Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/f/nordic-q-a/125626/issue-with-provisioning-device-to-communicate-via-tcp-over-tlsDear All, I am developing an application based on the nRF7002DK. I am using nRFConnect SDK v3.1.1. I am producing my own CA, server and client keys to be used for TLS, with the following commands: With these steps I am creating a CA certificate whichen-USTelligent Community 13Thu, 20 Nov 2025 14:10:45 GMTRE: Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/thread/554918?ContentTypeID=1Thu, 20 Nov 2025 14:10:45 GMT137ad170-7792-4731-bb38-c0d22fbe4515:49802030-5b45-451d-8c4a-deeab30e5bfbGiannis_Anastasopoulos<p>After some deeper investigation inside the MBEDTLS stack I found out that the handshake was failing at the point where it was checking the name of the server that I was passing in the&nbsp;<pre class="ui-code" data-mode="text">err = setsockopt(fd, SOL_TLS, TLS_HOSTNAME, TCP_SERVER_NAME, sizeof(TCP_SERVER_NAME) - 1);</pre><br />Since I was testing on a server running locally, the name of the server had the format 192.168.X.X, but the certificate that I was using to verify the server had another name on it. So the authentication was failing at that point.<br /><br />Thank you very much for the assistance <a href="https://devzone.nordicsemi.com/members/amanda">Amanda Hsieh</a>&nbsp;</p><div style="clear:both;"></div>RE: Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/thread/554811?ContentTypeID=1Wed, 19 Nov 2025 14:27:08 GMT137ad170-7792-4731-bb38-c0d22fbe4515:9ce27c35-a43b-424d-a717-ec15552da709Giannis_Anastasopoulos<p><a href="https://devzone.nordicsemi.com/members/amanda">Amanda Hsieh</a>&nbsp;<br /><br /><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/test_5F00_fixed_5F00_certs.zip">devzone.nordicsemi.com/.../test_5F00_fixed_5F00_certs.zip</a><br /><br />In the zip file you can find the certificates I have created with openssl as well as the commands that I have used to debug the TLS communication.<br /><br />When I am using the openssl client I am able to complete the handshake and communicate with the server:<br /><br /><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/log_5F00_success.txt">devzone.nordicsemi.com/.../log_5F00_success.txt</a><br /><br />When I try to do the same with the nRF7002DK, the server is rejecting the certificate like this:<br /><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/log_5F00_failure.txt">devzone.nordicsemi.com/.../log_5F00_failure.txt</a><br /><br />My project currently can be stripped down to this:<br /><br /><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/nRF7002DK_5F00_tcp_5F00_client.zip">devzone.nordicsemi.com/.../nRF7002DK_5F00_tcp_5F00_client.zip</a><br />I hope this information helps you to guide me through this issue</p><div style="clear:both;"></div>RE: Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/thread/554704?ContentTypeID=1Tue, 18 Nov 2025 17:56:59 GMT137ad170-7792-4731-bb38-c0d22fbe4515:aefc7d93-10fe-43ea-9c62-2c419443c7caGiannis_Anastasopoulos<p>&nbsp;<a href="https://devzone.nordicsemi.com/members/amanda">Amanda Hsieh</a>&nbsp;</p> <p>Thank you again for your response.</p> <p>In my ticket I am describing how I am testing my openssl server. Is this test not adequate?</p> <p></p> <p>Any specific suggestions on what and how to test things out?</p> <p></p> <p>Does my proj.onf&nbsp; and my code snippets make sense ?</p><div style="clear:both;"></div>RE: Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/thread/554702?ContentTypeID=1Tue, 18 Nov 2025 17:48:00 GMT137ad170-7792-4731-bb38-c0d22fbe4515:cccda53c-a8e3-45cf-bf59-ef021ee91680Amanda Hsieh[quote user="Giannis_Anastasopoulos"]Could it be that I am doing something wrong with how I am starting the openssl server and it is not acknowledging properly the CA certificate?[/quote] <p>That might be possible. You could test and verify the&nbsp;<span>CA certificate with the openssl server.&nbsp;</span></p><div style="clear:both;"></div>RE: Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/thread/554632?ContentTypeID=1Tue, 18 Nov 2025 07:36:31 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ebcdccd3-d7b8-48af-a7a1-c423ff842ffdGiannis_Anastasopoulos<p><a href="https://devzone.nordicsemi.com/members/amanda">Amanda Hsieh</a>&nbsp;<br /><br />Thank you very much for your response. The certificates I am producing from the above process are already in .pem format (I believe).<br /><br />These are the certificates I am testing with:<br /><br />server.crt<br /><pre class="ui-code" data-mode="text">-----BEGIN CERTIFICATE----- MIIDcjCCAlqgAwIBAgIUd/2REbWOCyVx33u8j5MvJsj8FOswDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTExMTgwNzI5MDVaFw0zMDEw MjMwNzI5MDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDGGPcaLKkbxcoFiQRoU0dI8ZSs7iiSt+7OteCDsBIV F46+0vHAaIQxil6CFThHYRixufUYFLws/Y70UM3hJhMqL7kOqA2+JbAj8KeIYdJJ JgxU2rKdkvwimHt0nn6eMRIb+c0a0Rf6eGCm17w1Hfr9Za+SkqR+NG30l/KsRed2 b38JlWmmJYCGO0vn/HXt9Jjd93If+sZLboBbK3N6ht9ZmfZSIlC7J9nzOzwuYR/c BEWFe+y/9O7DisDYY70E4DGGSxQqk8ldRXTSCZOQIGJQYbjDOzDzbn065lYMbTC5 kjijhaqxPc4ohVK1CS57jCOB87toP+jEa48ysLXnHdDnAgMBAAGjWjBYMB8GA1Ud