https://devzone.nordicsemi.com/f/nordic-q-a/106640/api-registration-of-certification-for-azure-iot-hub-dpsI am trying to connect a custom device to the Azure IoT Hub using DPS service. Because I am using a custom board I am trying to write certificates to the modem using api calls to the modem_key_mgmg functions. Theses functions have a tag and a credentialen-USTelligent Community 13Thu, 21 Dec 2023 12:18:31 GMThttps://devzone.nordicsemi.com/thread/461433?ContentTypeID=1Thu, 21 Dec 2023 12:18:31 GMT137ad170-7792-4731-bb38-c0d22fbe4515:10f15b8a-eab0-458d-b89b-aa53b82ab241Thomas<p><span style="font-size:inherit;">OK, I will try to replicate this using the http_sample. Yesterday I looked at the http_update sample and tried to move my certificate update code into main and just call the nrf_modem_lib_init()&nbsp;before like in the sample. This did not solve the problem.</span></p> <p><span style="font-size:inherit;">It must be some project configuration is my best quess.</span></p> <p><span style="font-size:inherit;">Would it be possible that you&nbsp; test the same with the azure iot_hub sample. It should now be possible to test for the problem just by reading out the keys witht the AT%CMNG= command.&nbsp;</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461398?ContentTypeID=1Thu, 21 Dec 2023 09:51:36 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1fefc431-41e2-49c4-bb3f-bd43a48e5252Charlie<p>I tested with the official sample&nbsp;<span>NCS\v2.5.0\nrf\samples\cellular\http_update sample to write&nbsp;<a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/7633.DigiCertGlobalRootG2.zip">devzone.nordicsemi.com/.../7633.DigiCertGlobalRootG2.zip</a>&nbsp;from DigiCertGlobalRootG2.crt.pem to secure tag 42. You can see they have the same hash compared with the one I wrote with Certificate Manager on secure tag 11 on the previous test. Can you refer to&nbsp;</span></p> <div> <div><span>cert_provision</span><span>(</span><span>void</span><span>) function to see the difference with your certificate writing function.</span></div> </div> <p>&gt; AT+CFUN=4</p> <p>OK<br />&gt; AT%CMNG=</p> <p>...<br /><strong>%CMNG: 11,0,&quot;0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C&quot;</strong><br />...<br /><strong>%CMNG: 42,0,&quot;0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C&quot;</strong><br />...</p> <p>Best regards,</p> <p>Charlie</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461304?ContentTypeID=1Wed, 20 Dec 2023 14:36:32 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b19c83da-058c-4d2f-87d1-bddd3f830856Thomas<p>When programming through the API i get the following output from AT%CMNG=1</p> <p><span style="font-size:75%;">%CMNG: 10,0,&quot;5D550643B6400D4341550A9B14AEDD0B4FAC33AE5DEB7D8247B6B4F799C13306&quot;</span><br /><span style="font-size:75%;">%CMNG: 10,1,&quot;D4862B18AC6273370888FB97E9226BBC0C52DA7E31E36204C9AD628154150A61&quot;</span><br /><span style="font-size:75%;">%CMNG: 10,2,&quot;D35A573739C923DA63AB595741891BD7D511A0EE4D94070DC2E3A9600E61DCD8&quot;</span></p> <p>When using Cellular monitor to program the same certificates I get this:</p> <p><span style="font-size:75%;">%CMNG: 10,0,&quot;0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C&quot;</span><br /><span style="font-size:75%;">%CMNG: 10,1,&quot;5E66996270A307E66456B3308AC57846491512A7C6BE9ABA56A0BE2067BB386B&quot;</span><br /><span style="font-size:75%;">%CMNG: 10,2,&quot;D93C4F4E4092F5F2BB85240D2E015C5138A142047CE798FBEFC45D5EC2C4272A&quot;</span></p> <p><span style="font-size:inherit;">Seems the programming is going wrong i some way....