
Multiple CA certs to one server

I have connections to an Azure server that has three CAs available. To be able to talk to the server with .peer_verify = 2; I need to replace the CA one by one and try to figure out which CA is the relevant one. Is there any way to connect multiple CAs to one cert pair? I also tried writing the priv/client key multiple times with different sec_tags, but then the TLS connection just looks at the first one, sees that it fails and does not continue to the second one.

    /* Two security tags, each holding its own CA plus the same client cert/key */
    sec_tag_list[0] = 4321; // With non working CA
    sec_tag_list[1] = 1234; // With working CA

    my_tls_config.peer_verify = 2;           // require the server cert to verify
    my_tls_config.cipher_count = 0;          // no cipher restriction
    my_tls_config.cipher_list = NULL;
    my_tls_config.sec_tag_list = sec_tag_list; // field name fixed (was seg_tag_list)
    my_tls_config.sec_tag_count = 2;
    my_tls_config.hostname = (char *)hostname;

When connecting, it only tries the first set of sec_tags. This also brings a lot of overhead, since the priv/client cert is written multiple times inside the handler.

How can we manage connections with multiple CAs when connecting to one host name?

Possible Workaround:

- Replace the CA for each attempt and try up to 3 times before making a successful connection. But this is not a good workaround.

Hoping for more info / suggestions

  • Hi, and sorry for the slow response.

    This looks like a bug, and I have opened an internal issue and will get back to you when I know more.

    In the meantime, looking at the Azure documentation and this blog post, it seems like the three different CA certificates are used at different locations, based on where your IoT Hub instance is hosted.

    This means that you only need to use one of the certificates if you only use one IoT Hub instance.

    Best regards,

    Didrik