IwQYMBaAFLr0TGsu1retORf7CwDSZLsXTsN3MAkGA1UdEwQCMAAwCwYDVR0PBAQD AgTwMB0GA1UdDgQWBBTCM9NJSePhUyGMKkvSakXIIWJcCjANBgkqhkiG9w0BAQsF AAOCAQEASlOeVZrb9+G8jyqBczlUOFdJ4XlWjG5KEVW6f0lEKIEefngYfdndqNkR qQ5UvNXjdoaZn4hhNmeebXBAb2yGdScuE3W60a4e2Dj7nN6kAmHMuTjMhnGfSpPz nfPeLxOHYNT8gPHhX36ZhfFS5NzjFsswEg67SJsK5ik2NeJKEd9BglW8VHDZa8bP pIkyG1jYHD3UYXbQ1//DrK3oGl7pckpVbyXzTiOufWu3t9q4OMWROC0AkQKWFMxs kkKUWkIoMJlm49OW8ziN5mCyqmVdvi4nUI24olpaoWaTDNVD42WzS9h4HtMMILI4 RWPWh8YQTnEy3UMLT40xTulzEhPXww== -----END CERTIFICATE----- </pre><br />server_rsa.key<br /><pre class="ui-code" data-mode="text">-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGGPcaLKkbxcoF iQRoU0dI8ZSs7iiSt+7OteCDsBIVF46+0vHAaIQxil6CFThHYRixufUYFLws/Y70 UM3hJhMqL7kOqA2+JbAj8KeIYdJJJgxU2rKdkvwimHt0nn6eMRIb+c0a0Rf6eGCm 17w1Hfr9Za+SkqR+NG30l/KsRed2b38JlWmmJYCGO0vn/HXt9Jjd93If+sZLboBb K3N6ht9ZmfZSIlC7J9nzOzwuYR/cBEWFe+y/9O7DisDYY70E4DGGSxQqk8ldRXTS CZOQIGJQYbjDOzDzbn065lYMbTC5kjijhaqxPc4ohVK1CS57jCOB87toP+jEa48y sLXnHdDnAgMBAAECggEAMxQr3v1mC2m4Gi5GyymyB053YhG0t4Qi2P0Pq5UCTJr6 7RxSRqUMdQOzM8KJ9OnF5snGt1NdZBJrQnb1ZxkctvOAOZW+mWl5XgMHB8UFZmQf qN+NT9EfH0KHDr5xcpO/kiQarU/96VERxuN4vY+B8MW//EDAlmQpd/iYE7CgqqpH bqobbcZFK2p50h7mSHtpScUol/33hT65ekI0crxgVeHz7RY+r/MWhh8KEv78hSIM lk5MF08XhhUguWhsjUDlxPRCv3HFxErc8NEZJLENSUqkhI8ovPJDE3y1hTLV9JVZ Gn1dxDRS/iqCw4Wj607qHVwzDLmwKTzCJwDH9YpnMQKBgQD5e61TpO/y3pmiSlTE 0ghNRxeY7HxSAOeRDDzIxjF918llewxQu39eodZp+xUqvrteySj2g0vAYGkJcRdi TAPioeGd6zXaVjevvxSh0StPQ8cI3+ub6L7C8Z0vQg+JXYRLDDlmGKO56UJuPOW2 D6q++UflXMIORRc6WMJSfN5+twKBgQDLRaqrXPsAkwqbBo94N7/SC0JvNPw5LOoD 524AOwVSzvFf2roMHXmtrbR5F4Ejhbr6xdMM78C3124tf8b5JJhshsYarqVGqFS7 qeNwn9Cl+CGObX4GfjjtPqGpOiWdP6j6YxQudFFnsICHQVw4cHFhUWy14GVZ7TdE 7OoMdA0PUQKBgHfya3n8odS+C1WIsUrTxGQLGyBOCtOOVcdZ/9tz1pWvasfcqiYi j3FbE/BuZFXhz8oZoxUqOQBsGfQNKHX9IB0VQZkgXgr0St+3Wd8W5uC8MHRm3Ctg cl7dtXnkI/4iNRmz7eDVVdpreKHxq2umCqy4w0VWHIKp2yoVRJBOMtbvAoGBAMSd s1Kj0kmg8O44r0dqLUmfCHiGuL0ZG5YBId5pOGH7t2+vIqwbSpna3ikOuiPA87Yi 6Vym/zMT1wd9g9lzM1guGKqwaT9qDOOklVFX1DrlQpgAgpkHOEsKfNYyXzW14N2o PlocuqzgBcJOT0RsRs8KMmvODFqqX/50ZoL7MbKxAoGAZbfk2HAfl/GwoDl2gnyB h6XyCpFEnsFrklRjHnwVzQQmtywFCrXT3Uqas9TqRblM0+hOIzuQHR0lKvKoHX2w A97oY1pifNjI4f3RlB0qcoHD86bsl7xrSyxNpXIpcVVEn6d/0QyA4prL4PVqoXhN jWl6EPqxPt3YuDXzo1527wI= -----END PRIVATE KEY----- </pre><br />ca.crt<br /><pre class="ui-code" data-mode="text">-----BEGIN CERTIFICATE----- MIIDazCCAlOgAwIBAgIUQ4WENFHWVJmvjkHhgHQWpQiAxZswDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTExMTQxNDQxMjZaFw0zMDEw MTkxNDQxMjZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQCVHPNr+xEoUnujAxsSinPB056XZR+YFfm+psvUGjUA 