NRF9160 Azure IoT hub DPS Certification Connection Rejected

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Mikael Jansson — Mon, 10 Mar 2025 10:17:06 GMT

I wrote this script to create modem keys, send them to Azure and prepare DPS for automatic registration.

It uses MQTT SEC TAG 42 and SECONDARY 43. Requires signing CA and CAs previously generated.

#!/bin/bash

DEFAULT_MODEM_PORT="/dev/tty.usbserial-B002XPXB"
MODEM_PORT=
RESGROUP="<My-IoT-ResourceGroup>"
HUBNAME="<My-IoTHub>"
CERTNAME="my_root_ca"
IOTHUB_URL="<my-iot-hub>.azure-devices.net"
ENROLLMENT_NAME="<my-enrollment>"
DPS="<my-dps>"
SEC_TAG=42 # for GlobalSign G2 root CA
SECONDARY_SEC_TAG=43 # for legacy Baltimore root CA
TENANT="<my-tenant>"

check() {
    st=$1
    if [[ $st != 0 ]]; then
        echo "error occured: $st"

        echo "are you logged in? otherwise, run::"
        echo
        echo "    az login --scope https://management.core.windows.net//.default"
        exit $st
    fi
}

configure() {
    echo "********* (step 0) removing old client data: client-csr.der, client-csr.pem, client-cert.pem"
    rm -f certs/client-csr.der certs/client-csr.pem certs/client-cert.pem > /dev/null
    echo "********* (step 1) listing current data"
    nrfcredstore $MODEM_PORT list

    echo "********* (step 2) deleting old data: will create errors first time run on a device, disregard these."
    nrfcredstore $MODEM_PORT delete $SEC_TAG CLIENT_CERT > /dev/null
    nrfcredstore $MODEM_PORT delete $SEC_TAG CLIENT_KEY > /dev/null

    echo "********* (step 3) generating private key in device and output CSR in sec tag $SEC_TAG => certs/client-csr.der"
    nrfcredstore $MODEM_PORT generate $SEC_TAG certs/client-csr.der
    check $?

    #Convert the CSR from DER format to PEM format using the following command:
    echo "********* (step 4) convert CSR from DER to PEM => certs/client-csr.pem"
    openssl req -inform DER -in certs/client-csr.der -outform PEM -out certs/client-csr.pem
    check $?

    echo "********* (step 5) \"give\" the CSR client-csr.pem to sub-CA (sub-ca-key.pem, sub-ca-cert.pem) to generate client cert => certs/client-cert.pem"
    ./cert_tool.py sign 
    check $?

    DEVICE_CN=$(openssl x509 -in certs/client-cert.pem -noout -subject | sed -e 's/.*CN=\(.*\)/\1/g')
    [[ $DEVICE_CN != "" ]]
    check $?
    echo "********* (step 5.5) DEVICE_CN: $DEVICE_CN"
    az iot dps enrollment delete --enrollment-id $DEVICE_CN --resource-group $RESGROUP  --dps-name $DPS > /dev/null

    echo "********* (step 6) write signed client cert in sec tag $SEC_TAG => certs/client-cert.pem"
    nrfcredstore $MODEM_PORT write $SEC_TAG CLIENT_CERT certs/client-cert.pem
    check $?

    echo "********* (step 7) listing current credentials in sec tag $SEC_TAG"
    nrfcredstore $MODEM_PORT list | grep -w $SEC_TAG

    echo "********* (step 8) registering device-id my-device-revN-$DEVICE_CN using certs/client-cert.pem"

    az iot dps enrollment create --enrollment-id $DEVICE_CN --device-id "my-device-revN-$DEVICE_CN" \
    --provisioning-status enabled --resource-group $RESGROUP \
    --iot-hubs $IOTHUB_URL --attestation-type x509 \
    --certificate-path certs/client-cert.pem --dps-name $DPS \
    --allocation-policy static  > /dev/null
    check $?

