
How to use AWS IoT Just-in-Time Provisioning (JITP) on nRF9160?

I'm attempting to use AWS IoT Just-in-Time Provisioning (JITP), but with no luck. Any help would be appreciated.

I tested JITP on my own account, not the Nordic one, with a local mosquitto client on a Mac, and it works.

I know JITP is available on nRF Cloud, but I want to use it on my own account.

After I flash the firmware and push the reset button, I get this error.

***** Booting Zephyr OS v1.14.99-ncs2 *****
The MQTT simple sample started
Deleting certs sec_tag: 16842753
nrf_inbuilt_key_delete(16842753, 0) => result=105
Deleting certs sec_tag: 16842753
nrf_inbuilt_key_delete(16842753, 1) => result=105
Deleting certs sec_tag: 16842753
nrf_inbuilt_key_delete(16842753, 2) => result=105
Deleting certs sec_tag: 16842753
nrf_inbuilt_key_delete(16842753, 3) => result=105
Deleting certs sec_tag: 16842753
nrf_inbuilt_key_delete(16842753, 4) => result=105
Write ca certs sec_tag: 16842753
CA_CERTIFICATE err: 105
LTE Link Connecting ...
LTE Link Connected!
ERROR: getaddrinfo failed 12

nrf_inbuilt_key_delete(16842753, 0) => result=105

According to this page, the result in this line (105, NRF_ENOBUFS) means that the buffer is not sufficient.
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/bsdlib/doc/api.html

How can I solve this? Thanks.

This page explains JITP
https://aws.amazon.com/jp/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/

<certificates.h>

/* MQTT client ID; the same value is set as CONFIG_MQTT_CLIENT_ID in prj.conf. */
#define CLIENT_ID "555555"

/*
 * Device private key (PEM), redacted in the post.
 * NOTE(review): as a string literal this key becomes part of the application
 * image. Keep a real key out of source control and out of release builds and
 * provision it separately instead.
 */
#define CLIENT_PRIVATE_KEY \
"-----BEGIN RSA PRIVATE KEY-----\n" \
.
.
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
.
.
"-----END RSA PRIVATE KEY-----\n"

/*
 * Client certificate in the JITP layout described in the post: two PEM
 * blocks concatenated into one credential (presumably the device certificate
 * followed by the CA certificate that signed it -- confirm the order).
 */
#define CLIENT_PUBLIC_CERTIFICATE \
"-----BEGIN CERTIFICATE-----\n" \
.
.
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
.
.
"biR8iAb8xoEkb0TyE/UcGFI2\n" \
"-----END CERTIFICATE-----\n" \
"-----BEGIN CERTIFICATE-----\n" \
.
.
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
.
.
"JqvXo+GfWAvo1Zqj7ZGjpc+uNN4B6Kvib5s12PrtWTWfTZEuIHrBNCYs2DxN\n" \
"-----END CERTIFICATE-----\n"

/*
 * CA certificate written as the CA chain credential.
 * NOTE(review): presumably the root CA that signed the broker's server
 * certificate, which is not necessarily the CA appended to the client
 * certificate above -- confirm which one belongs here.
 */
#define CA_CERTIFICATE \
"-----BEGIN CERTIFICATE-----\n" \
.
.
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
"aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
.
.
"-----END CERTIFICATE-----\n"

<prj.conf>

# General config
# NOTE(review): the test random generator is not a cryptographically secure
# entropy source; acceptable for a sample, not for production builds.
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_REBOOT=y

# Networking
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y

# LTE link control
CONFIG_LTE_LINK_CONTROL=y
CONFIG_LTE_LOCK_BANDS=y
CONFIG_LTE_AUTO_INIT_AND_CONNECT=n

# BSD library
CONFIG_BSD_LIBRARY=y

# AT Host
CONFIG_UART_INTERRUPT_DRIVEN=y
CONFIG_AT_HOST_LIBRARY=n

# MQTT
CONFIG_MQTT_LIB=y
CONFIG_MQTT_LIB_TLS=y

# Application
CONFIG_MQTT_PUB_TOPIC="myTopic/publish"
CONFIG_MQTT_SUB_TOPIC="myTopic/subscribe"
CONFIG_MQTT_CLIENT_ID="555555"
CONFIG_MQTT_BROKER_HOSTNAME="xxxxxxxxxxxx.amazonaws.com"
CONFIG_MQTT_BROKER_PORT=8883

# Security tag the credentials are stored under (the sec_tag in the boot log)
CONFIG_SEC_TAG=16842753

# Development only: compiles the credentials from CONFIG_CERTIFICATES_FILE,
# private key included, into the image and writes them at every boot
# (see provision_certificate() in main.c). Disable for release builds.
CONFIG_PROVISION_CERTIFICATES=y
CONFIG_CERTIFICATES_FILE="certificates.h"

# Main thread
CONFIG_MAIN_THREAD_PRIORITY=7
CONFIG_MAIN_STACK_SIZE=8192
CONFIG_HEAP_MEM_POOL_SIZE=8192

CONFIG_NO_OPTIMIZATIONS=y

# Disable native network stack to save some memory
CONFIG_NET_IPV4=n
CONFIG_NET_IPV6=n
CONFIG_NET_UDP=n
CONFIG_NET_TCP=n
CONFIG_NET_RX_STACK_SIZE=256
CONFIG_NET_TX_STACK_SIZE=256

<main.c>

.
.
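/**
 * Provision the TLS credentials from the certificates header.
 *
 * Compiles to a no-op unless CONFIG_PROVISION_CERTIFICATES is defined.
 * With CONFIG_BSD_LIBRARY, the credentials stored under sec_tag_list[0] are
 * deleted first, then whichever of CA_CERTIFICATE, CLIENT_PRIVATE_KEY and
 * CLIENT_PUBLIC_CERTIFICATE are defined are written with
 * nrf_inbuilt_key_write(). Without it, the NRF_CLOUD_* credentials are
 * registered under CONFIG_SEC_TAG with tls_credential_add().
 *
 * NOTE(review): this is a development path. The private key is a string
 * literal in the application image, so it stays readable from that image
 * after it has been written to the credential store. For production,
 * provision credentials separately and build without
 * CONFIG_PROVISION_CERTIFICATES.
 *
 * @return 0 on success or when nothing is provisioned, otherwise the error
 *         code of the first write/add call that failed.
 */
static int provision_certificate(void)
{
#if defined(CONFIG_PROVISION_CERTIFICATES)
#if defined(CONFIG_BSD_LIBRARY)
	{
		int err;
		nrf_sec_tag_t sec_tag = (nrf_sec_tag_t) sec_tag_list[0];

		/*
		 * Delete credential types 0..4 under this tag before writing.
		 * The result is only logged: a failed delete does not stop
		 * provisioning (presumably because a slot may simply be empty).
		 */
		for (nrf_key_mgnt_cred_type_t type = 0; type < 5; type++) {
			printk("Deleting certs sec_tag: %d\n", sec_tag);
			err = nrf_inbuilt_key_delete(sec_tag, type);
			printk("nrf_inbuilt_key_delete(%u, %d) => result=%d\n",
				sec_tag, type, err);
		}

#if defined(CA_CERTIFICATE)
		/* Provision CA certificate; length excludes the NUL. */
		printk("Write ca certs sec_tag: %d\n", sec_tag);
		err = nrf_inbuilt_key_write(sec_tag,
			NRF_KEY_MGMT_CRED_TYPE_CA_CHAIN,
			CA_CERTIFICATE,
			strlen(CA_CERTIFICATE));
		if (err) {
			printk("CA_CERTIFICATE err: %d\n", err);
			return err;
		}
#endif
#if defined(CLIENT_PRIVATE_KEY)
		/* Provision the client private key. */
		printk("Write private cert sec_tag: %d\n", sec_tag);
		err = nrf_inbuilt_key_write(
			sec_tag,
			NRF_KEY_MGMT_CRED_TYPE_PRIVATE_CERT,
			CLIENT_PRIVATE_KEY,
			strlen(CLIENT_PRIVATE_KEY));
		if (err) {
			printk("CLIENT_PRIVATE_KEY err: %d\n", err);
			return err;
		}
#endif
#if defined(CLIENT_PUBLIC_CERTIFICATE)
		/* Provision the client public certificate. */
		printk("Write public cert sec_tag: %d\n", sec_tag);
		err = nrf_inbuilt_key_write(
			sec_tag,
			NRF_KEY_MGMT_CRED_TYPE_PUBLIC_CERT,
			CLIENT_PUBLIC_CERTIFICATE,
			strlen(CLIENT_PUBLIC_CERTIFICATE));
		if (err) {
			printk("CLIENT_PUBLIC_CERTIFICATE err: %d\n",
				err);
			return err;
		}
#endif
		/*
		 * The closing brace sits outside the conditional above so the
		 * block still closes when CLIENT_PUBLIC_CERTIFICATE is not
		 * defined.
		 */
	}
#else
	{
		int err;

		/* sizeof() here includes the terminating NUL of each literal. */
		err = tls_credential_add(CONFIG_SEC_TAG,
			TLS_CREDENTIAL_CA_CERTIFICATE,
			NRF_CLOUD_CA_CERTIFICATE,
			sizeof(NRF_CLOUD_CA_CERTIFICATE));
		if (err < 0) {
			printk("Failed to register ca certificate: %d\n",
				err);
			return err;
		}
		err = tls_credential_add(CONFIG_SEC_TAG,
			TLS_CREDENTIAL_PRIVATE_KEY,
			NRF_CLOUD_CLIENT_PRIVATE_KEY,
			sizeof(NRF_CLOUD_CLIENT_PRIVATE_KEY));
		if (err < 0) {
			printk("Failed to register private key: %d\n",
				err);
			return err;
		}
		err = tls_credential_add(CONFIG_SEC_TAG,
			TLS_CREDENTIAL_SERVER_CERTIFICATE,
			NRF_CLOUD_CLIENT_PUBLIC_CERTIFICATE,
			sizeof(NRF_CLOUD_CLIENT_PUBLIC_CERTIFICATE));
		if (err < 0) {
			printk("Failed to register public certificate: %d\n",
				err);
			return err;
		}

	}
#endif /* defined(CONFIG_BSD_LIBRARY) */
#endif /* defined(CONFIG_PROVISION_CERTIFICATES) */

	return 0;
}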
.
.

Parents
  • Hello,

    can you try to manually delete the certificates by using AT%CMNG? And then rewrite the certificates.

  • I deleted certificates and got this error. Any advice?

    ***** Booting Zephyr OS v1.14.99-ncs2 *****
    The MQTT simple sample started
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 0) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 1) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 2) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 3) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 4) => result=5
    Write ca certs sec_tag: 16842753
    CA_CERTIFICATE err: 5
    LTE Link Connecting ...
    LTE Link Connected!
    ERROR: getaddrinfo failed 12
    

    Certificates for JITP have a unique format.

    You need to combine the client certificate and the CA certificate into a new client certificate, as shown below.

    I guess the nRF9160 does not support this format, and that is why the error occurs.

    #define CLIENT_PUBLIC_CERTIFICATE \
    "-----BEGIN CERTIFICATE-----\n" \
    .
    .
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    .
    .
    "biR8iAb8xoEkb0TyE/UcGFI2\n" \
    "-----END CERTIFICATE-----\n" \
    "-----BEGIN CERTIFICATE-----\n" \
    .
    .
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    .
    .
    "JqvXo+GfWAvo1Zqj7ZGjpc+uNN4B6Kvib5s12PrtWTWfTZEuIHrBNCYs2DxN\n" \
    "-----END CERTIFICATE-----\n"

Reply
  • I deleted certificates and got this error. Any advice?

    ***** Booting Zephyr OS v1.14.99-ncs2 *****
    The MQTT simple sample started
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 0) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 1) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 2) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 3) => result=5
    Deleting certs sec_tag: 16842753
    nrf_inbuilt_key_delete(16842753, 4) => result=5
    Write ca certs sec_tag: 16842753
    CA_CERTIFICATE err: 5
    LTE Link Connecting ...
    LTE Link Connected!
    ERROR: getaddrinfo failed 12
    

    Certificates for JITP have a unique format.

    You need to combine the client certificate and the CA certificate into a new client certificate, as shown below.

    I guess the nRF9160 does not support this format, and that is why the error occurs.

    #define CLIENT_PUBLIC_CERTIFICATE \
    "-----BEGIN CERTIFICATE-----\n" \
    .
    .
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    .
    .
    "biR8iAb8xoEkb0TyE/UcGFI2\n" \
    "-----END CERTIFICATE-----\n" \
    "-----BEGIN CERTIFICATE-----\n" \
    .
    .
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbvvvvvvvvvvvvvvvvvvvvvvvvv\n" \
    .
    .
    "JqvXo+GfWAvo1Zqj7ZGjpc+uNN4B6Kvib5s12PrtWTWfTZEuIHrBNCYs2DxN\n" \
    "-----END CERTIFICATE-----\n"
