API registration of certification for Azure IoT Hub / DPS

I am trying to connect a custom device to the Azure IoT Hub using the DPS service. Because I am using a custom board I am trying to write certificates to the modem using API calls to the modem_key_mgmt functions. These functions take a tag and a credential type.

But I am trying to get my head around the different certificates in use, and what tags and credential types I should use when writing the certificates.

I have registered Baltimore and DigiCert root CA certificates using the tag CONFIG_MQTT_HELPER_SEC_TAG and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG and both of them with credential type set to MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT.

For the device certificate I am not really sure what the tag should be, so just set it to 12 for both types.

Then the private certificate is registered with type MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT.

But what about the public part? Should it be MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT?

Is the above at all correct? I am wondering about the tag field since I find no description except a reserved tag for nRFCloud. Is it used somewhere in the Nordic libraries for Azure and does it have to have a specific value?

I am getting mqtt_helper, mqtt_connect, error: -111 when trying to connect.

  • Hi Thomas,

    Thanks for checking with us. The error is also reported in the following case. Have you read through it before to find some hint?

    Sample Azure IoT Hub (Thingy9.1) - Nordic Q&A - Nordic DevZone (nordicsemi.com)

    Best regards,

    Charlie

  • Hi Charlie

    I have not tested different things to see if I can find a solution....

    I have gone through the Microsoft tutorial on creating and uploading certificates from the beginning again. This was to test that I did not have a problem with the certificates. I have created new internal root CA, subordinate and device certificates.

    From this I have

    • Internal root CA
    • Subordinate certificate used for creating device certificates
    • Device certificate(s)
    • Device private key(s)

    I also have two other public certificates, for the old and new IoT Hub:

    • Baltimore
    • DigiCert

    There are a number of different ways I can register these certificates in the device.... Is it possible that someone can describe this process from within the application?

    I think the only certificates needed in the device are:

    • Device certificate(s)
    • Device private key(s)
    • Baltimore
    • DigiCert

    So I'm doing:

    /* CA certificates under the primary and secondary sec tags */
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, digicert, sizeof(digicert));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, baltimore, sizeof(baltimore));
    /* Device certificate and private key under the primary sec tag */
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert));
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, devicecertpriv, sizeof(devicecertpriv));
  • My first test showed that when Baltimore in CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to DigiCert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.

    I cannot validate this. It seems this is not correct.

    Hang on.... maybe wrong conclusion....

    I moved from programming certificates using Cellular Monitor to programming certificates using modem_key_mgmt_write. This might be the problem....

  • Right. It seems that saving the certificates using modem_key_mgmt_exists causes the problem.

    I am back on my test hub using only DigiCert certificate. Programming only 3 certificates, the CA, public and private.

    If the 3 certificates are programmed using Cellular Monitor it works.

    If the same 3 certificates are programmed using the API, it does not work...

    Could it be the format (newlines...):

    const char * const devicecert =
    "-----BEGIN CLIENT CERTIFICATE-----\n"
    "MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n"
    "MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n"
    "MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n"
    "b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n"
    "MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n"
    "hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n"
    "yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n"
    "BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n"
    "dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n"
    "SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n"
    "ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n"
    "HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n"
    "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n"
    "dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n"
    "JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n"
    "NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n"
    "H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n"
    "VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n"
    "mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n"
    "FBlZXfHT\n"
    "-----END CLIENT CERTIFICATE-----\n";
  • When programming through the API I get the following output from AT%CMNG=1

    %CMNG: 10,0,"5D550643B6400D4341550A9B14AEDD0B4FAC33AE5DEB7D8247B6B4F799C13306"
    %CMNG: 10,1,"D4862B18AC6273370888FB97E9226BBC0C52DA7E31E36204C9AD628154150A61"
    %CMNG: 10,2,"D35A573739C923DA63AB595741891BD7D511A0EE4D94070DC2E3A9600E61DCD8"

    When using Cellular monitor to program the same certificates I get this:

    %CMNG: 10,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
    %CMNG: 10,1,"5E66996270A307E66456B3308AC57846491512A7C6BE9ABA56A0BE2067BB386B"
    %CMNG: 10,2,"D93C4F4E4092F5F2BB85240D2E015C5138A142047CE798FBEFC45D5EC2C4272A"

    Seems the programming is going wrong in some way....

    Cannot see that I'm using the API in a wrong way. This is how I program the device certificate:

    static const char devicecert[] =
    "-----BEGIN CLIENT CERTIFICATE-----\n"
    "MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n"
    "MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n"
    "MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n"
    "b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n"
    "MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n"
    "hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n"
    "yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n"
    "BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n"
    "dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n"
    "SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n"
    "ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n"
    "HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n"
    "BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n"
    "dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n"
    "JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n"
    "NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n"
    "H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n"
    "VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n"
    "mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n"
    "FBlZXfHT\n"
    "-----END CLIENT CERTIFICATE-----\n";
    modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert) - 1);
    I know the modem cannot be online so I am programming in the following hook:
    static void on_modem_lib_init(int ret, void *ctx)
    {
        LOG_INF("Modem initialized");
        UpdateCertificates();
    }

    NRF_MODEM_LIB_ON_INIT(lwm2m_init_hook, on_modem_lib_init, NULL);
    What can be wrong?
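An added host-side check for the two points raised above, the PEM format (newlines) and the length passed to modem_key_mgmt_write; this is example code written for this thread, not code from the poster or from Nordic's libraries. It validates a single PEM block (LF line endings, trailing newline, a standard RFC 7468 label, base64 that decodes to an ASN.1 SEQUENCE) and renders it as the adjacent-string-literal array used in the listing, whose sizeof(...) - 1 is the byte count to pass. The sample PEM is constructed and is not a real certificate; treating a non-standard label such as "CLIENT CERTIFICATE" as a problem is an assumption about the modem's PEM parser.

```python
import base64
import re
# RFC 7468 labels plus legacy OpenSSL key labels; flagging any other label
# assumes the modem's PEM parser is not lenient about the label text.
STANDARD_LABELS = {"CERTIFICATE", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
                   "PUBLIC KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_RE = re.compile(r"\A-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n"
                    r"(?P<body>(?:[A-Za-z0-9+/=]+\n)+)-----END (?P=label)-----\n\Z")

def check_pem(text):
    """Return a list of problems with one PEM block; an empty list means OK."""
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings; use LF-only lines")
        text = text.replace("\r\n", "\n")
    if not text.endswith("\n"):
        problems.append("missing newline after the END line")
        text += "\n"
    m = PEM_RE.match(text)
    if not m:
        return problems + ["not a single well-formed PEM block"]
    if m["label"] not in STANDARD_LABELS:
        problems.append(f"non-standard PEM label {m['label']!r}")
    try:
        der = base64.b64decode(m["body"].replace("\n", ""), validate=True)
    except ValueError:
        return problems + ["body is not valid base64"]
    if der[:1] != b"\x30":  # X.509 certs and PKCS#8 keys are ASN.1 SEQUENCEs
        problems.append("decoded body does not start with an ASN.1 SEQUENCE")
    return problems

def to_c_literal(name, pem):
    """Render PEM as the adjacent-string-literal char array used in the thread."""
    lines = pem.replace("\r\n", "\n").rstrip("\n").split("\n")
    body = "\n".join(f'\t"{line}\\n"' for line in lines)
    return f"static const char {name}[] =\n{body};\n"

def payload_len(pem):
    """Bytes to pass as len to modem_key_mgmt_write: equals sizeof(name) - 1."""
    return len(pem.replace("\r\n", "\n").encode())

# Constructed sample: a minimal DER SEQUENCE (30 03 02 01 00), not a real cert.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
ODD_LABEL_PEM = GOOD_PEM.replace("CERTIFICATE", "CLIENT CERTIFICATE")
CRLF_PEM = GOOD_PEM.replace("\n", "\r\n")

if __name__ == "__main__":
    for tag, pem in (("good", GOOD_PEM), ("odd_label", ODD_LABEL_PEM), ("crlf", CRLF_PEM)):
        print(tag, check_pem(pem) or "OK", payload_len(pem))
    print(to_c_literal("devicecert", GOOD_PEM))
```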
  • I tested with the official sample NCS\v2.5.0\nrf\samples\cellular\http_update sample to write 7633.DigiCertGlobalRootG2.zip from DigiCertGlobalRootG2.crt.pem to secure tag 42. You can see they have the same hash compared with the one I wrote with Certificate Manager on secure tag 11 on the previous test. Can you refer to the cert_provision(void) function to see the difference with your certificate writing function?

    > AT+CFUN=4

    OK
    > AT%CMNG=

    ...
    %CMNG: 11,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
    ...
    %CMNG: 42,0,"0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C"
    ...

    Best regards,

    Charlie

  • OK, I will try to replicate this using the http_sample. Yesterday I looked at the http_update sample and tried to move my certificate update code into main and just call the nrf_modem_lib_init() before like in the sample. This did not solve the problem.

    It must be some project configuration, is my best guess.

    Would it be possible that you test the same with the azure iot_hub sample? It should now be possible to test for the problem just by reading out the keys with the AT%CMNG= command.
