• State Verified Answer
  • Replies 5 replies
  • Subscribers 87 subscribers
  • Views 270 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 358193
Options

AT%CMNG types 0 and 1 always fail on nRF9151-SMA-DK — error 527

Ibraim

Board: nRF9151-SMA-DK

Modem firmware tested: mfw_nrf9151-ntn_1.0.0-1.alpha and mfw_nrf91x1_2.0.4

nRF Connect SDK version: 3.2.1 Host OS: Windows 11

Problem description:

I am trying to provision TLS certificates for AWS IoT Core onto the nRF9151-SMA-DK modem using AT%CMNG. The Private Key (type 2) writes successfully every time, but Root CA (type 0) and Client Certificate (type 1) always fail regardless of the approach used.

What I have tried:

1. Raw AT commands via Serial Terminal

AT+CFUN=4
AT%CMNG=0,16842753,0,"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
→ ERROR
AT%CMNG=0,16842753,1,"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
→ ERROR
AT%CMNG=0,16842753,2,"-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"
→ OK

2. Python script via pyserial Same result — type 2 succeeds, types 0 and 1 fail.

3. nRF Connect for Desktop — Certificate Manager Same result.

4. Enabled verbose errors with AT+CMEE=2

AT%CMNG=0,16842753,0,"..."
→ +CME ERROR: 527

Error 527 = "Invalid certificate content for write of type 0 or 1" per the AT commands documentation.

5. Tried multiple sec_tags (1, 100, 1000, 12345, 16842753) All return the same error 527 for types 0 and 1.

6. Tried writing a minimal fake certificate to rule out content issues

AT%CMNG=0,1,0,"-----BEGIN CERTIFICATE-----\nMIIBIjAN...\n-----END CERTIFICATE-----\n"
→ +CME ERROR: 527

Even a fake/minimal certificate body fails, so the issue is not specific to the AWS certificate content.

7. Tried AT%XSUDO authentication as per section 14 of the AT commands reference (v1.4)

  • Generated EC P-256 key pair
  • Uploaded public key via AT%XPMNG=0,"..."OK
  • Signed the command body using SHA-256 digest + ECDSA (matching the OpenSSL steps in the documentation)
  • Sent authenticated command:
AT%XSUDO=1229,"<base64_signature>";%CMNG=0,16842753,0,"..."
→ +CME ERROR: 520

Error 520 = "Authentication failed"

Observations:

  • Type 2 (Private Key) works perfectly without any authentication on both firmware versions
  • Type 4 (PSK Identity, plain string) also works
  • Type 0 and 1 fail on every sec_tag, with every firmware version tested, with every certificate content including fake/minimal ones
  • AT%WHOAMI returns ERROR on both firmware versions
  • AT+CFUN=4 is confirmed active before all write attempts
  • The board is the SMA variant (NTN/satellite), originally shipped with mfw_nrf9151-ntn_1.0.0-1.alpha

Questions:

  1. Is AT%CMNG type 0 and 1 write intentionally restricted on the nRF9151-SMA-DK hardware?
  2. Is AT%XSUDO required for types 0 and 1 on this board, and if so, what is the exact expected signing format?
  3. Is there a known issue with mfw_nrf91x1_2.0.4 and certificate writes on the nRF9151-SMA-DK?
  4. Is there a different recommended provisioning flow for the SMA-DK variant specifically?

Any help would be greatly appreciated. Thank you!

Feel free to copy and paste this directly. The more detail you give them upfront the faster they'll be able to help. Good luck and rest well! Slight smile

Parents Reply Children
No Data
Related
Terms of service