Firebase connection with nrf5340 and nrf7002 shield

RE: Firebase connection with nrf5340 and nrf7002 shield

Epasta — Tue, 13 Jan 2026 15:35:35 GMT

Hi and thank you very much for your response.

Thanks to your valuable advice, I was able to solve the problem.

This is the third project I’m developing for Nordic, and the support you provide is truly invaluable, which is why I always choose Nordic whenever I can.

I would like to add the following information.
In the past, I had already tried using the WR2 certificate, but if I remember correctly, I encountered an error during the handshake.

To solve the problem, I followed the instructions I found in the link from your response.
I am very grateful because I don’t have much experience with the HTTPS protocol, and your advice was EXTREMELY IMPORTANT. I had also tried asking my colleagues and friends, but none of them had considered this point.

I have one last question:
I noticed that disabling BLE makes the HTTPS protocol work much better, does that match with your experience?
For me, disabling BLE is not a problem; it’s just information to better understand how it works.

Thanks again for everything.
Best regards,

RE: Firebase connection with nrf5340 and nrf7002 shield

Syed Maysum Abbas Zaidi — Tue, 13 Jan 2026 10:40:08 GMT

Hi,

Thanks for sharing the certificate chain and details. From the openssl output, the Firebase Functions server presents a chain where the intermediate CA (WR2) uses an RSA-2048 key, and the root CA you provisioned (GTS Root R1) uses an RSA-4096 key. The Amazon DevAcademy example works because it uses an RSA-2048 root CA, which fits within the default limits. When using an RSA-4096 root CA, it can fail already while loading/parsing the certificate, which matches the error you see.

To move forward, there are two options. Option 1 is to provision the intermediate CA instead of the root:

Subject: C=US, O=Google Trust Services, CN=WR2
Key size: RSA-2048

Convert and include this certificate the same way as in the DevAcademy exercise and retry. This usually works without any additional TLS configuration changes.

Option 2 if you prefer to keep using the RSA-4096 root CA, then you will need to increase TLS/mbedTLS limits to support 4096-bit RSA keys (for example, increasing the mbedTLS heap and MPI size). If you want to go this route, you may check out the configurations mentioned in this related devzone case.

Best Regards,
Syed Maysum

RE: Firebase connection with nrf5340 and nrf7002 shield

Epasta — Sun, 11 Jan 2026 12:42:19 GMT

Hello and thank you very much for your reply.

My host name is the following:
us-central1-project-fcce5.cloudfunctions.net

Below is what I receive from the SSL call
(openssl s_client -connect <hostname>:443 -servername <hostname> -showcerts)

