API registration of certification for Azure IoT Hub / DPS

I am trying to connect a custom device to the Azure IoT Hub using the DPS service. Because I am using a custom board, I am trying to write certificates to the modem using API calls to the modem_key_mgmt functions. These functions take a tag and a credential type.

But I am trying to get my head around the different certificates in use, and what tags and credential types I should use when writing the certificates.

I have registered the Baltimore and DigiCert root CA certificates using the tags CONFIG_MQTT_HELPER_SEC_TAG and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG, both with credential type set to MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT.

For the device certificate I am not really sure what the tag should be, so I just set it to 12 for both types.

Then the private certificate is registered with type MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT.

But what about the public part? Should it be MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT?

Is the above at all correct? I am wondering about the tag field since I find no description except a reserved tag for nRF Cloud. Is it used somewhere in the Nordic libraries for Azure and does it have to have a specific value?

I am getting mqtt_helper, mqtt_connect, error: -111 when trying to connect.

  • Hi Thomas,

    Thanks for checking with us. The error is also reported in the following case. Have you read through it before to find some hint?

    Sample Azure IoT Hub (Thingy9.1) - Nordic Q&A - Nordic DevZone (nordicsemi.com)

    Best regards,

    Charlie

  • Hi Charlie

    I have now tested different things to see if I can find a solution....

    I have gone through the Microsoft tutorial on creating and uploading certificates from the beginning again. This was to test that I did not have a problem with the certificates. I have created a new internal root CA, subordinate and device certificates.

    From this I have

    • Internal root CA
    • Subordinate certificate used for creating device certificates
    • Device certificate(s)
    • Device private key(s)

    I also have the two other public certificates, for the old and the new IoT Hub:

    • Baltimore
    • DigiCert

    There are a number of different ways I can register these certificates in the device.... Is it possible that someone can describe this process from within the application?

    I think the only certificates needed in the device are

    • Device certificate(s)
    • Device private key(s)
    • Baltimore
    • DigiCert

    So I'm doing:

    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, digicert, sizeof(digicert));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, baltimore, sizeof(baltimore));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, devicecertpriv, sizeof(devicecertpriv));
  • If just using IoT Hub, how do you add the device, especially the authentication?

  • Thomas said:
    When uploading a certificate to the Azure IoT Hub certificates list, are you using the PEM file with only the generated subordinate certificate or a manually combined file with the certificate section for both the subordinate and the self-signed root CA?

    I uploaded the PEM file with only the generated subordinate certificate.

    Thomas said:
    When adding your test device do you set authentication to "X.509 Self-Signed" or "X.509 CA Signed"?

    It uses X.509 Self-Signed. I input the secondary thumbprint the same as the first.

    Best regards,

    Charlie

  • I got it connected using Cellular Monitor and fixed one mistake of mine. My thumbprint was from the subordinate certificate. When creating a device directly like this, it is the thumbprint of the device certificate.

    These are the 3 certificates used when writing from Cellular Monitor.

    MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN
    MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT
    MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT
    Moving on to test on my own hub; if this succeeds I will test with DPS.
    I have verified that I can connect to my own hub if I replace the Digicert root CA with the Baltimore one.
     
  • Another huge problem. I need two root CA in the device.

    I need both Baltimore and Digicert to exist in my device......

    My hub is currently running with Baltimore, so to connect now I need Baltimore, and at an unknown time it will change to DigiCert. If I do not have both certificates in the device I will lose the connection.

    The current 3 certificates are downloaded with key 10.

    Should I just add 3 certificates with key 11 as well, replacing the Baltimore CA with DigiCert?

  • Thomas said:
    I wanted to validate what types are used in the 3 windows of Cellular Monitor...
    The Certificate Manager windows correspond to the following three types. The NCS\v2.5.0\nrf\samples\cellular\http_update sample demonstrates how to properly write certificates in firmware.
    MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN
    MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT
    MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT
    This is not suggested since it will occupy a lot of memory and is also not secure.
    Thomas said:
    My hub is currently running with Baltimore, so to connect now I need Baltimore, and at an unknown time it will change to DigiCert. If I do not have both certificates in the device I will lose the connection.

