nRF91 How to use Google's primary and backup root CA on the modem?

Has anyone got modem-based certs (the primary and backup minimal set, or the complete set) working with Google Cloud IoT Core on nRF91 (Asset Tracker v2 or otherwise)? It's unclear from this discussion if anyone was successful. It's also unclear what is the proper converted form, and which sets of certs (device and server) should be combined into separate sec_tags. I've tried several combinations and can't get it working.

I'm also modifying the Asset Tracker v2 example, and using the nRF9160 DK with nRF Connect SDK v1.7.1.

I am successfully using Google IoT Core for a project on the nRF91 - I'm using the minimal root CA set described here for mqtt.2030.ltsapis.goog:
https://cloud.google.com/iot/docs/how-tos/mqtt-bridge#downloading_mqtt_server_certificates

I used the modem_key_mgmt_write() method to write the PEM encoded certs during provisioning, then reference the tag list in the TLS config via sec_tag_list.

Note that I had to set TLS_PEER_VERIFY_NONE with modem firmware prior to 1.3.1, I haven't yet tested with MFW1.3.1 to see if I can change it back to TLS_PEER_VERIFY_REQUIRED.

I am successfully using Google IoT Core for a project on the nRF91 - I'm using the minimal root CA set described here for mqtt.2030.ltsapis.goog:
https://cloud.google.com/iot/docs/how-tos/mqtt-bridge#downloading_mqtt_server_certificates

I used the modem_key_mgmt_write() method to write the PEM encoded certs during provisioning, then reference the tag list in the TLS config via sec_tag_list.

Note that I had to set TLS_PEER_VERIFY_NONE with modem firmware prior to 1.3.1, I haven't yet tested with MFW1.3.1 to see if I can change it back to TLS_PEER_VERIFY_REQUIRED.

Hi Rokk Research,

Thanks for confirming that you've gotten it to work. Can you clarify if you've put 3 certs (both of the minimal root CA set certs + the device cert) and the client private key into a single sec_tag? 

I converted each of the Google minimal certs like this: 

openssl x509 -inform DER -outform PEM -in gtsltsr.crt -out gtsltsr.pem

I programmed the certs using the nRF91 device cred utility:

python3 cred.py \
    --CA_cert gtsltsr.pem \
    --CA_cert GSR4.pem \
    --client_cert my_device-cert.pem \
    --client_private_key my_device-private.pem \
    --sec_tag 202 \
    --program_app <path-to-my-app>/build/zephyr/merged.hex

I'm running the code from the google_iot_mqtt sample, called after the modem comes up. I removed the added globalsign.inc cert from the example code. SNTP is successful. DNS resolve for mqtt.2030.ltsapis.goog:8883 is successful.

If I include both Google minimal CA certs (plus the device cert and key) in one sec_tag, I get `could not connect, error -111`.

If I include only the primary cert `gtsltsr.pem` (plus the device cert and key) in one sec_tag, then I get `MQTT connect failed 5`.

If I create separate sec_tags for each of the minimal certs, and another sec_tag for the device cert + key, and reference all 3 sec_tags, I also get `MQTT connect failed 5`.

Thanks,
Jeffrey

Hi Jeffery, I'm not familiar with the cred utility, I used modem_key_mgmt_write() programatically.

I used 2 different tags for the certs - i.e., only 2 certs (primary and backup).