API registration of certificates for Azure IoT Hub / DPS

I am trying to connect a custom device to the Azure IoT Hub using the DPS service. Because I am using a custom board I am trying to write certificates to the modem using API calls to the modem_key_mgmt functions. These functions take a tag and a credential type.

But I am trying to get my head around the different certificates in use, and what tags and credential types I should use when writing the certificates.

I have registered Baltimore and DigiCert root CA certificates using the tag CONFIG_MQTT_HELPER_SEC_TAG and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG and both of them with credential type set to MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT.

For the device certificate I am not really sure what the tag should be, so I just set it to 12 for both types.

Then the private certificate is registered with type MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT.

But what about the public part? Should it be MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT?

Is the above at all correct? I am wondering about the tag field, since I find no description except a reserved tag for nRF Cloud. Is it used somewhere in the Nordic libraries for Azure, and does it have to have a specific value?

I am getting mqtt_helper, mqtt_connect, error: -111 when trying to connect.

  • Hi Thomas,

    Thanks for checking with us. The error is also reported in the following case. Have you read through it before to find some hint?

    Sample Azure IoT Hub (Thingy9.1) - Nordic Q&A - Nordic DevZone (nordicsemi.com)

    Best regards,

    Charlie

  • Hi Charlie

    I have not tested different things to see if I can find a solution....

    I have gone through the Microsoft tutorial on creating and uploading certificates from the beginning again. This was to test that I did not have a problem with the certificates. I have created a new internal root CA, subordinate and device certificates.

    From this I have:

    • Internal root CA
    • Subordinate certificate used for creating device certificates
    • Device certificate(s)
    • Device private key(s)

    I also have two other public certificates, for the old and the new IoT Hub:

    • Baltimore
    • DigiCert

    There are a number of different ways I can register these certificates in the device... Is it possible that someone can describe this process from within the application?

    I think the only certificates needed in the device are:

    • Device certificate(s)
    • Device private key(s)
    • Baltimore
    • DigiCert

    So I'm doing:

    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, digicert, sizeof(digicert));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, baltimore, sizeof(baltimore));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, devicecertpriv, sizeof(devicecertpriv));
  • I got it connected using Cellular Monitor and fixed one mistake of my own. My thumbprint was from the subordinate certificate. When creating a device directly like this, it is the thumbprint of the device certificate.

    These are the 3 certificate types used when writing from Cellular Monitor:

    MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN
    MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT
    MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT

    Moving on to test on my own hub; if this succeeds I will test with DPS.

    I have verified that I can connect to my own hub if I replace the DigiCert root CA with the Baltimore one.

  • Another huge problem. I need two root CAs in the device.

    I need both Baltimore and Digicert to exist in my device......

    My hub is currently running with Baltimore, so to connect now I need Baltimore, and at an unknown time it will change to DigiCert. If I do not have both certificates in the device I will lose the connection.

    The current 3 certificates are downloaded with key 10.

    Should I just add 3 certificates with key 11 as well, replacing the Baltimore CA with DigiCert?

  • Thomas said:
    I wanted to validate what types are used in the 3 windows of Cellular Monitor...

    The Certificate Manager windows correspond to the following three types. The NCS\v2.5.0\nrf\samples\cellular\http_update sample demonstrates how to properly write certificates in firmware.
    MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN
    MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT
    MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT
    This is not suggested since it will occupy a lot of memory and is also not secure.
    Thomas said:
    My hub is currently running with Baltimore so to connect now I need Baltimore and at an unknown time it will change to Digicert. If I do not have both certificates in the device I will loose connection.

    Couldn't the two sets of keys stored in different secure tags solve your problem?

    My first test showed when Baltimore in CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.

    Best regards,

    Charlie

  • How do I control which security tag is used? I have not found a way to do this.

  • It seems that as soon as I register two root CAs:

    DigiCert in tag CONFIG_MQTT_HELPER_SEC_TAG

    Baltimore in tag CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG

    I cannot connect to any IoT hub anymore...

    I am testing against two different IoT hubs, one running with DigiCert and one running with Baltimore. It worked as expected as long as I only registered one CA on CONFIG_MQTT_HELPER_SEC_TAG.

    I am validating this...

    • Right. It seems that saving the certificates using modem_key_mgmt_exists causes the problem.

      I am back on my test hub using only the DigiCert certificate. Programming only 3 certificates: the CA, public and private.

      If the 3 certificates are programmed using Cellular Monitor it works.

      If the same 3 certificates are programmed using the API, it does not work...

      Could it be the format (newlines...):

      const char * const devicecert =
      "-----BEGIN CLIENT CERTIFICATE-----\n"
      "MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n"
      "MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n"
      "MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n"
      "b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n"
      "MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n"
      "hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n"
      "yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n"
      "BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n"
      "dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n"
      "SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n"
      "ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n"
      "HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n"
      "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n"
      "dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n"
      "JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n"
      "NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n"
      "H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n"
      "VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n"
      "mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n"
      "FBlZXfHT\n"
      "-----END CLIENT CERTIFICATE-----\n";
    • When programming through the API I get the following output from AT%CMNG=1:

      %CMNG: 10,0,"5D550643B6400D4341550A9B14AEDD0B4FAC33AE5DEB7D8247B6B4F799C13306"
      %CMNG: 10,1,"D4862B18AC6273370888FB97E9226BBC0C52DA7E31E36204C9AD628154150A61"
      %CMNG: 10,2,"D35A573739C923DA63AB595741891BD7D511A0EE4D94070DC2E3A9600E61DCD8"

      When using Cellular Monitor to program the same certificates I get this:

      %CMNG: 10,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
      %CMNG: 10,1,"5E66996270A307E66456B3308AC57846491512A7C6BE9ABA56A0BE2067BB386B"
      %CMNG: 10,2,"D93C4F4E4092F5F2BB85240D2E015C5138A142047CE798FBEFC45D5EC2C4272A"

      Seems the programming is going wrong in some way...

      I cannot see that I'm using the API in a wrong way. This is how I program the device certificate:

      static const char devicecert[] =
      "-----BEGIN CLIENT CERTIFICATE-----\n"
      "MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n"
      "MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n"
      "MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n"
      "b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n"
      "MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n"
      "hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n"
      "yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n"
      "BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n"
      "dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n"
      "SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n"
      "ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n"
      "HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n"
      "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n"
      "dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n"
      "JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n"
      "NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n"
      "H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n"
      "VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n"
      "mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n"
      "FBlZXfHT\n"
      "-----END CLIENT CERTIFICATE-----\n";
      modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert) - 1);

      I know the modem cannot be online, so I am programming in the following hook:
      static void on_modem_lib_init(int ret, void *ctx)
      {
          LOG_INF("Modem initialized");
          UpdateCertificates();
      }

      NRF_MODEM_LIB_ON_INIT(lwm2m_init_hook, on_modem_lib_init, NULL);

      What can be wrong?
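As an added example (not code from this thread, from Thomas, or from the nRF Connect SDK), the following host-side pre-flight check inspects a PEM credential before it would be handed to modem_key_mgmt_write(). It covers the things the last two posts circle around: the length argument must be the text length (sizeof(array) is one byte too long because of the trailing NUL, and sizeof of a `const char *` is the pointer size, not the credential), there must be no CR characters left over from CRLF line endings, the body must be base64, and the BEGIN and END labels must match. It also checks that the label is one of the standard RFC 7468 labels ("CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"); that list and the assumption that the modem expects standard labels are mine, and the thread does not establish whether the modem accepts the "CLIENT CERTIFICATE" label used above, so a bad-label result is something to test on the device rather than a confirmed cause. The three sample PEM strings are constructed for the example and are not real certificates.

```c
/* Added example (not from the thread or the nRF Connect SDK): host-side
 * pre-flight check of a PEM credential before modem_key_mgmt_write().
 * Assumptions, not verified against the modem firmware: one RFC 7468 PEM
 * block, LF line endings, a label from allowed_labels[], and a length
 * argument equal to strlen(pem). Standard C only, so it runs on a PC. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pem_check {
    PEM_OK = 0,
    PEM_ERR_LENGTH,         /* len != strlen(pem): sizeof(array) or sizeof(ptr) */
    PEM_ERR_NO_BEGIN,       /* no "-----BEGIN <label>-----" header */
    PEM_ERR_BAD_LABEL,      /* label not in allowed_labels[] */
    PEM_ERR_CR,             /* '\r' present: CRLF line endings */
    PEM_ERR_NO_END,         /* no "-----END ..." footer */
    PEM_ERR_LABEL_MISMATCH, /* footer label differs from header label */
    PEM_ERR_BAD_CHAR        /* non-base64 byte in the body */
};

/* Labels assumed acceptable (assumption); "CLIENT CERTIFICATE" is absent. */
static const char *const allowed_labels[] = {
    "CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"
};

enum pem_check pem_check_credential(const char *pem, size_t len)
{
    static const char begin[] = "-----BEGIN ";
    static const char end[] = "-----END ";
    const char *ls, *le, *body, *footer, *p;
    char label[32];
    size_t label_len, i;
    int known = 0;

    /* sizeof(array) is strlen + 1 (trailing NUL); sizeof(const char *) is
     * the pointer size. Either one feeds the wrong byte count to the modem. */
    if (pem == NULL || len != strlen(pem)) return PEM_ERR_LENGTH;
    if (strncmp(pem, begin, strlen(begin)) != 0) return PEM_ERR_NO_BEGIN;
    ls = pem + strlen(begin);
    le = strstr(ls, "-----");
    if (le == NULL) return PEM_ERR_NO_BEGIN;
    label_len = (size_t)(le - ls);
    if (label_len == 0 || label_len >= sizeof(label)) return PEM_ERR_BAD_LABEL;
    memcpy(label, ls, label_len);
    label[label_len] = '\0';
    for (i = 0; i < sizeof(allowed_labels) / sizeof(allowed_labels[0]); i++)
        known |= (strcmp(label, allowed_labels[i]) == 0);
    if (!known) return PEM_ERR_BAD_LABEL;
    /* A certificate pasted from a Windows-edited file carries CRLF endings. */
    if (strchr(pem, '\r') != NULL) return PEM_ERR_CR;
    body = strchr(le, '\n');
    if (body == NULL || (footer = strstr(++body, end)) == NULL) return PEM_ERR_NO_END;
    if (strncmp(footer + strlen(end), label, label_len) != 0 ||
        strncmp(footer + strlen(end) + label_len, "-----", 5) != 0)
        return PEM_ERR_LABEL_MISMATCH;
    for (p = body; p < footer; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '+' && c != '/' && c != '=' && c != '\n')
            return PEM_ERR_BAD_CHAR;
    }
    return PEM_OK;
}

/* Constructed samples: the base64 bodies are filler, not real certificates. */
static const char good_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAAAAAAAAAAAAAAAAAAAAA=\n"
    "-----END CERTIFICATE-----\n";
static const char client_label_pem[] =
    "-----BEGIN CLIENT CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END CLIENT CERTIFICATE-----\n";
static const char crlf_pem[] =
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "-----END CERTIFICATE-----\r\n";

int main(void)
{
    /* strlen() (== sizeof(array) - 1) is the length the modem should get. */
    printf("good, strlen: %d\n", pem_check_credential(good_pem, strlen(good_pem)));
    printf("good, sizeof: %d\n", pem_check_credential(good_pem, sizeof(good_pem)));
    printf("CLIENT label: %d\n", pem_check_credential(client_label_pem, strlen(client_label_pem)));
    printf("CRLF endings: %d\n", pem_check_credential(crlf_pem, strlen(crlf_pem)));
    return 0;
}
```

Run this on the PC against the exact string literals that go into the firmware; a non-zero result names the first problem found, in the order the checks run (length, header, label, CR, footer, body). The checks only look at the text, so they cannot tell whether the certificate chains correctly to the hub's CA or whether the thumbprint registered in Azure matches; those remain device-side tests with AT%CMNG and the hub.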
    • I tested with the official sample NCS\v2.5.0\nrf\samples\cellular\http_update to write 7633.DigiCertGlobalRootG2.zip from DigiCertGlobalRootG2.crt.pem to secure tag 42. You can see it has the same hash as the one I wrote with Certificate Manager on secure tag 11 in the previous test. Can you refer to the cert_provision(void) function to see the difference from your certificate writing function?

      > AT+CFUN=4

      OK
      > AT%CMNG=

      ...
      %CMNG: 11,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
      ...
      %CMNG: 42,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
      ...

      Best regards,

      Charlie

    • OK, I will try to replicate this using the http_update sample. Yesterday I looked at the http_update sample and tried to move my certificate update code into main and just call nrf_modem_lib_init() before it, like in the sample. This did not solve the problem.

      It must be some project configuration, is my best guess.

      Would it be possible for you to test the same with the azure iot_hub sample? It should now be possible to test for the problem just by reading out the keys with the AT%CMNG= command.