</span></p> <p><span style="font-size:inherit;">Cannot see that I&#39;m using the API in a wrong way. This is how I program the device certificate:</span></p> <div> <div><span style="font-size:75%;">static const char devicecert[] = </span></div> <div><span style="font-size:75%;">&quot;-----BEGIN CLIENT CERTIFICATE-----\n&quot;</span></div> <div><span style="font-size:75%;">&quot;MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n&quot;</span></div> <div><span style="font-size:75%;">&quot;MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n&quot;</span></div> <div><span style="font-size:75%;">&quot;MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n&quot;</span></div> <div><span style="font-size:75%;">&quot;b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n&quot;</span></div> <div><span style="font-size:75%;">&quot;MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n&quot;</span></div> <div><span style="font-size:75%;">&quot;hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n&quot;</span></div> <div><span style="font-size:75%;">&quot;yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n&quot;</span></div> <div><span style="font-size:75%;">&quot;BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n&quot;</span></div> <div><span style="font-size:75%;">&quot;dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n&quot;</span></div> <div><span style="font-size:75%;">&quot;SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n&quot;</span></div> <div><span style="font-size:75%;">&quot;ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n&quot;</span></div> <div><span style="font-size:75%;">&quot;HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n&quot;</span></div> <div><span style="font-size:75%;">&quot;BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n&quot;</span></div> <div><span style="font-size:75%;">&quot;dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n&quot;</span></div> <div><span style="font-size:75%;">&quot;JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n&quot;</span></div> <div><span style="font-size:75%;">&quot;NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n&quot;</span></div> <div><span style="font-size:75%;">&quot;H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n&quot;</span></div> <div><span style="font-size:75%;">&quot;VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n&quot;</span></div> <div><span style="font-size:75%;">&quot;mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n&quot;</span></div> <div><span style="font-size:75%;">&quot;FBlZXfHT\n&quot;</span></div> <div><span style="font-size:75%;">&quot;-----END CLIENT CERTIFICATE-----\n&quot;;</span></div> <div><span></span></div> </div> <div> <div><span style="font-size:75%;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert)-1))</span></div> <div><span style="font-size:75%;"></span></div> <div><span style="font-size:inherit;">I know the modem cannot be online so I am programming in the following hook:</span></div> <div><span style="font-size:inherit;"></span></div> <div> <div> <div><span style="font-size:75%;">static void on_modem_lib_init(int ret, void *ctx)</span></div> <div><span style="font-size:75%;">{</span></div> <div><span style="font-size:75%;">&nbsp; &nbsp; LOG_INF(&quot;Modem initialized&quot;);</span></div> <div><span style="font-size:75%;">&nbsp; &nbsp; UpdateCertificates();</span></div> <div><span style="font-size:75%;">}</span></div> <br /> <div><span style="font-size:75%;">NRF_MODEM_LIB_ON_INIT(lwm2m_init_hook, on_modem_lib_init, NULL);</span></div> <div><span style="font-size:75%;"></span></div> <div><span style="font-size:inherit;">What can be wrong?</span></div> </div> </div> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461301?ContentTypeID=1Wed, 20 Dec 2023 14:21:05 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1877532c-c10a-4c79-b99c-80ac55ca6240Thomas<p>Right. It seems that saving the certificates using&nbsp;<strong>modem_key_mgmt_exists</strong> causes the problem.</p> <p>I am back on my test hub using only DigiCert certificate. Programming only 3 certificates, the CA, public and private.</p> <p>If the 3 certificates are programmed using Cellular Monitor it works.</p> <p>If the same 3 certificates are programmed using the API, it does not work...