    echo "********* (step 9) adding credentials for DigiCert and Baltimore"
    nrfcredstore $MODEM_PORT write $SEC_TAG ROOT_CA_CERT DigiCertGlobalRootG2.crt.pem
    check $?
    nrfcredstore $MODEM_PORT write $SECONDARY_SEC_TAG ROOT_CA_CERT BaltimoreCyberTrustRoot.crt.pem
    check $?

    echo "********* (step 10) listing current credentials in primary and secondary sec tags"
    nrfcredstore $MODEM_PORT list | grep -Ew '42|43'
    check $?
}

help() {
    echo "usage: $0 [--skip-install] [<modem port>]"
    echo
    echo "--skip-install:   don't install firmware"
    echo "<modem port>:     the port where the modem is connected, default $DEFAULT_MODEM_PORT"
    echo
    echo "requirements:"
    echo "- BaltimoreCyberTrustRoot.crt.pem"
    echo "- DigiCertGlobalRootG2.crt.pem"
    echo "ca/"
    echo "- root-ca-cert.pem"
    echo "- root-ca-key.pem"
    echo "- sub-ca-cert.pem"
    echo "- sub-ca-key.pem"
    echo
    echo "intermediates:"
    echo "certs/"
    echo "- client-cert.pem"
    echo "- client-csr.der"
    echo "- client-csr.pem"
    echo
    echo "Possible devices":
    ls -1 /dev/tty.*serial*
    exit 0
}

install_firmware() {
    GDB=/opt/nordic/ncs/toolchains/20d68df7e5//opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-gdb
    $GDB -q \
         -ex "target extended-remote /opt/bmp" \
         -ex "monitor swd_scan" -ex "att 1" \
         -ex "set confirm off" \
         -ex "load at_client/merged.hex" -ex "file at_client/zephyr.elf" \
         -ex "start" -ex "quit"

}

iothub_login() {
    az group list -o table > /dev/null
    if [[ "$?" != "0" ]]; then
        az login --tenant $TENANT --scope https://management.core.windows.net//.default
    fi
}

main() {
    if [[ "$1" == "--help" ]]; then
        help
    fi

    local INSTALL_FIRMWARE=1
    if [[ "$1" == "--skip-install" ]]; then
        INSTALL_FIRMWARE=0
        shift
    fi

    MODEM_PORT=$1
    if [[ ! -e $MODEM_PORT ]]; then
        echo "no modem port specified, using default $DEFAULT_MODEM_PORT"
        MODEM_PORT=$DEFAULT_MODEM_PORT
    fi

    source ~/.zephyrtools/venv-python3.13/bin/activate

    if [[ $INSTALL_FIRMWARE == 1 ]]; then
        install_firmware
        echo "Power reset the device and enter to continue"
        read
        sleep 1
    fi

    iothub_login

    configure 

    echo ""
    echo "Azure IoTHub Device Name: $DEVICE_CN"
}

main $*

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

jczacharia — Fri, 14 Feb 2025 01:01:09 GMT

Unfortunately not, I haven’t worked on the project in a few months so things might have changed on Azure since then.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Neso — Thu, 13 Feb 2025 18:23:47 GMT

Hi. Did you find a solution to this?

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

jczacharia — Wed, 01 May 2024 17:31:28 GMT

Yes, I have done that. I can't seem to shake the -111 error (Is the device certificate valid?). I have a feeling it might be related to Azure DigiCert migration.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Byter — Sun, 28 Apr 2024 08:00:46 GMT

Hello, I'm receiving the exact same issue. Followed the tutorial 1:1, copied the ETAG from the JSON response at each invocation and all. Not sure what the issue is at this point

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Mikael Jansson — Tue, 23 Apr 2024 10:32:01 GMT

Did you make sure to copy the ETAG from the JSON response for each invocation of "az iot hub"?

az iot hub certificate create --hub-name "$HUBNAME" --name "$CERTNAME" --path ca/root-ca-cert.pem

> read the ETAG, use in following command:

az iot hub certificate generate-verification-code --hub-name $HUBNAME --name MYROOTCA --etag "$ETAG"

> read the ETAG from the above command, use it in the following:

az iot hub certificate verify --hub-name $HUBNAME --name $CERTNAME --etag $ETAG2 --path certs/client-cert.pem

and so on.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Charlie — Tue, 05 Mar 2024 14:02:51 GMT

Hi Jeremy,

Sorry to hear your struggling. I helped a customer with a similar issue three months ago and provide the details about my tests.