CONNECTED(000001B8)
---
Certificate chain
 0 s:CN=misc.google.com
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: EC, (prime256v1); sigalg: sha256WithRSAEncryption
   v:NotBefore: Dec  3 15:50:23 2025 GMT; NotAfter: Feb 25 15:50:22 2026 GMT
-----BEGIN CERTIFICATE-----
MIIiWjCCIUKgAwIBAgIQbfyHOPZkJ7cK2IqmGMcRxzANBgkqhkiG9w0BAQsFADA7
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQww
CgYDVQQDEwNXUjIwHhcNMjUxMjAzMTU1MDIzWhcNMjYwMjI1MTU1MDIyWjAaMRgw
FgYDVQQDEw9taXNjLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AAQYZ70FeDJ+nwApeV76UWeyA8Jz2d+mPzt2Tj2iVXm/M85X6JY2XUT+/4zSZkjJ
jCJjJpKOhoc+8EYuWe179Tlto4IgRDCCIEAwDgYDVR0PAQH/BAQDAgeAMBMGA1Ud
JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFM4VEPWkgcM9
wUzQ5jH2uK6S+Vm8MB8GA1UdIwQYMBaAFN4bHu15FdQ+NyTDIbvsNDltQrIwMFgG
CCsGAQUFBwEBBEwwSjAhBggrBgEFBQcwAYYVaHR0cDovL28ucGtpLmdvb2cvd3Iy
MCUGCCsGAQUFBzAChhlodHRwOi8vaS5wa2kuZ29vZy93cjIuY3J0MIIeGQYDVR0R
BIIeEDCCHgyCD21pc2MuZ29vZ2xlLmNvbYIUKi5hY3Rpb25zLmdvb2dsZS5jb22C
FSouYmFzZWxpbmUuZ29vZ2xlLmNvbYIWKi5kZXZlbG9wZXIuZ29vZ2xlLmNvbYIX
Ki5kZXZlbG9wZXJzLmdvb2dsZS5jb22CESouZXdvcS5nb29nbGUuY29tghEqLmFy
dnIuZ29vZ2xlLmNvbYIVKi5maXJlYmFzZS5nb29nbGUuY29tghAqLmdncC5nb29n
bGUuY29tghkqLnBlcnNvbmZpbmRlci5nb29nbGUub3JnghEqLnF1aWNrb2ZmaWNl
LmNvbYITKi5zcGVlY2guZ29vZ2xlLmNvbYIsKi5zdG9yYWdlLW5pZ2h0bHktdGVz
dC5nb29nbGV1c2VyY29udGVudC5jb22CNCouc3RvcmFnZS1wcmVwcm9kLXRlc3Qt
dW5pZmllZC5nb29nbGV1c2VyY29udGVudC5jb22CLCouc3RvcmFnZS1zdGFnaW5n
LXRlc3QuZ29vZ2xldXNlcmNvbnRlbnQuY29tgikqLnN0b3JhZ2UtdGVzdC10ZXN0
Lmdvb2dsZXVzZXJjb250ZW50LmNvbYIUKi5zdXBwb3J0Lmdvb2dsZS5jb22CDiou
d2lkZXZpbmUuY29tghYqLnN0YWdpbmcud2lkZXZpbmUuY29tghIqLnVhdC53aWRl
dmluZS5jb22CGioudWF0LW5pZ2h0bHkud2lkZXZpbmUuY29tghNhbHBoYWdlbm9t
ZWRvY3MuY29tghhhbHBoYWdlbm9tZWNvbW11bml0eS5jb22CDGFkZ29vZ2xlLm5l
dIIOKi5hZGdvb2dsZS5uZXSCCmFkbWVsZC5jb22CDCouYWRtZWxkLmNvbYIXYWR2
ZXJ0aXNlcmNvbW11bml0eS5jb22CG3d3dy5hZHZlcnRpc2VyY29tbXVuaXR5LmNv
bYIYYWR2ZXJ0aXNlcnNjb21tdW5pdHkuY29tghoqLmFkdmVydGlzZXJzY29tbXVu
aXR5LmNvbYIVYWR3b3Jkcy1jb21tdW5pdHkuY29tghcqLmFkd29yZHMtY29tbXVu
aXR5LmNvbYISYWR3b3Jkc2V4cHJlc3MuY29tghQqLmFkd29yZHNleHByZXNzLmNv
bYILYW1pZS5nb29nbGWCDSouYW1pZS5nb29nbGWCD2FuZ3VsYXJkYXJ0Lm9yZ4IR
Ki5hbmd1bGFyZGFydC5vcmeCDGFwcGJyaWRnZS5jYYIOKi5hcHBicmlkZ2UuY2GC
DGFwcGJyaWRnZS5pb4IOKi5hcHBicmlkZ2UuaW+CDGFwcGJyaWRnZS5pdIIOKi5h
cHBicmlkZ2UuaXSCCmFwdHVyZS5jb22CDCouYXB0dXJlLmNvbYIRYmVhdHRoYXRx
dW90ZS5jb22CEyouYmVhdHRoYXRxdW90ZS5jb22CCWJsaW5rLm9yZ4ILKi5ibGlu
ay5vcmeCCmJyb3RsaS5vcmeCDCouYnJvdGxpLm9yZ4INYnVtcHNoYXJlLmNvbYIP
Ki5idW1wc2hhcmUuY29tggpidW1wdG9wLmNhggwqLmJ1bXB0b3AuY2GCDWJ1bXB0
dW5lcy5jb22CDyouYnVtcHR1bmVzLmNvbYILYnVtcHRvcC5jb22CDSouYnVtcHRv
cC5jb22CC2J1bXB0b3AubmV0gg0qLmJ1bXB0b3AubmV0ggtidW1wdG9wLm9yZ4IN