    Couldn't the two sets of keys stored in different secure tags solve your problem?

    My first test showed when Baltimore in CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.

    Best regards,

    Charlie

  • How do I control which security tag is used. I have not found a way to do this?

  • It seems that as soon as I register two root CA.

    DigiCert in tag CONFIG_MQTT_HELPER_SEC_TAG

    Baltimore in tag CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG 

    I cannot connect to any IoT hub anymore.....

    I am testing against two different IoT hubs, one running with DigiCert and one running with Baltimore. Function was as expected as long as I only registered one CA on the CONFIG_MQTT_HELPER_SEC_TAG.

    I am validating this...

  • My first test showed when Baltimore in CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.

    I cannot validate this. It seems this is not correct.

    Hang on.... maybe wrong conclusion....

    I moved from programming certificates using Cellular Monitor to programming certificates using modem_key_mgmt_write. This might be the problem....

  • Right. It seems that saving the certificates using modem_key_mgmt_exists causes the problem.

    I am back on my test hub using only DigiCert certificate. Programming only 3 certificates, the CA, public and private.

    If the 3 certificates are programmed using Cellular Monitor it works.

    If the same 3 certificates are programmed using the API, it does not work...

    Could it be the format (newlines...):

    const char * const devicecert =
    "-----BEGIN CLIENT CERTIFICATE-----\n"
    "MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n"
    "MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n"
    "MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n"
    "b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n"
    "MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n"
    "hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n"
    "yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n"
    "BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n"
    "dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n"
    "SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n"
    "ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n"
    "HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n"
    "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n"
    "dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n"
    "JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n"
    "NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n"
    "H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n"
    "VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n"
    "mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n"
    "FBlZXfHT\n"
    "-----END CLIENT CERTIFICATE-----\n";
  • When programming through the API I get the following output from AT%CMNG=1

    %CMNG: 10,0,"5D550643B6400D4341550A9B14AEDD0B4FAC33AE5DEB7D8247B6B4F799C13306"
    %CMNG: 10,1,"D4862B18AC6273370888FB97E9226BBC0C52DA7E31E36204C9AD628154150A61"
    %CMNG: 10,2,"D35A573739C923DA63AB595741891BD7D511A0EE4D94070DC2E3A9600E61DCD8"

    When using Cellular monitor to program the same certificates I get this:

    %CMNG: 10,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
    %CMNG: 10,1,"5E66996270A307E66456B3308AC57846491512A7C6BE9ABA56A0BE2067BB386B"
    %CMNG: 10,2,"D93C4F4E4092F5F2BB85240D2E015C5138A142047CE798FBEFC45D5EC2C4272A"

    Seems the programming is going wrong in some way....

    Cannot see that I'm using the API in a wrong way. This is how I program the device certificate:

    static const char devicecert[] =
    "-----BEGIN CLIENT CERTIFICATE-----\n"
    "MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n"
    "MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n"
    "MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n"
    "b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n"
    "MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n"
    "hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n"
    "yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n"
    "BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n"
    "dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n"
    "SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n"
    "ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n"
    "HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n"
    "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n"
    "dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n"
    "JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n"
    "NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n"
    "H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n"
    "VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n"
    "mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n"
    "FBlZXfHT\n"
    "-----END CLIENT CERTIFICATE-----\n";
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert) - 1);
    I know the modem cannot be online so I am programming in the following hook:
    static void on_modem_lib_init(int ret, void *ctx)
    {
        LOG_INF("Modem initialized");
        UpdateCertificates();
    }

    NRF_MODEM_LIB_ON_INIT(lwm2m_init_hook, on_modem_lib_init, NULL);
    What can be wrong?