</p> <p>Could it be the format (newlines...):</p> <div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">const char * const devicecert = </span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;-----BEGIN CLIENT CERTIFICATE-----\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MIIDkjCCAnqgAwIBAgIQUV/Nblig8uTS5jYZbZQqxDANBgkqhkiG9w0BAQsFADAl\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MSMwIQYDVQQDDBpQcm9sb24gSW9UIEh1YiBTdWJvcmRpbmF0ZTAeFw0yMzEyMTgx\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MzI5MzhaFw0yNDEyMTcxMzI5MzhaMG4xCzAJBgNVBAYTAkRLMRMwEQYDVQQIDApD\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;b3BlbmhhZ2VuMSMwIQYDVQQKDBpQcm9sb24gQ29udHJvbCBTeXN0ZW1zIEFwUzEP\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MA0GA1UECwwGYm1zbmV0MRQwEgYDVQQDDAt0ZXN0ZGV2aWNlMjCCASIwDQYJKoZI\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;hvcNAQEBBQADggEPADCCAQoCggEBAKwuYEyMQkCC7e5RLuhyXUp2imLojrALGdM2\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;yx68nkDl3adAi9cueoxnKWSlyvPKjUuHIjVBK+TE7/lqY0C/n2Ek2qqcPef2eq91\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;BQTtGKb9FNsTRnO/uyIki2jVVDMK95ckJFJyceDkDbhNnGktchvBBrjygKSRdb0P\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;dlxvAsjPPXvodSo+indzB9yn6PXPlN7amjtnt1pD+DKyQbfQCrxTEUW5G7eVuOYL\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;SVGBORbmo1dztb4sVgWED2FBAFdgxcQKy9oKewn+jLJfjGnRVpgGftFCp1cjDDeE\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;ozxCJxN63JGdmKLDLT2BPZfulwNnRXEqZxhn5m5cDgg4BSTOnsUCAwEAAaN1MHMw\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;HwYDVR0jBBgwFoAUyZSi36zVoNyHwg0fL45JyfK3wdkwDAYDVR0TAQH/BAIwADAT\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;BgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFCMd\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;dDd/pqu+Y8B/ungcWTssi3JbMA0GCSqGSIb3DQEBCwUAA4IBAQDAcfeWeOIwO+et\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;JSiindHTMfSWAijZ3Ncc5FCR5npl3p41ctL7vsiyAqxdEN6pEsR9YAyfyPykBZjg\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;NITjwAuUhUv211R9WulzjVJPEJDOFbK1T6Z2Cr51hv/xJ2qZYETfBlWliCaHhXfJ\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;H2Novo+LkWpNEz7yDk1/yPF5PuhFJhQlYyyFf4oys610HL5ZM8YpmGGE+fpFOjIH\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;VtGq8yBTQwogqR9Ww7FwaGrVF1LQSb4ejyNhCaoQs5fmB/myBcPudwsuNdqqPZ5S\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;mJx+qeIS3+eQaEtoelnWZKxXkgDhPbsRYzoKB4x8WZH3bx7gK4LB6kJyQe9v+IFV\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;FBlZXfHT\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;-----END CLIENT CERTIFICATE-----\n&quot;;</span></div> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461295?ContentTypeID=1Wed, 20 Dec 2023 13:57:17 GMT137ad170-7792-4731-bb38-c0d22fbe4515:e4ec3f3e-ffc9-4c3e-8f1b-aac8f552b99cThomas[quote userid="93921" url="~/f/nordic-q-a/106640/api-registration-of-certification-for-azure-iot-hub-dps/461286"]My first test showed when&nbsp;Baltimore in&nbsp;CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to&nbsp;Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.[/quote] <p>I cannot validate this. It seems this is not correct.</p> <p>Hang on.... maybe wrong conclusion....</p> <p>I moved from programming certificates using&nbsp;Cellular Monitor to programming certificates using&nbsp;modem_key_mgmt_write. This might be the problem....</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461294?ContentTypeID=1Wed, 20 Dec 2023 13:45:25 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1a512c13-5848-4a5a-bb86-0999766dedc3Thomas<p>It seems that as soon as I register two root CA.</p> <p>DigiCert in tag&nbsp;<span>CONFIG_MQTT_HELPER_SEC_TAG</span></p> <p>Baltimore in tag&nbsp;<span>CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG&nbsp;</span></p> <p>I cannot connect to any IoT hub anymore.....</p> <p>I am testing agains two different IoT hubs, one running with DigiCert and one running with Baltimore. Function was as expected as long as I only registered one CA on the&nbsp;<span>CONFIG_MQTT_HELPER_SEC_TAG.</span></p> <p><span>I am validating this...</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461292?ContentTypeID=1Wed, 20 Dec 2023 13:43:01 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1a8cf0c5-0a65-4911-a464-99f5710df67fThomas<p>How do I control which&nbsp;security tag is used. I have&nbsp;not found a way to do this?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461286?ContentTypeID=1Wed, 20 Dec 2023 13:31:18 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f42cbf46-a0ad-42bd-b0ea-5327fc7d02f1Charlie<div>[quote user="tmaltesen"]I wanted to validate what types are used in the 3 windows of Cellular Monitor...