Skip to main content


DigiCert® NanoSSL is a TLS/SSL solution specifically designed to speed product development while providing device security services for resource-constrained environments. With the Internet of Things (IoT), several types of network-connected devices need secured management access to transport data securely over the unsecured Internet.

TLS/SSL (Transport Layer Security/Secure Sockets Layer) authenticates endpoints and encrypts channels to provide session privacy and security on the Internet. SSL operates at the transport layer in the OSI stack and provides secured data transport to applications. It supports peer negotiation for algorithm selection, public key-based exchange of secret session keys, and X.509 certificates.

NanoSSL provides easy-to-use APIs for integration with applications like web servers and browsers. Its certificate management module allows it to fetch or renew SSL certificates, check the status of SSL certificates using CRLs, or to query a Certificate Authority (CA) or certificate chain.

NanoSSL also supports NSA Suite B crypto algorithms to provide a holistic approach for securing networked devices and services, ideally suited for high-traffic enterprise and federal environments where performance is critical. Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS).

Key features

DigiCert NanoSSL provides the following features:

  • Small memory footprint

  • Accelerates integration and testing of complex cryptographic functions for your product

  • FIPS 140-2/3 Level 1 validated (optional)

  • Integration with the Enrollment over Secure Transport (RFC-7030)

  • TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 compliant

  • OpenSSL Connector for migration from open source with API level equivalency (with turnkey professional services)

  • Operators for hardware acceleration

  • Crypto abstraction platform for compliance with export/import controls

  • SSLv3 (RFC 7568) compliant

  • SSLv3 is disabled by default in NanoSSL but can be enabled if necessary to support communication with legacy applications that require SSLv3

  • TCP/IP-neutral

  • Pre-shared keys

  • SSL alerts

  • Support for TLS server name extension (RFC 6066)

  • Support for mutual authentication

  • Support for DTLS 1.2 and 1.3

  • Support for PKCS#8 and PKCS#12 certificate formats

  • Support for TPM-generated keys

  • OS- and platform-agnostic for easy portability

  • Threadless architecture, synchronous and asynchronous

  • Guaranteed GPL-free code protects your intellectual property

System requirements

Memory requirements

NanoSSL has a minimum memory footprint of 156KB.[1]

Typical memory usage is with a full set of ciphers and may vary (decrease or increase) based on 32/64-bit, x86/ARM/MIPS, reduced set of ciphers, static/shared library, and compile flags.

Supported operating systems

NanoSSL is currently supported on the following operating systems:

  • Linux (Ubuntu, Debian, Raspbian, CentOS)

  • Solaris

  • Microsoft® Windows

  • Cygwin

  • FreeBSD

  • QNX

  • FreeRTOS

  • VxWorks

  • ThreadX


DigiCert can provide a guide to assist with porting to another operating system or RTOS. To learn more, contact your DigiCert account representative.

Supported operating platforms

NanoSSL is currently supported on the following operating platforms:

  • Intel® x86

  • ARM Cortex

  • Hardware Acceleration - Intel AES-NI, Vendor Extensions via NanoCrypto Callbacks

  • Secure Element - TPM 1.2, TPM 2.0, ARM TrustZone, PKCS11

  • VxWorks 6.9 and 7.0 Workbench IDE

  • OPC-UA HP SDK for Linux and Windows platforms

OpenSSL compatibility

TrustCore SDK makes it easy to replace the OpenSSL SSL and crypto library with a shim that uses the NanoSSL and NanoCrypto implementation, so you don't have to change your application calls. To learn more about replacing OpenSSL with NanoSSL, refer to About DigiCert OpenSSL Connector provided by DigiCert.

Supported standards

DigiCert NanoSSL supports the following standards:

  • RFC 2246: TLS Protocol Version 1.0

  • RFC 3268: Advanced Encryption Standard (AES) Cipher suites for TLS

  • RFC 6066: Transport Layer Security (TLS) Extensions

  • RFC 4279: Pre-shared Key Cipher suites for TLS

  • RFC 4346: TLS Protocol Version 1.1

  • RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security

  • RFC 5077: Transport Layer Security (TLS) Session Resumption without Server-Side State

  • RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2

  • RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (obsoletes RFC 3280)

  • RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS

  • RFC 5289: TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)

  • RFC 5430: Suite B Profile for Transport Layer Security (TLS)

  • RFC 5487: Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode

  • RFC 5489: ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)

  • RFC 5746: TLS Renegotiation Indication Extension

  • RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions

  • RFC 6101: Secure Sockets Layer (SSL) Protocol Version 3.0

  • RFC 6520: Heartbeat Extension for TLS and DTLS.

  • RFC 6655: AES-CCM Cipher Suites for Transport Layer Security (TLS)

  • RFC 7251: AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS

  • RFC 7568: Deprecating Secure Sockets Layer Version 3.0

  • RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3

  • RFC 9146: The Datagram Transport Layer Security (DTLS) Protocol Version 1.3

FIPS and Suite B support

Network diagram

This figure shows how NanoSSL is implemented in a network to securely transfer information between a server and connected devices.

Figure 1. NanoSSL Network Diagram
NanoSSL Network Diagram

[1] Estimate based on Intel x86 builds.