Ki5idW1wdG9wLm9yZ4IWYnVzaW5lc3Njb25uZWN0Lmdvb2dsZYIYKi5idXNpbmVz
c2Nvbm5lY3QuZ29vZ2xlghBjYW1wdXNsb25kb24uY29tghIqLmNhbXB1c2xvbmRv
bi5jb22CHGNlcnRpZmljYXRlLXRyYW5zcGFyZW5jeS5vcmeCHiouY2VydGlmaWNh
dGUtdHJhbnNwYXJlbmN5Lm9yZ4IKY2hyb21lLmNvbYIMKi5jaHJvbWUuY29tgg5j
aHJvbWVjYXN0LmNvbYIQKi5jaHJvbWVjYXN0LmNvbYIMY2hyb21pdW0ub3Jngg4q
LmNocm9taXVtLm9yZ4IVKi5pc3N1ZXMuY2hyb21pdW0ub3JnghljbGlja3NlcnZl
LmRhcnRzZWFyY2gubmV0ghxjbGlja3NlcnZlLnVrLmRhcnRzZWFyY2gubmV0ghxj
bGlja3NlcnZlLmV1LmRhcnRzZWFyY2gubmV0gh1jbGlja3NlcnZlLnVzMi5kYXJ0
c2VhcmNoLm5ldIIZY2xpY2tzZXJ2ZXIuZ29vZ2xlYWRzLmNvbYIWY2xvdWRidXJz
dHJlc2VhcmNoLmNvbYIYKi5jbG91ZGJ1cnN0cmVzZWFyY2guY29tghJjbG91ZGZ1
bmN0aW9ucy5uZXSCFCouY2xvdWRmdW5jdGlvbnMubmV0ghFjbG91ZHJvYm90aWNz
LmNvbYITKi5jbG91ZHJvYm90aWNzLmNvbYIaY29kZWFzc2lzdC1hdXRvcHVzaC5n
b29nbGWCGWNvZGVhc3Npc3Qtc3RhZ2luZy5nb29nbGWCEWNvZGVhc3Npc3QuZ29v
Z2xlgg1jb25zY3J5cHQuY29tgg8qLmNvbnNjcnlwdC5jb22CDWNvbnNjcnlwdC5v
cmeCDyouY29uc2NyeXB0Lm9yZ4IRY29va2llY2hvaWNlcy5vcmeCFXd3dy5jb29r
aWVjaG9pY2VzLm9yZ4IJY29vdmEuY29tggsqLmNvb3ZhLmNvbYIJY29vdmEubmV0
ggsqLmNvb3ZhLm5ldIIJY29vdmEub3JnggsqLmNvb3ZhLm9yZ4IUY29udGFjdGNl
bnRlci5nb29nbGWCFiouY29udGFjdGNlbnRlci5nb29nbGWCGmNyZWF0b3JhY2Fk
ZW15LnlvdXR1YmUuY29tgh53d3cuY3JlYXRvcmFjYWRlbXkueW91dHViZS5jb22C
B2Nyci5jb22CCSouY3JyLmNvbYIJY3M0aHMuY29tggsqLmNzNGhzLmNvbYIJZGVi
dWcuY29tggsqLmRlYnVnLmNvbYIQZGVidWdwcm9qZWN0LmNvbYISKi5kZWJ1Z3By
b2plY3QuY29tgghkb3MuZ29vZ4IWc3R4bW9zcXVpdG9wcm9qZWN0LmNvbYIYKi5z
dHhtb3NxdWl0b3Byb2plY3QuY29tghZzdHhtb3NxdWl0b3Byb2plY3QubmV0ghgq
LnN0eG1vc3F1aXRvcHJvamVjdC5uZXSCFnN0eG1vc3F1aXRvcHJvamVjdC5vcmeC
GCouc3R4bW9zcXVpdG9wcm9qZWN0Lm9yZ4Iac3Rjcm9peG1vc3F1aXRvcHJvamVj
dC5jb22CHCouc3Rjcm9peG1vc3F1aXRvcHJvamVjdC5jb22CFnN5bnRoaWR0ZXh0
ZGVtby5nb29nbGWCGCouc3ludGhpZHRleHRkZW1vLmdvb2dsZYIXdXN2aW1vc3F1
aXRvcHJvamVjdC5jb22CGSoudXN2aW1vc3F1aXRvcHJvamVjdC5jb22CD3N0eG1v
c3F1aXRvLmNvbYIRKi5zdHhtb3NxdWl0by5jb22CE3N0Y3JvaXhtb3NxdWl0by5j
b22CFSouc3Rjcm9peG1vc3F1aXRvLmNvbYIQdXN2aW1vc3F1aXRvLmNvbYISKi51
c3ZpbW9zcXVpdG8uY29tgg1kZXNpZ24uZ29vZ2xlgg8qLmRlc2lnbi5nb29nbGWC
EmVudmlyb25tZW50Lmdvb2dsZYIUKi5lbnZpcm9ubWVudC5nb29nbGWCDGVwaXNv
ZGljLmNvbYIOKi5lcGlzb2RpYy5jb22CC2ZhbWViaXQuY29tgg0qLmZhbWViaXQu
Y29tggdmYml0LmNvggkqLmZiaXQuY2+CDmZlZWRidXJuZXIuY29tghAqLmZlZWRi
dXJuZXIuY29tggpmZmxpY2suY29tggwqLmZmbGljay5jb22CFmZpbmFuY2VsZWFk
c29ubGluZS5jb22CGCouZmluYW5jZWxlYWRzb25saW5lLmNvbYIJZy10dW4uY29t
ggsqLmctdHVuLmNvbYIVZ2JjLmJlYXR0aGF0cXVvdGUuY29tghcqLmdiYy5iZWF0
dGhhdHF1b3RlLmNvbYIUZ2Vycml0Y29kZXJldmlldy5jb22CFiouZ2Vycml0Y29k
ZXJldmlldy5jb22CHSouaXNzdWVzLmdlcnJpdGNvZGVyZXZpZXcuY29tgg5nZXRi
dW1wdG9wLmNvbYIQKi5nZXRidW1wdG9wLmNvbYIRZ2RtLXNpYS1kZW1vLmdvb2eC
EyouZ2RtLXNpYS1kZW1vLmdvb2eCDGdpcHNjb3JwLmNvbYIOKi5naXBzY29ycC5j
