
nRF91 How to use Google's primary and backup root CA on the modem?

Hi,

I want to connect to Google Cloud IoT with a modified asset_tracker and want the TLS done by the modem like in asset_tracker.

Google has a primary and a backup root CA for IoT, and they may switch between the primary and backup certificates at any time without notice.

See here cloud.google.com/.../mqtt-bridge

Is it enough to install these certificates (in the right converted form) as type 0 with different sec_tags on the modem?

I hope :)

With kind regards,

Árpád

  • Hi Simon,

    Update: the different root CAs should go into different sec_tags installed on the modem, and those sec_tags must be referenced from the application software. That's clear to me now.

    But I have a problem when I try to verify the peer in the TLS connection:

    struct mqtt_sec_config *tls_config = &client->transport.tls.config;
    tls_config->peer_verify = MQTT_TRANSPORT_SECURE;

    results in EOPNOTSUPP 95 (Operation not supported on socket)

    When I use

    tls_config->peer_verify = TLS_PEER_VERIFY_NONE;

    I can connect.

    The peer verification works on Amazon with its sha256WithRSAEncryption signature. Google's signature for mqtt.2030.ltsapis.goog is an ecdsa-with-SHA256 signature.

    Is that not supported?

    Is this a bug in the modem software?

    I use the latest one (mfw_nrf9160_1.2.0.zip).

    With best regards,

    Árpád
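The provisioning step described in the update above (one root CA per sec_tag, stored as a type-0 credential, with the application referencing both tags), as an added example that is not code from the original thread or from the nRF Connect SDK. It builds the AT%CMNG write commands for the two CA sec_tags and then checks an AT%CMNG=1 listing so the application only attempts the TLS connection once every required CA tag is actually present on the modem. The sec_tag numbers, the PEM bodies and the list response are constructed sample data; the AT syntax assumed is the nRF91 one (write: `AT%CMNG=0,<sec_tag>,<type>,"<content>"`, list reply: `%CMNG: <sec_tag>,<type>,"<sha256>"` per credential), and writes assume the modem has been taken offline with AT+CFUN=4 first.

```c
/* Added example, not from the original thread or the nRF Connect SDK.
 * One root CA per sec_tag as a type-0 (CA chain) credential via AT%CMNG,
 * plus a check of the AT%CMNG=1 listing before any TLS attempt.
 * All sec_tags, PEM bodies and the list response are constructed data.
 * Assumed nRF91 syntax:  write  AT%CMNG=0,<sec_tag>,<type>,"<content>"
 *                        list   AT%CMNG=1 -> %CMNG: <sec_tag>,<type>,"<sha256>"
 * Writes require the modem to be offline first (AT+CFUN=4). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMNG_TYPE_CA_CHAIN 0            /* type 0 = root CA / CA chain */

/* Constructed sec_tags: primary root CA and backup root CA. */
static const uint32_t google_ca_tags[] = { 16842753u, 16842754u };
#define GOOGLE_CA_TAG_COUNT (sizeof(google_ca_tags) / sizeof(google_ca_tags[0]))

/* Constructed placeholder PEM bodies, not real certificates. */
static const char primary_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\nMIICONSTRUCTEDPRIMARYROOT\n-----END CERTIFICATE-----\n";
static const char backup_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\nMIICONSTRUCTEDBACKUPROOT\n-----END CERTIFICATE-----\n";

/* Constructed AT%CMNG=1 reply: both CA tags present, plus an unrelated
 * client certificate (type 1) in sec_tag 42. */
static const char sample_list_response[] =
    "%CMNG: 16842753,0,\"0000000000000000000000000000000000000000000000000000000000000001\"\r\n"
    "%CMNG: 16842754,0,\"0000000000000000000000000000000000000000000000000000000000000002\"\r\n"
    "%CMNG: 42,1,\"0000000000000000000000000000000000000000000000000000000000000003\"\r\n"
    "OK\r\n";

struct cmng_entry { uint32_t sec_tag; int type; char sha256[65]; };

/* Build the write command. The PEM text is embedded unchanged, newlines
 * included, in the same shape NCS's modem_key_mgmt_write produces.
 * Returns the command length, or -1 if out is too small. */
int build_cmng_write(char *out, size_t out_sz, uint32_t sec_tag, int type, const char *pem)
{
    int n = snprintf(out, out_sz, "AT%%CMNG=0,%u,%d,\"%s\"", (unsigned)sec_tag, type, pem);
    return (n < 0 || (size_t)n >= out_sz) ? -1 : n;
}

/* Parse every "%CMNG: <tag>,<type>,"<sha>"" line; other lines (OK, CR/LF)
 * are skipped. Returns the number of entries stored in out. */
size_t parse_cmng_list(const char *resp, struct cmng_entry *out, size_t max)
{
    size_t count = 0;
    for (const char *p = resp; p && *p && count < max; ) {
        const char *eol = strchr(p, '\n');
        if (strncmp(p, "%CMNG: ", 7) == 0) {
            unsigned tag; int type; char sha[65];
            if (sscanf(p + 7, "%u,%d,\"%64[0-9A-Fa-f]\"", &tag, &type, sha) == 3) {
                out[count].sec_tag = tag;
                out[count].type = type;
                strcpy(out[count].sha256, sha);
                count++;
            }
        }
        p = eol ? eol + 1 : NULL;
    }
    return count;
}

/* True only if every required sec_tag holds a type-0 credential; a tag that
 * is missing, or holds a different credential type, fails the check. */
bool ca_tags_provisioned(const struct cmng_entry *e, size_t n,
                         const uint32_t *required, size_t required_n)
{
    for (size_t i = 0; i < required_n; i++) {
        bool found = false;
        for (size_t j = 0; j < n && !found; j++)
            found = (e[j].sec_tag == required[i] && e[j].type == CMNG_TYPE_CA_CHAIN);
        if (!found) return false;
    }
    return true;
}

/* Self-check helpers that run the constructed data end to end. */
int demo_write_command_ok(void)
{
    char cmd[512], tiny[16];
    static const char expect[] = "AT%CMNG=0,16842753,0,\"-----BEGIN CERTIFICATE-----\n";
    int n = build_cmng_write(cmd, sizeof cmd, google_ca_tags[0], CMNG_TYPE_CA_CHAIN, primary_ca_pem);
    return n > 0 && strncmp(cmd, expect, strlen(expect)) == 0 &&
           build_cmng_write(tiny, sizeof tiny, google_ca_tags[0], CMNG_TYPE_CA_CHAIN, primary_ca_pem) == -1;
}

int demo_both_ca_tags_present(void)
{
    struct cmng_entry entries[8];
    size_t n = parse_cmng_list(sample_list_response, entries, 8);
    return n == 3 && ca_tags_provisioned(entries, n, google_ca_tags, GOOGLE_CA_TAG_COUNT);
}

int demo_wrong_type_rejected(void)
{
    struct cmng_entry entries[8];
    size_t n = parse_cmng_list(sample_list_response, entries, 8);
    const uint32_t wrong[] = { 16842753u, 42u };   /* 42 holds a client cert, not a CA */
    return !ca_tags_provisioned(entries, n, wrong, 2);
}

int main(void)
{
    char cmd[512];
    const char *pems[] = { primary_ca_pem, backup_ca_pem };
    for (size_t i = 0; i < GOOGLE_CA_TAG_COUNT; i++)
        if (build_cmng_write(cmd, sizeof cmd, google_ca_tags[i], CMNG_TYPE_CA_CHAIN, pems[i]) > 0)
            printf("send after AT+CFUN=4: %s\n", cmd);
    printf("both CA sec_tags provisioned: %s\n", demo_both_ca_tags_present() ? "yes" : "no");
    return 0;
}
```

Once the check passes, the application hands the same two tags to the socket: in Zephyr's `struct mqtt_sec_config` that is `sec_tag_list` pointing at a `sec_tag_t` array holding both tags, `sec_tag_count = 2`, `peer_verify = TLS_PEER_VERIFY_REQUIRED` and `hostname` set to the broker name, so the modem can validate the chain against whichever of the two roots Google is currently serving.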

  • Hi Simon,

    this is not a big problem for me now: this one is much bigger :)

    Best regards,

    Árpád

  • Currently, a huge portion of the support team (including many of the experts on nRF9160) is on summer vacation, and you may experience delayed answers. My apologies for that.

    I will try to provide you with an answer within this week.

    Best regards,

    Simon