74GvNYL0C89J+EU1TauEzVWzGDKqAurpsZHVx4N/F9AodB3zUrJ7wjQis/0m5KK1 dMsCTDc3s3vbk6/hzjwxDZtZeTFmUwYfB/GnnLztOTIYlIVxN61jFMWn0ZkY5TFl HkRptD3AO1Cz8UDjKBrKbWp8cgrOIsCHOsEkEqV7PT3o9BZ9p9QaJGV1ZXNu5zPi ckVfwblsLU+nNHn4jVrlolWDKINHm4nt61U5YmzCF6u3UC55+2QYYOphenLiIAGj zZdIm9ulGVJIp+67mL1snaBbYFQ/3D0FjHlv42hBalGXAgMBAAGjUzBRMB0GA1Ud DgQWBBTSfLH+yjanMzFUbig9wSJFxRaaHTAfBgNVHSMEGDAWgBTSfLH+yjanMzFU big9wSJFxRaaHTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAa EE8Ebnq8LlGsMW47x97mzOFxiaqQUdS8W76/nIdx60jIQuMPAzfzQzqfB5SWzukT XLCLp//izvcs9PxMmth7iucWjHaMKUjjQ2NsMfkEJyBx8wjNObTffr0LJzXNVNzS Qag+KHnBHZQcpvrQTE0mFqlHQpsah/FUldl5L7vGbBIPkR+VQ814nauwIvrilwMR 1kW7HHaI+WvpJCg4PBA4ubeC9VLEEoFPtGs9PEPz+c/u7HnYBKFyGlFnD4S0dq7/ 6Gd7Ml7ndD2xLs7kUaSYe4By2bB44ti3S6FjgnxeYSnrGsj5C0JcRwco1fQ4zlgt ZIKJDU1/WX5Fhvoj2iOw -----END CERTIFICATE-----</pre><br />client.crt</p> <p><pre class="ui-code" data-mode="text">-----BEGIN CERTIFICATE----- MIID1zCCAr+gAwIBAgIUd/2REbWOCyVx33u8j5MvJsj8FOwwDQYJKoZIhvcNAQEL BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTExMTgwNzI5MDhaFw0zMDEw MjMwNzI5MDhaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQCs+IY2qPJ9x5S4INmxRvsULKV81W2YsRwwkFXIWWJd dLDaXbiyBqrqUb544dpm06ZESeNJMHcp50fLTOMT7zYfsGBWfmbdQuCDnTvUsdm1 flVmuWKSc2q01NY/irQXcJPhGN9YGevb8HIzFt8wRS9Fql2FxSBh3c5oV8jeXP7T gWBLW63B0h/UOPRvl1g1xkwBdZRsgRAujNWxDuKEFHiUs6067IDAd/IZKfibsTSY sERHozg8nJN55XIofzaaqjbihLyHIYI8Tu/piHYlS0VEODOKnqJska6ELOO9hLU/ HiT5GGkYqozL7K4uqN5K1dps9Jk4XAm5NCwa/Dk4RWk/AgMBAAGjgb4wgbswCQYD VR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwLAYJYIZIAYb4QgENBB8WHUxvY2Fs IFRlc3QgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBToMkrB2Faf+7yOWjJx D4y4ZGsDZDAfBgNVHSMEGDAWgBS69ExrLta3rTkX+wsA0mS7F07DdzAOBgNVHQ8B Af8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3 DQEBCwUAA4IBAQCFkP5WpQg34CztavuEm5SFFYDWDk3oHbQK+mqyDF1yaB72CGa6 M7Ux8zU5gArSzbOVUIPIuywyZiOp3iOkK11/D9RjAe51yQCwNJHWLyVWpijXv73v UKxmGhW9+VFnM3/M+2P7d2xC2LeL+eZFzN/ocCn/0vDvq8O1HN+d2FpBA8/OVrVj X2D85DQDl1usERYXlCwuowBEY36soIHbu7x5wQZHNzUu6EtJX0TNfyqDzq5+wCVZ EIIE3WgRkAQ2OmEb4/W0W3gIR/WukUrmMgQJShJoS9eabqUpshCd/Eac+R/aojxg 3JKhNazXE+Y4nl+64q3Ce11cStUAoNuCkaFC -----END CERTIFICATE----- </pre><br /><br />client_rsa.key<br /><pre class="ui-code" data-mode="text">-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCs+IY2qPJ9x5S4 INmxRvsULKV81W2YsRwwkFXIWWJddLDaXbiyBqrqUb544dpm06ZESeNJMHcp50fL TOMT7zYfsGBWfmbdQuCDnTvUsdm1flVmuWKSc2q01NY/irQXcJPhGN9YGevb8HIz Ft8wRS9Fql2FxSBh3c5oV8jeXP7TgWBLW63B0h/UOPRvl1g1xkwBdZRsgRAujNWx DuKEFHiUs6067IDAd/IZKfibsTSYsERHozg8nJN55XIofzaaqjbihLyHIYI8Tu/p