b22CDWdsb2JhbGVkdS5vcmeCDyouZ2xvYmFsZWR1Lm9yZ4IQZ29uZ2xjaHVhbmds
Lm5ldIISKi5nb25nbGNodWFuZ2wubmV0gg1nb29nbGUuYmVybGlugg8qLmdvb2ds
ZS5iZXJsaW6CCmdvb2dsZS5vcmeCDCouZ29vZ2xlLm9yZ4IPZ29vZ2xlLnZlbnR1
cmVzghEqLmdvb2dsZS52ZW50dXJlc4IOZ29vZ2xlYXBwcy5jb22CECouZ29vZ2xl
YXBwcy5jb22CE2dvb2dsZWNvbXBhcmUuY28udWuCFSouZ29vZ2xlY29tcGFyZS5j
by51a4IRZ29vZ2xlZGFubWFyay5jb22CEyouZ29vZ2xlZGFubWFyay5jb22CEWdv
b2dsZWZpbmxhbmQuY29tghMqLmdvb2dsZWZpbmxhbmQuY29tgg5nb29nbGVtYXBz
LmNvbYIQKi5nb29nbGVtYXBzLmNvbYIQZ29vZ2xlcGhvdG9zLmNvbYISKi5nb29n
bGVwaG90b3MuY29tgg5nb29nbGVwbGF5LmNvbYIQKi5nb29nbGVwbGF5LmNvbYIO
Z29vZ2xlcGx1cy5jb22CECouZ29vZ2xlcGx1cy5jb22CEWdvb2dsZXN2ZXJpZ2Uu
Y29tghMqLmdvb2dsZXN2ZXJpZ2UuY29tghpnb29nbGV0cmF2ZWxhZHNlcnZpY2Vz
LmNvbYIcKi5nb29nbGV0cmF2ZWxhZHNlcnZpY2VzLmNvbYINZ3JpZGF3YXJlLmFw
cIIPKi5ncmlkYXdhcmUuYXBwggdnc3JjLmlvggkqLmdzcmMuaW+CCmdzdWl0ZS5j
b22CDCouZ3N1aXRlLmNvbYIPaGRycGx1c2RhdGEub3JnghEqLmhkcnBsdXNkYXRh
Lm9yZ4IMaGluZGl3ZWIuY29tgg4qLmhpbmRpd2ViLmNvbYIQaG93dG9nZXRtby5j
by51a4ISKi5ob3d0b2dldG1vLmNvLnVrgg5odG1sNXJvY2tzLmNvbYIQKi5odG1s
NXJvY2tzLmNvbYIIaHdnby5jb22CCiouaHdnby5jb22CDWltcGVybWl1bS5jb22C
DyouaW1wZXJtaXVtLmNvbYIKajJvYmpjLm9yZ4IMKi5qMm9iamMub3JnghNrZXl0
cmFuc3BhcmVuY3kuY29tghUqLmtleXRyYW5zcGFyZW5jeS5jb22CE2tleXRyYW5z
cGFyZW5jeS5mb2+CFSoua2V5dHJhbnNwYXJlbmN5LmZvb4ITa2V5dHJhbnNwYXJl
bmN5Lm9yZ4IVKi5rZXl0cmFuc3BhcmVuY3kub3Jngg9sYXRlbnRsb2dpYy5jb22C
ESoubGF0ZW50bG9naWMuY29tggtsaW5rLmdvb2dsZYINKi5saW5rLmdvb2dsZYIL
bWRpYWxvZy5jb22CDSoubWRpYWxvZy5jb22CEW1mZy1pbnNwZWN0b3IuY29tghMq
Lm1mZy1pbnNwZWN0b3IuY29tgg9tb2JpbGV2aWV3LnBhZ2WCESoubW9iaWxldmll
dy5wYWdlgg5tb29kc3RvY2tzLmNvbYIQKi5tb29kc3RvY2tzLmNvbYIPbjMzOS5h
c3AtY2MuY29tggduZWFyLmJ5ggkqLm5lYXIuYnmCCm9hdXRoei5jb22CDCoub2F1
dGh6LmNvbYIUb21uaWRldmljZWxhYi5nb29nbGWCFioub21uaWRldmljZWxhYi5n
b29nbGWCB29uLmhlcmWCCSoub24uaGVyZYIHb24yLmNvbYIJKi5vbjIuY29tghdv
bmV3b3JsZG1hbnlzdG9yaWVzLmNvbYIZKi5vbmV3b3JsZG1hbnlzdG9yaWVzLmNv
bYIJb3BhbC5nb29nggsqLm9wYWwuZ29vZ4IWcGFnZXNwZWVkbW9iaWxpemVyLmNv
bYIYKi5wYWdlc3BlZWRtb2JpbGl6ZXIuY29tgg1wYWdldmlldy5tb2Jpgg8qLnBh
Z2V2aWV3Lm1vYmmCFHBhcnR5bGlrZWl0czE5ODYub3JnghYqLnBhcnR5bGlrZWl0
czE5ODYub3Jngg5wYXhsaWNlbnNlLm9yZ4IQKi5wYXhsaWNlbnNlLm9yZ4IMcGVu
amEuZ29vZ2xlgg4qLnBlbmphLmdvb2dsZYIacGluZy5mZWVkYnVybmVyLmdvb2ds
ZS5jb22CDHBpdHRwYXR0LmNvbYIOKi5waXR0cGF0dC5jb22CEnBvbHltZXJwcm9q
ZWN0Lm9yZ4IUKi5wb2x5bWVycHJvamVjdC5vcmeCD3BvcHVsb3VzLnN0dWRpb4IR
Ki5wb3B1bG91cy5zdHVkaW+CC3Bvc3RpbmkuY29tgg0qLnBvc3RpbmkuY29tgg9x
dWVzdHZpc3VhbC5jb22CESoucXVlc3R2aXN1YWwuY29tggtxdWlrc2VlLmNvbYIN
Ki5xdWlrc2VlLmNvbYIRcXVpY2tzaGFyZS5nb29nbGWCEyoucXVpY2tzaGFyZS5n
b29nbGWCHHF1b3RlcHJveHkuYmVhdHRoYXRxdW90ZS5jb22CHioucXVvdGVwcm94
eS5iZWF0dGhhdHF1b3RlLmNvbYIKcmF4aXVtLmNvbYIMKi5yYXhpdW0uY29tgg1y
