                                        sec_tag=16842753):
+    return create_provisioning_cmd_cert(api_key, dev_uuid, cert_pem,
+                                        description, 'serverCertificate',
+                                        sec_tag)
+
 def create_provisioning_cmd_finished(api_key, dev_uuid, description='Provisioning complete'):
     global api_url