[/quote]</div> <div><span>Certificate Manager windows correspond to the following tree types.&nbsp;NCS\v2.5.0\nrf\samples\cellular\http_update samples demonstrate how to properly write certificates in fw.</span></div> <div><span>MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN</span></div> <div><span>MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT</span></div> <div><span>MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT</span></div> <div><span>This is not suggested since it will occupy many memory sizes and is also not secure.</span></div> <div>[quote user="tmaltesen"]My hub is currently running with Baltimore so to connect now I need Baltimore and at an unknown time it will change to Digicert. If I do not have both certificates in the device I will loose connection.[/quote] <p><span>Couldn&#39;t the two sets of keys stored in different secure tags solve your problem?</span></p> <p><span>My first test showed when&nbsp;Baltimore in&nbsp;CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to&nbsp;Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.</span></p> <p><span>Best regards,</span></p> <p><span>Charlie</span></p> <p><span></span></p> <p><span></span></p> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461282?ContentTypeID=1Wed, 20 Dec 2023 13:07:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b281eeee-23a2-4dd4-a1e5-68661fe6f148Thomas<p>Another huge problem. I need two root CA in the device.</p> <p>I need both Baltimore and Digicert to exist in my device......</p> <p>My hub is currently running with Baltimore so to connect now I need Baltimore and at an unknown time it will change to Digicert. If I do not have both certificates in the device I will loose connection.</p> <p>The current 3 certificates are downloaded with key 10.</p> <p>Should I just add 3 certificates with key 11 also replacing the CA for Baltimore with Digicert</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461280?ContentTypeID=1Wed, 20 Dec 2023 13:05:43 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fe7af4c9-98b8-4c9d-ae98-a5120135719eThomas<p>I got it connected using Cellular Monitor and fixed on mistake by me. My thumprint was from the subordinate certificate. When creating a device directly like this, it is the thumprint of the device certificate.</p> <p>These are the 3 certificates used when writing from Cellular Monitor.</p> <p></p> <div> <div><span>MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN</span></div> <div><span></span><span>MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT</span></div> <div> <div><span>MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT</span></div> <div><span></span></div> <div><span>Moving to test on my own hub if this succeeds I will test with DPS.</span></div> </div> <div><span></span></div> <div><span>I have verified that I can connect to my own hub if I replace the Digicert root CA with the Baltimore one.</span></div> <div><span>&nbsp;</span></div> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461257?ContentTypeID=1Wed, 20 Dec 2023 10:38:50 GMT137ad170-7792-4731-bb38-c0d22fbe4515:08194135-0850-4d04-8d74-dfe1c2574ea0Charlie[quote user="tmaltesen"]When uploading a certificate to Azure IoT hub certificates list, are you using the PEM file with only the generated <span>s</span><span>ubordinate&nbsp;</span>certificate or a manually combined file with the certificate section for both <span>s</span><span>ubordinate&nbsp;</span>and slef-signed&nbsp;root CA?[/quote] <p>I uploaded the&nbsp;<span>PEM file with only the generated&nbsp;</span><span>s</span><span>ubordinate&nbsp;</span><span>certificate.</span></p> [quote user="tmaltesen"]When adding your testdevice do you set authentificate to &quot;X.509 Self-Signed&quot; or &quot;X.509 CA Signed&quot;?[/quote] <p>It uses&nbsp;X.509 Self-Signed. I input the secondary&nbsp;thump print same as the first.</p> <p><span>Best regards,</span></p> <p><span><span>Charlie</span></span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461241?ContentTypeID=1Wed, 20 Dec 2023 09:56:02 GMT137ad170-7792-4731-bb38-c0d22fbe4515:19528399-aace-4464-99f5-b55fb362caabThomas<p>If just using IoT hub, how do you add the device, especially authentification!