ZWNhcHRjaGEubmV0gg8qLnJlY2FwdGNoYS5uZXSCCnJldm9sdi5jb22CDCoucmV2
b2x2LmNvbYIPcmlkZXBlbmd1aW4uY29tghEqLnJpZGVwZW5ndWluLmNvbYIWcm9v
dG11c2ljLmJhbmRwYWdlLmNvbYIQd3d3LmJhbmRwYWdlLmNvbYIScy5zdmMtMS5n
b29nbGUuY29tghQqLnMuc3ZjLTEuZ29vZ2xlLmNvbYIKc2FnZXR2LmNvbYIMKi5z
YWdldHYuY29tggpzYXlub3cuY29tggwqLnNheW5vdy5jb22CC3NjaGVtZXIuY29t
gg0qLnNjaGVtZXIuY29tghRzY3JlZW53aXNldHJlbmRzLmNvbYIWKi5zY3JlZW53
aXNldHJlbmRzLmNvbYIZc2NyZWVud2lzZXRyZW5kc3BhbmVsLmNvbYIbKi5zY3Jl
ZW53aXNldHJlbmRzcGFuZWwuY29tghdzZWFyY2hwbGF5Z3JvdW5kLmdvb2dsZYIZ
Ki5zZWFyY2hwbGF5Z3JvdW5kLmdvb2dsZYIMc2hhcmUuZ29vZ2xlgg4qLnNoYXJl
Lmdvb2dsZYIOc3RyYXRvem9uZS5jb22CECouc3RyYXRvem9uZS5jb22CEHN1cHBs
aWVycy5nb29nbGWCEiouc3VwcGxpZXJzLmdvb2dsZYIScmV3YXJkcy5nb29nbGUu
Y29tghQqLnJld2FyZHMuZ29vZ2xlLmNvbYIMc25hcHNlZWQuY29tgg4qLnNuYXBz
ZWVkLmNvbYINc29sdmVmb3J4LmNvbYIPKi5zb2x2ZWZvcnguY29tgg9zcGFya2lm
eS5nb29nbGWCESouc3BhcmtpZnkuZ29vZ2xlgg1zeW5lcmd5c2UuY29tgg8qLnN5
bmVyZ3lzZS5jb22CEXRhZ3N1cHBvcnQuZ29vZ2xlghMqLnRhZ3N1cHBvcnQuZ29v
Z2xlghJ0aGVjbGV2ZXJzZW5zZS5jb22CFCoudGhlY2xldmVyc2Vuc2UuY29tghR0
aGlua3F1YXJ0ZXJseS5jby51a4IWKi50aGlua3F1YXJ0ZXJseS5jby51a4ISdGhp
bmtxdWFydGVybHkuY29tghQqLnRoaW5rcXVhcnRlcmx5LmNvbYILdHhjbG91ZC5u
ZXSCDSoudHhjbG91ZC5uZXSCCXR4dmlhLmNvbYILKi50eHZpYS5jb22CDXVzZXBs
YW5uci5jb22CDyoudXNlcGxhbm5yLmNvbYINdjhwcm9qZWN0Lm9yZ4IPKi52OHBy
b2plY3Qub3Jngg52ZWxvc3RyYXRhLmNvbYIQKi52ZWxvc3RyYXRhLmNvbYIZdmlk
ZW9yZXZpZXdjb25zb2xlLmdvb2dsZYIbKi52aWRlb3Jldmlld2NvbnNvbGUuZ29v
Z2xlgg92aXJ0dWFsLWFwcC5jb22CESoudmlydHVhbC1hcHAuY29tghV2aXJ0dWFs
YXBwZGVsaXZlcnkuY2+CFyoudmlydHVhbGFwcGRlbGl2ZXJ5LmNvghZ2aXJ0dWFs
YXBwZGVsaXZlcnkuY29tghgqLnZpcnR1YWxhcHBkZWxpdmVyeS5jb22CFXZpcnR1
YWxhcHBkZWxpdmVyeS5pb4IXKi52aXJ0dWFsYXBwZGVsaXZlcnkuaW+CFnZpcnR1
YWxhcHBkZWxpdmVyeS5uZXSCGCoudmlydHVhbGFwcGRlbGl2ZXJ5Lm5ldIIWdmly
dHVhbGFwcGRlbGl2ZXJ5Lm9yZ4IYKi52aXJ0dWFsYXBwZGVsaXZlcnkub3Jnggp3
YWxsZXQuY29tggwqLndhbGxldC5jb22CCXdheW1vLmNvbYILKi53YXltby5jb22C
CHdhemUuY29tggoqLndhemUuY29tghR3ZWJhcHBmaWVsZGd1aWRlLmNvbYIWKi53
ZWJhcHBmaWVsZGd1aWRlLmNvbYIKd2ViZ3B1LmRldoIMKi53ZWJncHUuZGV2ggl3
ZWJncHUuaW+CCyoud2ViZ3B1LmlvghJ3ZWx0d2VpdHdhY2hzZW4uZGWCFnd3dy53
ZWx0d2VpdHdhY2hzZW4uZGWCD3doYXRicm93c2VyLm9yZ4IRKi53aGF0YnJvd3Nl
ci5vcmeCDXdvbWVud2lsbC5jb22CDyoud29tZW53aWxsLmNvbYIMd29tZW53aWxs
Lmlkgg4qLndvbWVud2lsbC5pZIIMd29tZW53aWxsLmlugg4qLndvbWVud2lsbC5p
boIQd29tZW53aWxsLmNvbS5icoISKi53b21lbndpbGwuY29tLmJyggx3b21lbndp
bGwubXiCDioud29tZW53aWxsLm14ghV3b3JrYmVuY2hwbGF0Zm9ybS5jb22CFyou
d29ya2JlbmNocGxhdGZvcm0uY29tghZ3b3JrYmVuY2hlZHVjYXRpb24uY29tghgq
LndvcmtiZW5jaGVkdWNhdGlvbi5jb22CFndvcmtiZW5jaGVkdWNhdGlvbi5uZXSC
GCoud29ya2JlbmNoZWR1Y2F0aW9uLm5ldIIKd3JrYm5jaC5pb4IMKi53cmtibmNo
Lmlvgg13b3JkLWxlbnMuY29tgg8qLndvcmQtbGVucy5jb22CDHdvcmRsZW5zLmNv