iHYlS0VEODOKnqJska6ELOO9hLU/HiT5GGkYqozL7K4uqN5K1dps9Jk4XAm5NCwa /Dk4RWk/AgMBAAECggEARO0d8n8dblDPKxZwGSwbVl06LsYPz8ZX4ORLQrSXtX0Q ElxBgrOUfR5I4/vAH7Scb17wMtScz7ZpjhJb9LAgpb0Pjrf8/pOtStUnp+idRC0N FAuww4I5lciwfY6kmCiUzSCvs3hU3AZzQ3eMRbx0C3NJpEo6zrToEP1WPoHZS+d8 +rh0OMyb+xTO9zBIs/iXJb4BVT3DHgLPaKStujCAWkfBOmQaTvXkTg2JjSrbwhd3 3sKDZoQ3fYJeVjxWQk3b6g/4BNzM863KtmE5CpOTXzR1EmUO77pSshdcwwU00Rzh Db4JRUj9Nd5MwLnFTWkG1dkWBti7rlk4bNkhE3VAYQKBgQDXT1Zzh4vOdP9AkAOZ M5NKMShfNzmPJf7ZWZdu7Qbte50Huuzl3lBaBPdJ3O9RaxEmL3bLjta4aPcjxsCg 18JnT2a+JmV4YjkWyEUTvgZL9qni1NJHIZESwKqGrIhhERnSK3+3fU++GsrEmLyO oaJDNnU0xjGd8vUeCJJWBUL2nwKBgQDNqNOLIsjNclUvDEyQyCo5CI1nhcH+cL4L NTDhAM5cOBuWQCfeBVbTSEQdkkiox5gC04RoAK6jYBQaBSl7hLTxZjtvXAaxKvvf UE57UZW874zzMxqNvUJPqXkSdbjzw1kPekS9PUlODH4f18MXR4ty9EqlULx8Br0W 3TvjtompYQKBgQCPmsP/dDWEMzaYGjW8NdEUV+skbpH+bwomb4H4IzFOrfbTVBJz Uq7nC47f/fLErBOZE2k5ZYDDKIdFnmeWH7Hy89uEEdn1zBVlo5enDkPm4JL4zped h77Z8hUKlAK2MxC0w/yAJp1MH1SEgZapzxaJm8XauCIZxhVEvdTUeNfr4wKBgFuw 8Jfw6zwFxIrUXfKS+5gwAvNrxEEPvPs8PM2kUVz2Ov5zHhMzqDFM3+mbRb/SNSjV awv/ed0nQe8T7BnA4fdakBcnHWix9Ffs8wCyMCNrXhkz6JvXDJB9y5f6Wnp71uI6 rhj9EQi2Myk5RibD5B1dY0ZvR4m4a2edPU1aHeghAoGAcD6/xMXUe5lQnxtXy4A2 vCpJkNvFpKYHX9EsztkRAnNj8PJ8Avs4ofkpEEwzLzdVyUv1lQ9B8vtJ5YXRmtFD LeN3Oe+kKcOKOMv4E1iHSP9QeK6Ho9NcRVftxilWYxelLaWlwVfazrKMU9wyYiWO fKSgE4Tvlzs7pL1HuKy2A6I= -----END PRIVATE KEY----- </pre><br /><br />I tried appending the Kconfigs you suggested, but without any improvements.<br /><br />Could it be that I am doing something wrong with how I am starting the openssl server and it is not acknowledging properly the CA certificate?</p><div style="clear:both;"></div>RE: Issue with provisioning device to communicate via TCP over TLS.https://devzone.nordicsemi.com/thread/554597?ContentTypeID=1Mon, 17 Nov 2025 19:44:50 GMT137ad170-7792-4731-bb38-c0d22fbe4515:5f64f9df-b68e-4457-9aaf-d19978cb2a97Amanda Hsieh<p>Hi,&nbsp;</p> <p>Error&nbsp;0x2700 is&nbsp;MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, which means that Certificate verification failed, e.g. CRL, CA or signature check failed.</p> <p>Could you try generating the certificates in .pem file by&nbsp;openssl and use it<span>?&nbsp;</span></p> <p><span>Also, try to add<br /></span></p> <p><span><pre class="ui-code" data-mode="text">CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384 CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384 CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y</pre></span></p> <p><span>Regards,<br />Amanda H.</span></p> <p><span></span></p><div style="clear:both;"></div>