</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461240?ContentTypeID=1Wed, 20 Dec 2023 09:53:12 GMT137ad170-7792-4731-bb38-c0d22fbe4515:904f9109-80f4-415f-8106-a1ef636feee6Charlie<p>Hi Thomas,</p> [quote user="tmaltesen"]Could you share the test certificates and the exact way you register them?[/quote] <p>I&nbsp;can share more details about how I register them.</p> <p>1. Follow&nbsp;<a href="https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certs?tabs=windows">Tutorial - Create and upload certificates for testing - Azure IoT Hub | Microsoft Learn</a>&nbsp;you will get the following keys.</p> <p><pre class="ui-code" data-mode="text">C:\NCS\AzureIoTCerts&gt;dir /s Volume in drive C has no label. Volume Serial Number is 7C9B-FC43 Directory of C:\NCS\AzureIoTCerts 18/12/2023 15:21 &lt;DIR&gt; . 18/12/2023 15:21 &lt;DIR&gt; .. 18/12/2023 15:18 &lt;DIR&gt; rootca 18/12/2023 16:08 &lt;DIR&gt; subca 0 File(s) 0 bytes Directory of C:\NCS\AzureIoTCerts\rootca 18/12/2023 15:18 &lt;DIR&gt; . 18/12/2023 15:18 &lt;DIR&gt; .. 18/12/2023 16:04 &lt;DIR&gt; certs 18/12/2023 16:04 &lt;DIR&gt; db 18/12/2023 15:10 &lt;DIR&gt; private 18/12/2023 15:16 2,099 rootca.conf 18/12/2023 15:18 4,135 rootca.crt 18/12/2023 15:16 1,022 rootca.csr 3 File(s) 7,256 bytes Directory of C:\NCS\AzureIoTCerts\rootca\certs 18/12/2023 16:04 &lt;DIR&gt; . 18/12/2023 16:04 &lt;DIR&gt; .. 18/12/2023 15:18 4,135 88A8F7A2E59F52BF8F8EA450CDBB125E.pem 18/12/2023 16:04 4,484 88A8F7A2E59F52BF8F8EA450CDBB1260.pem 2 File(s) 8,619 bytes Directory of C:\NCS\AzureIoTCerts\rootca\db 18/12/2023 16:04 &lt;DIR&gt; . 18/12/2023 16:04 &lt;DIR&gt; .. 18/12/2023 15:03 5 crlnumber 18/12/2023 16:04 231 index 18/12/2023 16:04 21 index.attr 18/12/2023 15:25 21 index.attr.old 18/12/2023 15:25 157 index.old 18/12/2023 16:04 34 serial 18/12/2023 15:25 34 serial.old 7 File(s) 503 bytes Directory of C:\NCS\AzureIoTCerts\rootca\private 18/12/2023 15:10 &lt;DIR&gt; . 18/12/2023 15:10 &lt;DIR&gt; .. 18/12/2023 15:16 1,884 rootca.key 1 File(s) 1,884 bytes Directory of C:\NCS\AzureIoTCerts\subca 18/12/2023 16:08 &lt;DIR&gt; . 18/12/2023 16:08 &lt;DIR&gt; .. 18/12/2023 16:08 &lt;DIR&gt; certs 18/12/2023 16:08 &lt;DIR&gt; db 18/12/2023 16:05 &lt;DIR&gt; private 18/12/2023 16:02 2,094 subca.conf 18/12/2023 16:04 4,484 subca.crt 18/12/2023 16:03 1,018 subca.csr 18/12/2023 16:08 4,552 testdevice.crt 18/12/2023 16:07 1,002 testdevice.csr 5 File(s) 13,150 bytes Directory of C:\NCS\AzureIoTCerts\subca\certs 18/12/2023 16:08 &lt;DIR&gt; . 18/12/2023 16:08 &lt;DIR&gt; .. 18/12/2023 16:08 4,552 EE3E911808A245024E9E824AC8F90B4E.pem 1 File(s) 4,552 bytes Directory of C:\NCS\AzureIoTCerts\subca\db 18/12/2023 16:08 &lt;DIR&gt; . 18/12/2023 16:08 &lt;DIR&gt; .. 18/12/2023 15:58 5 crlnumber 18/12/2023 16:08 120 index 18/12/2023 16:08 21 index.attr 18/12/2023 15:58 0 index.old 18/12/2023 16:08 34 serial 18/12/2023 15:58 34 serial.old 6 File(s) 214 bytes Directory of C:\NCS\AzureIoTCerts\subca\private 18/12/2023 16:05 &lt;DIR&gt; . 18/12/2023 16:05 &lt;DIR&gt; .. 18/12/2023 16:03 1,884 subca.key 18/12/2023 16:05 1,732 testdevice.key 2 File(s) 3,616 bytes Total Files Listed: 27 File(s) 39,794 bytes 26 Dir(s) 101,159,108,608 bytes free</pre></p> <p>2. Upload&nbsp;<span>subordinate CA certificate&nbsp;</span>C:\NCS\AzureIoTCerts\rootca\certs<span>\</span>88A8F7A2E59F52BF8F8EA450CDBB1260.pem to IoT Hub or DSP&nbsp;<strong>Certificates page.</strong></p> <p><span>3. Copy and write the following keys into the device.</span></p> <p><span>Server rootCA:&nbsp;&nbsp;DigiCertGlobalRootG2.crt.pem or&nbsp; BaltimoreCyberTrustRoot.crt.pem</span></p> <p><span>Client certificate:&nbsp;&nbsp;C:\NCS\AzureIoTCerts\subca\certs\EE3E911808A245024E9E824AC8F90B4E.pem</span></p> <p><span>Client private key:&nbsp;C:\NCS\AzureIoTCerts\subca\private\testdevice.key</span></p> <p><span>Program AT client or SLM sample first, then use Certificate Manager to write keys.