bYIOKi53b3JkbGVucy5jb22CDHdvcmRsZW5zLm5ldIIOKi53b3JkbGVucy5uZXSC
CXguY29tcGFueYILKi54LmNvbXBhbnmCBngudGVhbYIIKi54LnRlYW2CDHh2aWFk
dWN0LmFwcIIOKi54dmlhZHVjdC5hcHCCGHlvdXR1YmVtb2JpbGVzdXBwb3J0LmNv
bYIaKi55b3V0dWJlbW9iaWxlc3VwcG9ydC5jb22CFHp1a3VuZnRzd2Vya3N0YXR0
LmRlghh3d3cuenVrdW5mdHN3ZXJrc3RhdHQuZGWCICoubm9ydGhhbWVyaWNhLmFw
aWdlZS5nb29nbGUuY29tghMqLmFwaWdlZS5nb29nbGUuY29tghVhY2NvdW50cy5t
YW5kaWFudC5jb22CGHByb2FjdGl2ZS52aXJ1c3RvdGFsLmNvbYIaKi5wcm9hY3Rp
dmUudmlydXN0b3RhbC5jb22CIyoubG9va2VyLXN0YWdpbmcuY2hyb25pY2xlLnNl
Y3VyaXR5gg14d2ZhcHAuZ29vZ2xlgg8qLnh3ZmFwcC5nb29nbGWCGmJhbmR3aWR0
aC52b2ljZS5nb29nbGUuY29tghZhdXRvZGF0YXRvb2xraXQuZ29vZ2xlghgqLmF1
dG9kYXRhdG9vbGtpdC5nb29nbGUwEwYDVR0gBAwwCjAIBgZngQwBAgEwNgYDVR0f
BC8wLTAroCmgJ4YlaHR0cDovL2MucGtpLmdvb2cvd3IyLzc1cjRaeUEzdkEwLmNy
bDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AJaXZL9VWJet90OHaDcIQnfp8DrV
9qTzNm5GpD8PyqnGAAABmuUh8IcAAAQDAEcwRQIhAKMKc2Pg82rIC7gRbHBP7grc
FrP7i9pDC20eZ45TkJz+AiA33trHgpdHLGJlbWgSvEMUqsMq4KLZU9upgBOx2twf
CgB3ABaDLavwqSUPD/A6pUX/yL/II9CHS/YEKSf45x8zE/X6AAABmuUh8IcAAAQD
AEgwRgIhAOOqQPf0ffl4qWNLALvpVKuBguKvTSn+VVsVMz9uZtrMAiEApBNKfc+z
e0mkWsUWI577e7qY4oCxDGfHvGPoxzHyWswwDQYJKoZIhvcNAQELBQADggEBAEaz
5My+LzNViBNOy+qnBSW24RMCIVbV3nZQylZQepe/pcrlUPafEMzEZgtQCNFPUW9J
hROXdFRKJ0gIFHvORkC05C+J1QTi1zB54LSdFDTjf+uJ2IeFdPa5yVVTspGoF9c9
3O0xuJrNYcptbxiH7Ql6ZnvHvClCaEccdSwYUc51sU+2l5hg2CgWgFNKJ+GRoBgj
UNPG4mrL1KcESG4UkYWsFGzR8ucqOLeYSjDqknaJIGXJai92QFBEgiu3hYyEl17Q
69IfkShsBWM0gz5yTZUrqURfllKhB+tuqsAgpx5UvcNd8aUML/IFTJZneenMxvh+
XrorFb9WOeOLA50fHJ4=
-----END CERTIFICATE-----
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
-----BEGIN CERTIFICATE-----
MIIFCzCCAvOgAwIBAgIQf/AFoHxM3tEArZ1mpRB7mDANBgkqhkiG9w0BAQsFADBH
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjMxMjEzMDkwMDAwWhcNMjkwMjIw
MTQwMDAwWjA7MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNl
cnZpY2VzMQwwCgYDVQQDEwNXUjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCp/5x/RR5wqFOfytnlDd5GV1d9vI+aWqxG8YSau5HbyfsvAfuSCQAWXqAc
+MGr+XgvSszYhaLYWTwO0xj7sfUkDSbutltkdnwUxy96zqhMt/TZCPzfhyM1IKji
aeKMTj+xWfpgoh6zySBTGYLKNlNtYE3pAJH8do1cCA8Kwtzxc2vFE24KT3rC8gIc
LrRjg9ox9i11MLL7q8Ju26nADrn5Z9TDJVd06wW06Y613ijNzHoU5HEDy01hLmFX
xRmpC5iEGuh5KdmyjS//V2pm4M6rlagplmNwEmceOuHbsCFx13ye/aoXbv4r+zgX
FNFmp6+atXDMyGOBOozAKql2N87jAgMBAAGjgf4wgfswDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBTeGx7teRXUPjckwyG77DQ5bUKyMDAfBgNVHSMEGDAWgBTk
rysmcRorSCeFL1JmLO/wiRNxPjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAKG
GGh0dHA6Ly9pLnBraS5nb29nL3IxLmNydDArBgNVHR8EJDAiMCCgHqAchhpodHRw
Oi8vYy5wa2kuZ29vZy9yL3IxLmNybDATBgNVHSAEDDAKMAgGBmeBDAECATANBgkq
