• State Not Answered
  • Replies 24 replies
  • Subscribers 74 subscribers
  • Views 2950 views
  • Users 0 members are here
Attachments (3) Download All
Nordic Case Info
  • Case ID: 319294
Options

API registration of certification for Azure IoT Hub / DPS

Thomas

I am trying to connect a custom device to the Azure IoT Hub using DPS service. Because I am using a custom board I am trying to write certificates to the modem using api calls to the modem_key_mgmg functions. Theses functions have a tag and a credential type.

But trying to get around the different certificates in use.and what tags and credential types i should use when writing the certificates.

I have registered Baltimore and DigiCert root CA certificates using the tag CONFIG_MQTT_HELPER_SEC_TAG and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG and both of them with credential type set to MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT.

For the device certificate I am not really sure what the tag should be, so just set it to 12 for both types.

Then the private certificate is registered with type MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT.

But what about the public part? Should it be MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT?

Is the above at all correct? I am wondering about the tag field since I find no description except a reserrved tag for nRFCloud. Is it used somewhere in the Nordic libraries for Azure and has to have a specific value?

I am getting mqtt_helper, mqtt_connect, error: -111 when trying to connect.

  • 0 in reply to Charlie

    Another huge problem. I need two root CA in the device.

    I need both Baltimore and Digicert to exist in my device......

    My hub is currently running with Baltimore so to connect now I need Baltimore and at an unknown time it will change to Digicert. If I do not have both certificates in the device I will loose connection.

    The current 3 certificates are downloaded with key 10.

    Should I just add 3 certificates with key 11 also replacing the CA for Baltimore with Digicert

  • 0 in reply to Thomas
    Thomas said:
    I wanted to validate what types are used in the 3 windows of Cellular Monitor...
    Certificate Manager windows correspond to the following tree types. NCS\v2.5.0\nrf\samples\cellular\http_update samples demonstrate how to properly write certificates in fw.
    MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN
    MODEM_KEY_MGMT_CRED_TYPE_PUBLIC_CERT
    MODEM_KEY_MGMT_CRED_TYPE_PRIVATE_CERT
    This is not suggested since it will occupy many memory sizes and is also not secure.
    Thomas said:
    My hub is currently running with Baltimore so to connect now I need Baltimore and at an unknown time it will change to Digicert. If I do not have both certificates in the device I will loose connection.

    Couldn't the two sets of keys stored in different secure tags solve your problem?

    My first test showed when Baltimore in CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.

    Best regards,

    Charlie

  • 0 in reply to Charlie

    How do I control which security tag is used. I have not found a way to do this?

  • 0 in reply to Charlie

    It seems that as soon as I register two root CA.

    DigiCert in tag CONFIG_MQTT_HELPER_SEC_TAG

    Baltimore in tag CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG 

    I cannot connect to any IoT hub anymore.....

    I am testing agains two different IoT hubs, one running with DigiCert and one running with Baltimore. Function was as expected as long as I only registered one CA on the CONFIG_MQTT_HELPER_SEC_TAG.

    I am validating this...

  • 0 in reply to Charlie
    Charlie said:
    My first test showed when Baltimore in CONFIG_MQTT_HELPER_SEC_TAG did not work, it would automatically switch to Digicert in CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG to build the connection.

    I cannot validate this. It seems this is not correct.

    Hang on.... maybe wrong conclusion....

    I moved from programming certificates using Cellular Monitor to programming certificates using modem_key_mgmt_write. This might be the problem....

    • Related
    Terms of service