• State Not Answered
  • Replies 1 reply
  • Subscribers 85 subscribers
  • Views 196 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 358404
Options

nRF5340+nRF7002: Matter-over-WiFi Commissioning failed with our own generated CD, PAA, PAI, DAC and factory data

Winston A

Hi,

We are using NCS v3.0.2 on nRF5340+nRF7002.

We have an error when doing matter commissioning using our own generated CD, PAA, PAI, DAC and factory data, see error below:

>>pairing ble-wifi 1 myssid mypassword 12345678 3840 --paa-trust-store-path /var/paa-root-certs/
...
...
 [1773905166.510] [9714:9716] [-] Unable to find PAA, err: src/credentials/attestation_verifier/DeviceAttestationVerifier.h:252: CHIP Error 0x0000004A: CA certificate not found, PAI's AKID: 60:98:39:11:8F:E4:03:6E:D3:BD:78:46:F3:0C:9B:D6:A9:1E:36:27
[1773905166.510] [9714:9716] [CTL] Error on commissioning step 'AttestationVerification': 'src/controller/CHIPDeviceController.cpp:1334: CHIP Error 0x00000020: Failed Device Attestation'

What we have done:
Generate Certification Declaration CD:
chip-cert gen-cd \
--key credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem \
--cert credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem \
--out CD.der \
--format-version 1 \
--vendor-id 0x<OURVID> \
--product-id 0x<OURPID> \
--device-type-id 0xA \
--certificate-id ZIG20142ZB330003-24 \
--security-level 0 \
--security-info 0 \
--certification-type 1 \
--version-number 0x2694

convert CD to bytes:
  cat CD.der | xxd -i

CD bytes to file chip_project_config.h 

#ifndef CHIP_USE_DEVICE_CONFIG_CERTIFICATION_DECLARATION
#define CHIP_USE_DEVICE_CONFIG_CERTIFICATION_DECLARATION 1
#endif
#define CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION {0x30, 0x81, 0xe7,.....}



We also generate PAA, PAI, DAC using the commands:
chip-cert gen-att-cert \
--type a \
--subject-cn "ourCompany PAA CN" \
--subject-vid 0x<OURVID> \
--valid-from "2025-06-28 14:23:43" \
--lifetime 7305 \
--out-key Chip-PAA-Key.pem \
--out Chip-PAA-Cert.pem

chip-cert gen-att-cert \
--type i \
--subject-cn "ourCompany PAI CN" \
--subject-vid 0x<OURVID> \
--valid-from "2025-06-28 14:23:43" \
--lifetime 7305 \
--ca-key Chip-PAA-Key.pem \
--ca-cert Chip-PAA-Cert.pem \
--out-key Chip-PAI-Key.pem \
--out Chip-PAI-Cert.pem

chip-cert gen-att-cert \
--type d \
--subject-cn "ourCompany DAC 01" \
--subject-vid 0x<OURVID> \
--subject-pid 0x1 \
--valid-from "2025-06-28 14:23:43" \
--lifetime 7305 \
--ca-key Chip-PAI-Key.pem \
--ca-cert Chip-PAI-Cert.pem \
--out-key Chip-DAC-Key.pem \
--out Chip-DAC-Cert.pem

chip-cert validate-att-cert --dac Chip-DAC-Cert.pem --pai Chip-PAI-Cert.pem --paa Chip-PAA-Cert.pem

openssl x509 -in Chip-PAI-Cert.pem -outform DER -out Chip-PAI-Cert.der
openssl x509 -in Chip-DAC-Cert.pem -outform DER -out Chip-DAC-Cert.der
openssl ec -in Chip-DAC-Key.pem -outform DER -out Chip-DAC-Key.der



Then we generate the factory data:
python scripts/tools/nrfconnect/generate_nrfconnect_chip_factory_data.py \
...
...
...
--dac_cert "Chip-DAC-Cert.der" \
--dac_key "Chip-DAC-Key.der" \
--pai_cert "Chip-PAI-Cert.der" \
....
....
--enable_key 00112233445566778899AABBCCDDEEFF \
--include_passcode \
--overwrite --generate_onboarding


Then we write this factory data to factory_data partition using nrfutil


Questions:
1. in matter commisioing command, we appended the flag --paa-trust-store-path /var/paa-root-certs/ and we copied the PAA certificate to /var/paa-root-certs but from the error logs " Unable to find PAA," and "CA certificate not found", what might be the reason why is this?

note: when using --bypass-attestation-verifier true, the matter commissioning is successful 


2. Is the way we write the CD to chip_project_config.h correct? and also how is CD being used in the application? there is not much documentaion related to this and the examples such as matter_weather_station  

Thanks.
Regards,
  • 0

    Hi, starting with a bullet list with items that might resolve the issue before we dive deeper into the root case. Could you let me know about the results from any of the suggested items below?