hkiG9w0BAQsFAAOCAgEARXWL5R87RBOWGqtY8TXJbz3S0DNKhjO6V1FP7sQ02hYS
TL8Tnw3UVOlIecAwPJQl8hr0ujKUtjNyC4XuCRElNJThb0Lbgpt7fyqaqf9/qdLe
SiDLs/sDA7j4BwXaWZIvGEaYzq9yviQmsR4ATb0IrZNBRAq7x9UBhb+TV+PfdBJT
DhEl05vc3ssnbrPCuTNiOcLgNeFbpwkuGcuRKnZc8d/KI4RApW//mkHgte8y0YWu
ryUJ8GLFbsLIbjL9uNrizkqRSvOFVU6xddZIMy9vhNkSXJ/UcZhjJY1pXAprffJB
vei7j+Qi151lRehMCofa6WBmiA4fx+FOVsV2/7R6V2nyAiIJJkEd2nSi5SnzxJrl
Xdaqev3htytmOPvoKWa676ATL/hzfvDaQBEcXd2Ppvy+275W+DKcH0FBbX62xevG
iza3F4ydzxl6NJ8hk8R+dDXSqv1MbRT1ybB5W0k8878XSOjvmiYTDIfyc9acxVJr
Y/cykHipa+te1pOhv7wYPYtZ9orGBV5SGOJm4NrB3K1aJar0RfzxC3ikr7Dyc6Qw
qDTBU39CluVIQeuQRgwG3MuSxl7zRERDRilGoKb8uY45JzmxWuKxrfwT/478JuHU
/oTxUFqOl2stKnn7QGTq8z29W+GgBLCXSBxC9epaHM0myFH/FJlniXJfHeytWt0=
-----END CERTIFICATE-----
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIwMDYx
OTAwMDA0MloXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIx
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63
ladAPKH9gvl9MgaCcfb2jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwS
iV6nqlKr+CMny6SxnGPb15l+8Ape62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351k
KSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6z1kZ1q+PsAewnjHxgsHA3y6mbWwZ
DrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogrFZYJsuB6jC511pzrp1Zk
j5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8UpmvMrUpsyUqtEj5
cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB0esW
CruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499
iYH6TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35Ei
Eua++tgy/BBjFFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbap
sZWwpbkNFhHax2xIPEDgfg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b
9f6BQdgAmD06yK56mDcYBZUCAwEAAaOCATgwggE0MA4GA1UdDwEB/wQEAwIBhjAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTkrysmcRorSCeFL1JmLO/wiRNxPjAf
BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzBgBggrBgEFBQcBAQRUMFIw
JQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnBraS5nb29nL2dzcjEwKQYIKwYBBQUH
MAKGHWh0dHA6Ly9wa2kuZ29vZy9nc3IxL2dzcjEuY3J0MDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwucGtpLmdvb2cvZ3NyMS9nc3IxLmNybDA7BgNVHSAENDAy
MAgGBmeBDAECATAIBgZngQwBAgIwDQYLKwYBBAHWeQIFAwIwDQYLKwYBBAHWeQIF
AwMwDQYJKoZIhvcNAQELBQADggEBADSkHrEoo9C0dhemMXoh6dFSPsjbdBZBiLg9
NR3t5P+T4Vxfq7vqfM/b5A3Ri1fyJm9bvhdGaJQ3b2t6yMAYN/olUazsaL+yyEn9
WprKASOshIArAoyZl+tJaox118fessmXn1hIVw41oeQa1v1vg4Fv74zPl6/AhSrw
9U5pCZEt4Wi4wStz6dTZ/CLANx8LZh1J7QJVj2fhMtfTJr9w4z30Z209fOU0iOMy
+qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=misc.google.com
issuer=C=US, O=Google Trust Services, CN=WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 12879 bytes and written 1665 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