Could you refer to this ticket to see if it helps?

(+) API registration of certification for Azure IoT Hub / DPS - Nordic Q&A - Nordic DevZone - Nordic DevZone (nordicsemi.com)

Best regards,

Charlie

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

jczacharia — Mon, 04 Mar 2024 19:26:34 GMT

Just as an update: I have successfully connected to AWS. Still have no idea why Azure doesn't recognize my certificates.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Sigurd Hellesvik — Fri, 01 Mar 2024 13:35:57 GMT

[quote user="jczacharia"]Is there a direct line of contact with the Nordic engineering team to address this challenge efficiently?[/quote]

Although it is often normal to have first-line support, we in technical support here at Nordic are application engineers in R&D at the same level as the rest of our engineering team, and have similar competence.
That being said, you are onto something: Most of our nRF9160 experts are at a conference this week. I do not have the most experience in this topic, although I have indeed used Azure with both DPS and normal provisioning myself a couple of years ago.

Next week I will ask for help from the people back from the conference and we will see what we can figure out here.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

jczacharia — Fri, 01 Mar 2024 03:35:45 GMT

I've tried it with:

SDK v2.5.2 - MFW 1.3.5
SDK v2.5.2 - MFW 1.3.6
SDK v2.5.1 - MFW 1.3.5
SDK v2.5.1 - MFW 1.3.6
SDK v2.5.99-dev1 - MFW 1.3.6
SDK v2.5.99-dev1 - MFW 1.3.5

I even tried this on a couple of brand-new nRF9160-DKs and same issue.

Though, connecting is nRF Cloud has been successful for all devices.

I was planning on creating a video going step by step but I feel as though it might be redundant since it's just going through the documentation.

Is there a direct line of contact with the Nordic engineering team to address this challenge efficiently?

I am working with a company that is entering the market with a custom IoT hardware product, which is built on the Nordic platform. Over the past few years, we have developed a deep appreciation for the robustness and versatility of this platform but seeing that Azure and Nordic are changing rapidly and are currently facing this firmware/certification issue that is hampering our progress. Despite diligently following the latest documentation, even including the new tutorial and cert_tool.py script released on February 29, 2024, we have been unable to resolve this issue, which we suspect may be external.

I would be more than willing to contribute to the software and documentation to get a sound solution to this seeing that others are having similar problems.

Any help will be met with reciprocation.

Thanks!

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Sigurd Hellesvik — Thu, 29 Feb 2024 14:02:36 GMT

Hi,

From https://infocenter.nordicsemi.com/topic/comp_matrix_nrf9160/COMP/nrf9160/nrf9160_modem_fw.html?cp=2_1_3_5:

I see you use modem firmware 1.3.5 with NCS 2.5.2.

Maybe this could be related?

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

jczacharia — Tue, 27 Feb 2024 17:00:38 GMT

I have followed the Azure IoT Hub tutorial and that is also where I got the Baltimore and DigiCert CA certificates from.

I tried using both the Baltimore and DigiCert individually and together in the CA certificate textarea in the Certificate Manager in the Cellular Monitor.

If I do not include the Balitmore certificate in the CA certificate, then I get the error:

[00:00:04.746,582] <err> mqtt_helper: mqtt_connect, error: -111
[00:00:04.746,612] <err> azure_iot_hub_dps: mqtt_helper_connect failed, error: -111
[00:00:04.746,612] <err> azure_iot_hub: azure_iot_hub_dps_start failed, error: -111
[00:00:04.746,643] <err> azure_iot_hub_integration: azure_iot_hub_connect, error: -111

Which looks like no connection is established whereas if I include the Baltimore certificate, I then get:

[00:00:08.990,051] <err> azure_iot_hub: Connection was rejected with return code 5
[00:00:08.990,081] <wrn> azure_iot_hub: Is the device certificate valid?
[00:00:08.990,081] <dbg> azure_iot_hub_integration: azure_iot_hub_event_handler: AZURE_IOT_HUB_EVT_CONNECTION_FAILED
[00:00:08.991,119] <wrn> azure_iot_hub: DISCONNECT, result: -111
[00:00:08.991,149] <dbg> azure_iot_hub_integration: azure_iot_hub_event_handler: AZURE_IOT_HUB_EVT_DISCONNECTED
[00:00:08.991,180] <dbg> cloud_module: cloud_wrap_event_handler: CLOUD_WRAP_EVT_DISCONNECTED
[00:00:08.991,241] <inf> app_event_manager: CLOUD_EVT_DISCONNECTED
[00:00:08.991,882] <err> mqtt_helper: Cloud MQTT input error: -111

That appears to establish some sort of connection but then gets rejected because the device certificate is not valid.

So following the Azure IoT Hub tutorial (for a single device; no DPS) that instructs me to use Create and upload certificates for testing, I then

take the Test Subordinate CA from rootca/certs and add that certificate as verified in the IoT hub certificates
create a device certificate called device-01 and put that device's certificate from subca/certs into the Client certificate textarea in the Certificate Manager in the Cellular Monitor (also tried including the Test Subordinate CA along with it)
add a new enabled device (non-IoT Edge) in the IoT hub called device-01 with X.509 CA Signed authentication type
take device-01's private key subca/private/device-01.key and put that in the Private key textarea in the Certificate Manager in the Cellular Monitor

I certainly feel like I have followed these tutorials very precisely but cannot get a proper connection.

I have been able to establish proper communication with the nRF Cloud so I know that the SIM card is working. However, I am not sure if having the device on nRF Cloud is affecting Azure communication.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Sigurd Hellesvik — Tue, 27 Feb 2024 15:34:08 GMT

Can I suggest that you try with the Azure IoT Hub sample? This does only one thing, so fewer things can go wrong.

Secondly, a common error is to use the wrong of DigiCert and Baltimore certificates, as seen from our docs:

Also, where exactly did you get your Azure certificates from?

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

jczacharia — Mon, 26 Feb 2024 19:22:49 GMT

Yes, I have.

I followed this tutorial: developer.nordicsemi.com/.../azure_iot_hub.html

I have tried 3 different ways of creating credentials:

But have not been able to get any to work. I still always see the "Is the device certificate valid?" error.

My overlay-azure.conf for one device:

CONFIG_AZURE_IOT_HUB=y
CONFIG_AZURE_IOT_HUB_DPS=n
CONFIG_AZURE_IOT_HUB_AUTO_DEVICE_TWIN_REQUEST=y

# Increase the number of maximum message properties that can be parsed by the Azure IoT Hub library.
# Needed to be able to parse P-GPS responses.
CONFIG_AZURE_IOT_HUB_MSG_PROPERTY_RECV_MAX_COUNT=4

CONFIG_AZURE_IOT_HUB_HOSTNAME="******.azure-devices.net" # Replace with my IoT Hub hostname
CONFIG_AZURE_IOT_HUB_DEVICE_ID="device-01"

# MQTT helper library
CONFIG_MQTT_HELPER_RX_TX_BUFFER_SIZE=2048
CONFIG_MQTT_HELPER_STACK_SIZE=4096
CONFIG_MQTT_HELPER_SEC_TAG=11

# MQTT Transport library
# Maximum specified MQTT keepalive timeout for Azure IoT Hub is 1177 seconds.
CONFIG_MQTT_KEEPALIVE=1177

I have tried each combination of creating credentials from each above source with both DPS and single device using both the asset_tracker_v2 codebase and as well as the https://github.com/NordicSemiconductor/asset-tracker-cloud-firmware-azure codebase.

But no matter which combination I pick, I cannot get the certificates provisioned correctly to establish a valid communication.

RE: NRF9160 Azure IoT hub DPS Certification Connection Rejected

Sigurd Hellesvik — Mon, 26 Feb 2024 12:28:32 GMT

Hi,

Have you tried to connect your device to Azure IoT Hub without DPS?

Regards,
Sigurd Hellesvik