</span></p> <p><span><img style="max-height:240px;max-width:640px;" alt=" " src="https://devzone.nordicsemi.com/resized-image/__size/1280x480/__key/communityserver-discussions-components-files/4/3312.program-SLM.png" /></span></p> <p><span><img style="max-height:240px;max-width:640px;" alt=" " src="https://devzone.nordicsemi.com/resized-image/__size/1280x480/__key/communityserver-discussions-components-files/4/6545.certificateManager.png" /></span></p> <p><span><img style="max-height:240px;max-width:640px;" alt=" " src="https://devzone.nordicsemi.com/resized-image/__size/1280x480/__key/communityserver-discussions-components-files/4/4073.nRF-Serial-Terminal.png" /></span></p> <p><span>If you are testing IoT Hub without DSP, remember to set the following configuration</span></p> <div> <div> <div> <div><span>CONFIG_AZURE_IOT_HUB_DEVICE_ID</span><span>=</span><span>&quot;testdevice&quot; # same as&nbsp;Subject Common Name (CN) field when you generate certificates</span></div> </div> </div> <div><span>CONFIG_AZURE_IOT_HUB_HOSTNAME</span><span>=</span><span>&quot;&quot;</span></div> <div><span></span></div> <div><span>Just let me know if there is anything else you feel confused.</span></div> </div> <p><span>Best regards,</span></p> <p><span>Charlie</span></p> <p><span></span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461223?ContentTypeID=1Wed, 20 Dec 2023 08:56:04 GMT137ad170-7792-4731-bb38-c0d22fbe4515:8bc29be2-a15c-4525-98a3-1e5958cb84deThomas<p>A few questions (I think I have tried the different combinations, but....)</p> <p>When uploading a certificate to Azure IoT hub certificates list, are you using the PEM file with only the generated <span>s</span><span>ubordinate&nbsp;</span>certificate or a manually combined file with the certificate section for both <span>s</span><span>ubordinate&nbsp;</span>and slef-signed&nbsp;root CA?</p> <p>When adding your testdevice do you set authentificate to &quot;X.509 Self-Signed&quot; or &quot;X.509 CA Signed&quot;?</p> <p>If you&nbsp;select&nbsp;&quot;X.509 Self-Signed&quot;, what secondary thump print do you use?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461212?ContentTypeID=1Wed, 20 Dec 2023 07:44:06 GMT137ad170-7792-4731-bb38-c0d22fbe4515:1f05b66b-2de7-4d59-b375-38431af9e84fThomas<p>Hi Charlie</p> <p>Thanks a lot for the effort :-)</p> <p>Unfortunately I am still unable to connect.&nbsp;</p> <p>Could you share the test certificates and the exact way you register them?</p> <p>I do know about the Baltimore/Digicert certificate change as I have several other device types and many devices running on the IoT Hub. The IoT hub I want to connect to is still using the Baltimore certificate. So I am registering this as&nbsp; CONFIG_MQTT_HELPER_SEC_TAG. The certificates (PEM) was downloaded from a Microsoft page with a description of the two certificates.</p> <p>I am now going to spin up a new test IoT Hub in a region where I know it will run Digicert and test that situation.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/461093?ContentTypeID=1Tue, 19 Dec 2023 14:23:40 GMT137ad170-7792-4731-bb38-c0d22fbe4515:d47b5d70-1aea-474c-835e-2fe71042709fCharlie<p>Hi Thomas,</p> <p>Here is the brief report from my tests.</p> <p>1) No DSP</p> <p>I got the same -111 error as you did on the first try, but when I&nbsp;replaced BaltimoreCyberTrustRoot.crt.pem with&nbsp;<span>DigiCertGlobalRootG2.crt.pem&nbsp;as root CA or&nbsp;set&nbsp;DigiCertGlobalRootG2.crt.pem rootCA, client certificate and private key in second security tag 11,</span></p> <p><span>then the issue is solved.</span></p> <p><span><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/azureIoT_5F00_NO_5F00_DPS.log">devzone.nordicsemi.com/.../azureIoT_5F00_NO_5F00_DPS.log</a></span></p> <p><span>2) With DSP</span></p> <p><span>I test with BaltimoreCyberTrustRoot.crt.crt.pem&nbsp;as root CA, client certificate and private key in security tag 10&nbsp;and set&nbsp;DigiCertGlobalRootG2.crt.pem rootCA, client certificate and private key in second security tag 11, also set&nbsp;</span><span>CONFIG_AZURE_IOT_HUB_DEVICE_ID</span><span>=</span><span>&quot;testdevice&quot; in prj.conf since &quot;the client certificate must have the value of its Subject Common Name (CN) field set to the value of the device ID.