nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)


What does this mean?

The Azure IoT Hub library requires provisioning of the following certificates and a private key for a successful TLS connection:

  1. Baltimore CyberTrust Root Certificate - Server certificate, used to verify the server’s certificate while connecting.

  2. Public device certificate - generated by the procedures described in Creating Azure IoT Hub certificates, used by Azure IoT Hub to authenticate the device.

  3. Private key of the device.

Hello Nordic?

Does this guide tell you to copy/paste the Baltimore CyberTrust Root Certificate file into the ca-cert.pem file in the certs folder of the "Azure IoT Hub" sample?

So, what file should I upload to the Certificates section in Azure IoT Hub?

The MS guide tells me to upload the pem file created through rootca, but I'm confused about what to do.

Also, since the Baltimore CyberTrust Root certificate has expired, there is a guide to change it to a G2 certificate.


As of November 23, this part needs to be updated on what to do.

I've been stuck on this part for a few days.

Please provide guidance or comments.

Thank you.

  • Hi,

    Does this guide tell you to copy/paste the Baltimore CyberTrust Root Certificate file into the ca-cert.pem file in the certs folder of the "Azure IoT Hub" sample?

    Which guide? Do you have a link to it?

    So, what file should I upload to the Certificates section in Azure IoT Hub?

    See nRF Cloud Access Provisioning. This is for nRF Cloud, but the certificate distribution should be the same for Azure as well.
    Do you find what you are looking for here?

    Also, since the Baltimore CyberTrust Root certificate has expired, there is a guide to change it to a G2 certificate.

    When I download the Baltimore CyberTrust Root Certificate, it seems like it does not expire until 2025:

    Regards,
    Sigurd Hellesvik

  • Thank you for the quick response.

    If you look at the Azure IoT Hub guide source code, there are ca-cert.pem, client.pem, and private.pem in the certs folder.

    Can I enter the Baltimore CA key in the ca-cert.pem file here?

    I need a detailed guide on how to add the Baltimore Key to the certificate section in the Azure IoT Hub portal and upload the client key.pem before verifying it.

    According to the Nordic guide, refer to Microsoft's CA creation guide.

    However, there is no guide related to Baltimore CA in that guide, so I am confused as to whether I need to create a rootca or just a subca.

  • I will add an additional reply. The link to the guide you mentioned is below.

    Nordic AzureIotHub Guide 1

    Nordic AzureIotHub Guide 2

    The guide focuses on guides related to the nRF91.
    I'm curious because the nRF7002 seems to be different.

  • E_Kan said:
    Can I enter the Baltimore CA key in the ca-cert.pem file here?

    Yes.

    E_Kan said:
    I need a detailed guide on how to add the Baltimore Key to the certificate section in the Azure IoT Hub portal and upload the client key.pem before verifying it.

    If I am not mistaken, you would not need to upload the Baltimore key to the Azure IoT Hub. The Baltimore CA key is to verify the TLS for Azure's MQTT, so that the device knows it is talking to a valid server.

    I recommend the Understand how X.509 CA certificates are used in IoT guide.

  • Thanks for your reply.

    I solved the problem, but I couldn't solve it with the Baltimore CA certificate you provided.

    [00:00:07.931,915] <inf> mqtt_helper: innopia : certificates_provision() IN
    [00:00:07.931,915] <inf> mqtt_helper: innopia : ca : 1262 private : 1705 / device : 1221 
    [00:00:07.931,945] <inf> mqtt_helper: innopia : ca_cert.pem file check ...
    [00:00:07.931,945] <inf> mqtt_helper: innopia : ca_certificate.pem PASS || return = 0
    [00:00:07.931,976] <inf> mqtt_helper: innopia : private_key.pem file check ...
    [00:00:07.931,976] <inf> mqtt_helper: innopia : private_key.pem PASS || return = 0
    [00:00:07.932,006] <inf> mqtt_helper: innopia : device_certificate.pem file check ...
    [00:00:07.932,006] <inf> mqtt_helper: innopia : device_certificate.pem PASS || return = 0
    [00:00:07.932,006] <inf> mqtt_helper: innopia : tls_credential_add 1 successfully added.
    [00:00:07.932,037] <inf> mqtt_helper: innopia : certificates_provision() OUT
    [00:00:07.932,037] <inf> mqtt_helper: innopia : =============================
    [00:00:07.991,760] <err> mqtt_helper: mqtt_connect, error: -2
    [00:00:07.991,760] <inf> mqtt_helper: innopia : mqtt_connect, error: -2
    [00:00:07.991,790] <err> azure_iot_hub: mqtt_helper_connect failed, error: -2
    [00:00:07.991,790] <inf> azure_iot_hub: mqtt_helper_connect() error
    [00:00:07.991,821] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_CONNECTING --> STATE_DISCONNECTED
    [00:00:07.991,851] <err> azure_iot_hub_sample: azure_iot_hub_connect failed: -2
    [00:00:07.991,851] <inf> azure_iot_hub_sample: azure_iot_hub_connect failed: -2

    If you enter the Baltimore CyberTrust Root Certificate in ca-cert.pem and build it, the above error (-2) occurs.

    ...
    
    CONFIG_MQTT_HELPER_SEC_TAG=10
    CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11
    
    ...

    However, we confirmed that it worked normally if we added DigiCert Global Root G2 to ca-cert-2.pem and proceeded.

    According to what you said, the Baltimore certificate is still not expired, so I'm curious why this is happening.

    If you try to build and flash without MQTT_HELPER_SECONDARY_SEC_TAG=11 in the config value,
    an error (-113 Software caused connection abort) occurs.

    I think it is mandatory to include the G2 certificate, is that correct? Please confirm.

    I am curious as to why this is happening. I think it would be better to guide with G2 CA.
    Thank you for your quick reply, and we look forward to your continued interest and replies!
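The thread's open question is which root CA is actually in the sample's certs folder and whether it is valid. The following is an added example, not code from the thread or from the Nordic SDK: it loads a PEM bundle such as certs/ca-cert.pem or ca-cert-2.pem with Python's standard ssl module, lists each CA's subject CN and expiry, and flags a bundle that holds only the Baltimore root without DigiCert Global Root G2 (the root Azure IoT Hub endpoints migrated to). The file names and the two CN strings are assumptions taken from the thread.

```python
import ssl
import time

# Subject CNs discussed in the thread (the values as ssl.get_ca_certs() prints them).
BALTIMORE_CN = "Baltimore CyberTrust Root"
DIGICERT_G2_CN = "DigiCert Global Root G2"


def load_ca_bundle(pem_text):
    """Parse a PEM bundle (e.g. certs/ca-cert.pem) and return its CA certificates
    as the dicts ssl.SSLContext.get_ca_certs() produces (subject, notAfter, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem_text)
    return ctx.get_ca_certs()


def common_name(cert):
    """Extract the subject CN from a get_ca_certs() dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def assess_bundle(certs, now=None):
    """Report days left per root and whether the bundle is usable for Azure IoT Hub.
    ok is False when no root is currently valid, the bundle is empty, or the
    Baltimore root is present without DigiCert Global Root G2."""
    now = time.time() if now is None else now
    report = {"days_left": {}, "warnings": []}
    for cert in certs:
        expires = ssl.cert_time_to_seconds(cert["notAfter"])  # "May 12 23:59:00 2025 GMT"
        report["days_left"][common_name(cert)] = int((expires - now) // 86400)
    valid_now = any(d >= 0 for d in report["days_left"].values())
    report["needs_g2"] = BALTIMORE_CN in report["days_left"] and DIGICERT_G2_CN not in report["days_left"]
    if not certs:
        report["warnings"].append("no CA certificate found in bundle")
    if not valid_now and certs:
        report["warnings"].append("every root in the bundle has expired")
    if report["needs_g2"]:
        report["warnings"].append("only the Baltimore root is present; Azure IoT Hub chains to "
                                  "DigiCert Global Root G2, so provision it too (secondary sec tag)")
    report["ok"] = valid_now and not report["needs_g2"]
    return report


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["certs/ca-cert.pem", "certs/ca-cert-2.pem"]:  # assumed sample paths
        with open(path) as f:
            r = assess_bundle(load_ca_bundle(f.read()))
        print(f"== {path}: {'OK' if r['ok'] else 'PROBLEM'}", r["days_left"], r["warnings"])
```

Run it against the bundles under a sample's certs folder; a -2 on connect with only one root present is exactly the case the warning describes.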