    1. in matter commisioing command, we appended the flag --paa-trust-store-path /var/paa-root-certs/ and we copied the PAA certificate to /var/paa-root-certs but from the error logs " Unable to find PAA," and "CA certificate not found", what might be the reason why is this?

    note: when using --bypass-attestation-verifier true, the matter commissioning is successful 

    The error message indicates the commissioner cannot find a PAA certificate matching the PAI's Authority Key Identifier (AKID). Based on the knowledge sources and similar cases, here are the most likely causes:

    1. The PAA certificate file format in /var/paa-root-certs/: The chip-tool's --paa-trust-store-path flag looks for a PAA certificate that matches the PAI and DAC certificates programmed on the device. See CHIP Tool guide. A common issue is that the directory must contain the PAA in the correct format (typically .der or .pem). Make sure you have copied the PAA certificate (e.g., Chip-PAA-Cert.der or Chip-PAA-Cert.pem) to /var/paa-root-certs/  not the key file.
    2. CD signed with test key vs. custom PAA: Looking at your CD generation command, you are signing the CD with the test CD signing key (credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem), but your PAA/PAI/DAC chain uses your own custom certificates. The commissioner validates the entire attestation chain: the CD signature, the DAC, the PAI, and the PAA. If the CD is signed with the test key but the PAA is a custom one (not in the built-in trust store), the attestation verifier may fail to reconcile the chain. See CHIP Tool guide

      Potential fix: You can also use the --cd-trust-store-path flag to point to the directory containing the public key used to validate your CD signature, and --only-allow-trusted-cd-keys true if you want to enforce only your custom CD key. See CHIP Tool guide

    3. A user who resolved a very similar issue noted: "if the certificate is supplied by a third party, the chip-cert tool needs to specify the certificate source using dac-origin-xx-id and declare our own information using xx-id." See this DevZone thread
    4. Also, double-check that the AKID in the PAI certificate correctly matches the Subject Key Identifier (SKID) of the PAA certificate you placed in /var/paa-root-certs/. The error explicitly references the PAI's AKID (60:98:39:11:8F:E4:03:6E:D3:BD:78:46:F3:0C:9B:D6:A9:1E:36:27), meaning the commissioner is looking for a PAA whose SKID matches this value but cannot find it in the provided directory.
    2. Is the way we write the CD to chip_project_config.h correct? and also how is CD being used in the application? there is not much documentaion related to this and the examples such as matter_weather_station  

    Your approach of converting the CD to a byte array and placing it in chip_project_config.h using CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION is the correct method described in the nRF Connect SDK documentation: "In the nRF Connect SDK implementation of Matter, you can configure CD by adding the CHIP_DEVICE_CONFIG_CERTIFICATION_DECLARATION define in the chip_project_config.h file. You can locate the array of bytes related to CD by running the search with the following condition:"

    cat CD.der | xxd -i

    See Storing CD in firmware

    The CD is included in the attestation information packet sent by the device (commissionee) during the Device Attestation procedure. It is a cryptographic document that confirms the device type was certified, and it contains Vendor ID, Certificate ID, certification type, and other fields. Importantly, CD is stored in the application firmware (not in factory data), because it must be updated with each new software version/recertification. See Device Attestation overview

    An alternative to embedding it in chip_project_config.h is to store it in Zephyr's Settings subsystem by enabling CONFIG_CHIP_CERTIFICATION_DECLARATION_STORAGE in prj.conf, which allows updating the CD after programming. See Storing CD in firmware

    Note: Since you are using the test CD signing key, the commissioner's built-in test CD public key will be used to validate it. If you intend to use a production CD key, you must provide the corresponding public key via --cd-trust-store-path.

    Let me know about these items if they are able to help you resolve the problem your phasing or not and I will get back to you

    Kind regards,
    Andreas

Related
Terms of service