&quot; according to&nbsp;<a href="https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certs?tabs=windows">Tutorial - Create and upload certificates for testing - Azure IoT Hub | Microsoft Learn</a>.</span></p> <p><span><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/azureIoT_5F00_DPS.log">devzone.nordicsemi.com/.../azureIoT_5F00_DPS.log</a><br /></span></p> <p><span>What I have observed is fit for the CA migration timeline you can find from the following page.&nbsp;BaltimoreCyberTrustRoot.crt.pem is not valid for IoT Hub any more after October 15, 2023, but still valid for DSP, until February 15, 2024.</span></p> <p><span><a href="https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169">Azure IoT TLS: Critical changes are almost here! (…and why you should care) - Microsoft Community Hub</a></span></p> <p><span><img style="max-height:240px;max-width:640px;" alt=" " src="https://devzone.nordicsemi.com/resized-image/__size/1280x480/__key/communityserver-discussions-components-files/4/RAMIoT_5F00_0_2D00_1671571540145.png" /></span></p> <p><span>Best regards,</span></p> <p><span>Charlie</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460893?ContentTypeID=1Mon, 18 Dec 2023 16:01:33 GMT137ad170-7792-4731-bb38-c0d22fbe4515:9b4e8cff-83ed-466f-921e-25592659b69cThomas<p>Great :-) Thanks a lot I will look forward to hearing the result :-)</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460892?ContentTypeID=1Mon, 18 Dec 2023 15:59:03 GMT137ad170-7792-4731-bb38-c0d22fbe4515:6524bfd5-02a5-4fb9-97c1-3eadfd3e30f3Charlie<p>Hi Thomas,</p> <p>I will give it a try tomorrow. I also feel there might be something wrong with the certificate writing.</p> <p>I&nbsp;would try with nRF Cloud first to see if there is something different when writing certificate keys.</p> <p>Best regards,</p> <p>Charlie</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460860?ContentTypeID=1Mon, 18 Dec 2023 14:31:40 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0d4769cc-5195-48a6-8de4-e1e7ed6ef51dThomas<p>Hi Charlie</p> <p>I have not tested different things to see if I can find a solution....</p> <p>I have gone through the the Microsoft tutorial on creating and uploading certificates from the beginning again. This was to test that I did not have a problem with the certificates. I have created new internal root CA, subordinate and device certificates.</p> <p>From this I have</p> <ul> <li>Internal root CA</li> <li>Subordinate certificate used for creating device certificates</li> <li>Device certificate(s)</li> <li>Device private key(s)</li> </ul> <p>I also have two other public certificates old and new IoT hub</p> <ul> <li>Baltimore</li> <li>DigiCert</li> </ul> <p>There are a number of different ways I can register these certificates in the device.... Is it possible that someone can describe this process from within the application.</p> <p>I think the only certificates needed in the device is</p> <ul> <li>Device certificate(s)</li> <li>Device private key(s)</li> <li>Baltimore</li> <li>DigiCert</li> </ul> <p>So I&#39;m doing:</p> <div> <div><span style="font-family:&#39;courier new&#39;, courier;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, digicert, sizeof(digicert));</span></div> </div> <div> <div><span style="font-family:&#39;courier new&#39;, courier;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG,MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, baltimore, sizeof(baltimore));</span></div> <div> <div> <div><span style="font-family:&#39;courier new&#39;, courier;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert));</span></div> <div> <div> <div><span style="font-family:&#39;courier new&#39;, courier;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, devicecertpriv, sizeof(devicecertpriv))</span></div> </div> </div> </div> </div> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460541?ContentTypeID=1Fri, 15 Dec 2023 12:36:55 GMT137ad170-7792-4731-bb38-c0d22fbe4515:297d5ebf-2007-464b-b97a-abf809fcb739Thomas<p>I have now also tested connecting directly to the IoT Hub.