This is the cerrtifcate.pem that I'm using (is the last one in code above).

I'm using NCS 3.1.1 and at the moment I'm NOT using "non-secure TF-M target".
For building project i'm using Target: nrf5340dk/nrf5340/cpuapp
But I do not think that should be the problem because with amazon everything is working good.

Thanking you in advance for everything.
Kind regards.

RE: Firebase connection with nrf5340 and nrf7002 shield

Syed Maysum Abbas Zaidi — Fri, 09 Jan 2026 09:44:48 GMT

Hi,

Thanks for the detailed description. From the log, the failure happens while the device is loading/parsing the CA certificate (Failed to parse CA certificate), before the TLS handshake with Firebase starts. Since the same code works with the Amazon example, the most likely causes are either (a) an issue with the Firebase CA certificate file after conversion, or (b) the certificate using crypto parameters that require slightly different TLS settings. So to help narrow this down, could you please share the following:

The exact hostname you are connecting to (for example, the Firebase Functions domain).
The exact CA certificate file (.pem) you are provisioning (the one you converted and included in the build).
Your nRF Connect SDK version, and whether you are building the non-secure TF-M target, as in the DevAcademy exercise.

Additionally, from a PC, could you please run the following command and paste the output:

openssl s_client -connect <hostname>:443 -servername <hostname> -showcerts

This will show which certificate chain Firebase is using and help us confirm which CA should be provisioned on the device and once we have this information, we can advise whether this is a certificate conversion issue or if any additional TLS configuration is needed.

Best Regards,
Syed Maysum