Format of certification files needed to use secure MQTT in nRF-9160 and nRF-9151

Question

Hi all,

Recently I am trying to start a secure MQTT connect between Rabbit MQ broker and nRF-9160 or nRF-9151.

nRF9160 is running Serial LTE Modem(SLM) application with v2.4.0 SDK , and nRF-9151 is also running SLM but under v2.7.0 SDK.

Broker was set to single way MQTTS with credentials applied from "let's encrypt" (or called simple MQTTS as I heard, which only clients would check server, server doesn't check client).

I'm now using PC tool "Cellular Monitor" to import certificate files, and according to the GUI, there could be CA certificate(CA) / Client Certificate(CC) / Private Key(PK).

My questions are:

According to ChatGPT (might not be correct...):
"when running simple MQTTS,
server needs CA certificate / Server Certificate / Server Private Key,
and clients need Client CA Certificate / Client Private Key, Client Certificate usually is not a must."
So... does server and clients both use the same CA certificate file? Does server and client need to have different private key file?
I've got 3 files named "cert.pem" "chain.pem" "privkey.pem" provided by server side colleague (I assume these are CA file, CC file and PK file).
However when I import them into SLM with cellular monitor tool, no matter if I feed CA only / CA + PK / CA + CC + PK, AT#XMQTTCON always returns "ERROR"(Any method to found reason of error?).
As I'm surfing trying to find some solution, I noticed that some company requires user to turn .pem files into one-line format before feeding them. So does \r and \n needed to remove before feeding my certificate file into SLM?

(Connection to MQTT port success, but connection to MQTTS port with <sec_tag> returns ERROR
I've noticed there are a command AT%KEYGEN. But I'm not sure if I need to use this and how do I use this.
As mentioned in question 1, do I have to generate a private key per client by it self or can it just use the same PK file as server?
If it is a must to generate a private key by each client themself, is this the correct command I should use?
The first purpose stated in the page "Client private key and certificate signing request (CSR) (<key_type> 2, <response_content> 0)" seems kind of like what I need, as it says it could be used for TLS credential. But 1st how does it know which CA should it try to apply client certificate + private key (could CA certificate file help?), 2nd we are only doing simple MQTTS so we might not need the generated client certificate, would "extra certificate file" be a concern or we may just ignore it?

Alan-Ni · Accepted Answer

Hi &Oslash;yvind, 
 I've tried again, and it worked this time. 
 It turns out the real problem was not the certificate, but the URL. 
 I've been using IP to start connection back when I'm connecting to the non-secure MQTT port, b ut the secure port was set to only accept connection using hostname. 
 Anyway, I'm able to start the one way secure MQTT with nRF-9160(2.4.0SDK) and nRF-9151(2.7.0SDK) SLM now. 
 Thanks for the help!! 
 
 --------------------------- 
 Below is my simple summary and the log of success connection. 
 For starting a one way secure MQTT connection as client, I need to provide "Root CA"(not CA, not CC, not intermediate CA or any other, but "Root" CA only). 
 In my case, the certificates used by MQTTS broker was applied from Let's Encrypt, so I have to prepare the Let's Encrypt root CA -- ISRG root X1. It could be downloaded directly from their website. 
 I've downloaded the .pem format version, and tested to import the original file or the "one line" version(hand edit to remove CR LF), both worked well. 
 Here is the log (I've replace the account / password/ hostname with star). 
 Ready > AT+CFUN=4 OK > AT%CMNG=1 %CMNG: 16842753,0,"2C43952EE9E000FF2ACC4E2ED0897C0A72AD5FA72C3D934E81741CBD54F05BD1" %CMNG: 16842753,1,"B5CC275CEF820E6D3AE874BB0A3876719D2C4E92AE9A825FF253CC10A2B3B604" %CMNG: 16842753,2,"EF7DEF697E9778C213F1E39F6ED34E0A686B8F475826E9286B6FD594B69035D4" %CMNG: 4294967292,11,"672E2F05962B4EFBFA8801255D87E0E0418F2DDF4DDAEFC59E9B4162F512CB63" %CMNG: 4294967293,10,"2C43952EE9E000FF2ACC4E2ED0897C0A72AD5FA72C3D934E81741CBD54F05BD1" %CMNG: 4294967294,6,"ABF134FC1313E3D2ABF1DE5B9426AF7A9E8A177A6B35A2B0FAD6A8EB0952B424" OK > AT%CMNG=0,0,0,"-----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELB QAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3 QgWDEwHhcNMTUwNjA0MTEwNDM4 WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu ZXQgU2VjdXJpdHk gUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfz m54rVygc h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ 0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZ myPfjxwv60pIgbz5MDmgK7iS4+3mX6U A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW T8KOEUt+zw vo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RC OFvu396j3x+UC B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv KBds0pjBqAlkd25HN7rOrFleaJ1/ ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn jh8BC NAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4h VC1CLQJ13hef4Y53CI rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV HRMBAf8EBTADAQH/MB0GA1U dDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL u bhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ 3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mv oiBOv/2X/qkSsisRcOj/KK NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 ORAzI4JMPJ+GslWYHb4 phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8 NwdC jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMl jq4Ui0/1lvh+wjChP4kqKOJ2qxq 4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA mRGunUHBcnWEvg JBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5 iItreGCc= -----END CERTIFICATE-----" OK > AT%CMNG=1 %CMNG: 0,0,"BD6681410FB05ECD2B414AFA3B02E285132CD289F9CAD10E5C850FC9888E576E" %CMNG: 16842753,0,"2C43952EE9E000FF2ACC4E2ED0897C0A72AD5FA72C3D934E81741CBD54F05BD1" %CMNG: 16842753,1,"B5CC275CEF820E6D3AE874BB0A3876719D2C4E92AE9A825FF253CC10A2B3B604" %CMNG: 16842753,2,"EF7DEF697E9778C213F1E39F6ED34E0A686B8F475826E9286B6FD594B69035D4" %CMNG: 4294967292,11,"672E2F05962B4EFBFA8801255D87E0E0418F2DDF4DDAEFC59E9B4162F512CB63" %CMNG: 4294967293,10,"2C43952EE9E000FF2ACC4E2ED0897C0A72AD5FA72C3D934E81741CBD54F05BD1" %CMNG: 4294967294,6,"ABF134FC1313E3D2ABF1DE5B9426AF7A9E8A177A6B35A2B0FAD6A8EB0952B424" OK > AT+CEREG=1 OK > AT+CFUN=1 OK +CEREG: 2 +CEREG: 1 > AT+CEREG? +CEREG: 1,1 OK > AT#XMQTTCFG="client_0012768",30,0 OK > AT#XMQTTCON=1,"********","********","********",8883,0 OK #XMQTTEVT: 9,0 > AT+CGMR mfw_nrf91x1_2.0.1 OK #XMQTTEVT: 9,0 > AT#XMQTTCON=0,"********","********","********",8883,0 #XMQTTEVT: 1,0 OK > AT#XMQTTCON=1,"********","********","********",8883,0 OK #XMQTTEVT: 0,0 #XMQTTEVT: 9,0 #XMQTTEVT: 9,0 > AT#XMQTTPUB="TEST","ABCDEFG",0,0 OK #XMQTTEVT: 9,0 > AT#XMQTTPUB="TEST","ABCDEFG",0,0 OK #XMQTTEVT: 9,0 > AT#XMQTTPUB="TEST","ABCDEFG",0,0 OK #XMQTTEVT: 9,0

Format of certification files needed to use secure MQTT in nRF-9160 and nRF-9151

Top Replies