</p> <p>Following the guide for certificates I have uploadede the generated root CA PEM file to the certificates list in the IoT Hub, then manually added the device and set the Authentification type to &quot;X.509 CA Signed&quot;.</p> <p>Same result, I still get a -111 error....</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460534?ContentTypeID=1Fri, 15 Dec 2023 12:18:35 GMT137ad170-7792-4731-bb38-c0d22fbe4515:65f28544-1732-41e5-ad51-da045cfaaec1Thomas<p>It seems to be exactly what I have done.</p> <p>I have created my own Root CA and uploaded it to the DPS and trusted it during updload.</p> <p>Following the recommended guide (<a href="https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certs?tabs=linux">https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certs?tabs=linux</a>), I have also created a subordinate CA and based on this created certificate files for the device.</p> <p>In the device I am registering certificates with:&nbsp;<strong>modem_key_mgmt&nbsp;</strong></p> <p>Since it is not working I am worried that the parameters for the modem_key_mgmt is wrong:</p> <p>Removin some code checks and certificates I have the following:</p> <div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">const char* const digicert = </span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;-----BEGIN CERTIFICATE-----\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;MrY=\n&quot;</span></div> <div><span style="font-family:&#39;courier new&#39;, courier;font-size:75%;">&quot;-----END CERTIFICATE-----&quot;;</span></div> </div> <p><span style="font-size:75%;"></span></p> <div> <div> <div></div> <span style="font-size:75%;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN,&nbsp; digicert, sizeof(digicert));</span></div> <div> <div> <div><span style="font-size:75%;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, baltimore, sizeof(baltimore))</span></div> <div> <div> <div><span style="font-size:75%;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT, devicecert, sizeof(devicecert))</span></div> </div> </div> </div> </div> </div> <div> <div><span style="font-size:75%;">modem_key_mgmt_write(CONFIG_MQTT_HELPER_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT, devicecertpriv, sizeof(devicecertpriv))</span></div> <div><span style="font-size:75%;"></span></div> <div><span>Since it is not working I am wondering about the sec_tag parameter CONFIG_MQTT_HELPER_SEC_TAG is this the correct use?</span></div> <div><span></span></div> <div><span>I have also the Baltimore certificate as you can see and the two device certificates are the content from the PEM files in the &quot;certs&quot; folder and the &quot;private&quot; folder from the example.</span></div> <div><span></span></div> <div><span>I get the -111 error during MQTT connect. Does this mean that it is only related to the DigiCert/Baltimore or would i fail with the samme error if it was device trust?</span></div> <div></div> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460526?ContentTypeID=1Fri, 15 Dec 2023 11:56:52 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a8e16e3d-c68a-4fc4-84ae-f62e7b3dbd50Thomas<p>Thanks a lot I did not find the other case when searching, so I will look&nbsp;on that and&nbsp;check the details.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460514?ContentTypeID=1Fri, 15 Dec 2023 10:28:45 GMT137ad170-7792-4731-bb38-c0d22fbe4515:478b7ada-6aa6-4c58-b412-e21d41c6f051Charlie<p>Hi Thomas,</p> <p>Thanks for checking with us. The error is also reported in the following case. Have you read through it before to find some hint?</p> <p><a href="https://devzone.nordicsemi.com/f/nordic-q-a/81795/sample-azure-iot-hub-thingy9-1/340244">(+) Sample Azure IoT Hub (Thingy9.1) - Nordic Q&amp;A - Nordic DevZone - Nordic DevZone (nordicsemi.com)</a></p> <p>Best regards,</p> <p>Charlie</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/460416?ContentTypeID=1Thu, 14 Dec 2023 15:43:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:bf52d077-621f-41e7-88e3-fc600014b2c5Thomas<p>I was wondering if the two root CA&#39;s should be saved as&nbsp;MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN instead, but it does not seem to make a difference.</p><div style="clear:both;"></div>